= Macaroons (computer science) =

In computer security, a macaroon is an authorization credential that supports decentralized delegation between principals.

Macaroons are used in a variety of systems, including the Ubuntu Snappy package manager, the HyperDex data store, the Matrix communication protocol, and the Python Package Index.

==Claims==

A macaroon is composed of a series of "caveats", each of which restricts what the credential authorizes, for example:

- may upload files to /user/A/ (issued by server)
- only to /user/A/album/123 (derived by A)
- only GIFs, up to 1MB (derived by B)
- until noon today (derived by C)

The macaroon model does not specify the language in which these caveats are expressed; the original paper proposes a model of subjects and rights, but the details are left to individual implementations.

==Related technologies==

Macaroons are comparable to several other credential technologies.

Compared to JSON Web Token (JWT):
- The holder of a macaroon can issue a sub-macaroon with narrower permissions, whereas the claims of a JWT are fixed once it is signed
- A macaroon is notably longer than a JWT
- A macaroon is comparable to a signed JWT, but there is no equivalent of an encrypted JWT
Compared to certificates:
- Macaroons are based on symmetric cryptography, while certificates rely on asymmetric cryptography
- Macaroons are computationally cheaper and require simpler cryptographic primitives
- Presenting a macaroon sends the credential itself to the server, which can disclose private information held by the macaroon holder, so the server must be trusted. With a certificate, the holder signs a payload using a private key that is never sent to the server, so communication with untrusted servers is less risky.

==Invalidation==

Implementations must decide whether the entire macaroon tree is invalidated at once by rotating its root, the server's secret key, or whether intermediate macaroons can be individually blacklisted, comparable to time-bound JWTs.
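As an added illustration (not part of the original article, and not code from libmacaroons or any other macaroon library), the following Python sketch ties together the caveat chain from the Claims section, the attenuation-without-a-key property that distinguishes macaroons from JWTs, and the two invalidation strategies described above. It uses the construction from the original paper: the signature is an HMAC chain, starting from HMAC(root key, identifier) and re-keyed by each caveat, so any holder can append a caveat but nobody can remove one without the root key. The caveat predicate language, the location, the key identifier and the key bytes are all constructed for the example, and third-party caveats (discharge macaroons) are not shown.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def _chain(key: bytes, msg: bytes) -> bytes:
    """One link of the HMAC chain that binds a caveat to everything before it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    location: str             # hint about where the macaroon is meant to be used
    identifier: str           # names the server's root key; the key itself never leaves the server
    caveats: tuple[str, ...] = ()
    signature: bytes = b""

    def add_caveat(self, predicate: str) -> Macaroon:
        """Attenuate. Any holder can add a caveat, but none can remove one: the new
        signature is keyed by the previous one, so the chain only extends forward."""
        return Macaroon(self.location, self.identifier,
                        self.caveats + (predicate,),
                        _chain(self.signature, predicate.encode()))


def mint(root_key: bytes, location: str, identifier: str) -> Macaroon:
    """Server-side issuance: the signature starts as HMAC(root_key, identifier)."""
    return Macaroon(location, identifier, (), _chain(root_key, identifier.encode()))


def check_caveat(predicate: str, request: dict) -> bool:
    """Evaluate one first-party caveat against the request being authorized.
    The predicate language is invented for this example; unknown predicates fail closed."""
    op, _, arg = predicate.partition(" ")
    if op == "action":
        return request["action"] == arg
    if op == "path_prefix":
        return request["path"].startswith(arg)
    if op == "mime":
        return request["mime"] == arg
    if op == "max_size":
        return request["size"] <= int(arg)
    if op == "expires":
        return request["now"] < int(arg)
    return False


def verify(root_keys: dict[str, bytes], revoked: set[bytes],
           m: Macaroon, request: dict) -> bool:
    """Server-side verification: recompute the chain from the root key, reject any
    blacklisted intermediate signature, compare the final signature in constant time,
    then require every caveat to hold for this request."""
    key = root_keys.get(m.identifier)
    if key is None:
        return False                    # root key rotated away: the whole tree is dead
    sig = _chain(key, m.identifier.encode())
    for c in m.caveats:
        if sig in revoked:
            return False                # an ancestor of this macaroon was blacklisted
        sig = _chain(sig, c.encode())
    if sig in revoked or not hmac.compare_digest(sig, m.signature):
        return False                    # blacklisted, tampered, forged, or a caveat was stripped
    return all(check_caveat(c, request) for c in m.caveats)


def demo() -> dict[str, bool]:
    """Walk through the article's delegation chain with constructed sample values."""
    root_key = b"constructed-root-key-do-not-reuse"   # constructed secret
    root_keys = {"photos-key-1": root_key}
    revoked: set[bytes] = set()

    # Issued by the server: A may upload files under /user/A/.
    server_mac = (mint(root_key, "photos.example", "photos-key-1")
                  .add_caveat("action upload")
                  .add_caveat("path_prefix /user/A/"))
    a_mac = server_mac.add_caveat("path_prefix /user/A/album/123")              # derived by A
    b_mac = a_mac.add_caveat("mime image/gif").add_caveat("max_size 1048576")  # derived by B
    c_mac = b_mac.add_caveat("expires 1700000000")                             # derived by C

    ok = {"action": "upload", "path": "/user/A/album/123/cat.gif",
          "mime": "image/gif", "size": 512_000, "now": 1699990000}   # constructed request
    results = {
        "valid_request": verify(root_keys, revoked, c_mac, ok),
        "too_large": verify(root_keys, revoked, c_mac, {**ok, "size": 2_000_000}),
        "expired": verify(root_keys, revoked, c_mac, {**ok, "now": 1700000001}),
        "outside_album": verify(root_keys, revoked, c_mac, {**ok, "path": "/user/A/other.gif"}),
    }
    # The holder of c_mac tries to drop the time bound while keeping the latest signature.
    stripped = Macaroon(c_mac.location, c_mac.identifier, b_mac.caveats, c_mac.signature)
    results["caveat_stripped"] = verify(root_keys, revoked, stripped, ok)
    # Invalidation, option 1: rotate the root key; every macaroon under it fails at once.
    results["after_key_rotation"] = verify({"photos-key-2": b"new-key"}, revoked, c_mac, ok)
    # Invalidation, option 2: blacklist one intermediate macaroon the server has seen (B's);
    # everything derived from it fails, while its sibling branch (A's) keeps working.
    revoked.add(b_mac.signature)
    results["blacklisted_branch"] = verify(root_keys, revoked, c_mac, ok)
    results["unaffected_branch"] = verify(root_keys, revoked, a_mac, ok)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {'ACCEPT' if outcome else 'REJECT'}")
```

The blacklist check runs at every link of the chain rather than only on the final signature, which is what makes revoking an intermediate macaroon also revoke all of its descendants; the price, as with a JWT blacklist, is server-side state that must persist until the blacklisted credentials would have expired anyway.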

==See also==

- Authorization
- HTTP cookie
- OAuth
- OpenID
- Simple public-key infrastructure
