ymyms 5 days ago

I'm working on hessra.net, a token-based authorization system for machines, built using biscuits. The idea is that any service/machine/IoT device can authenticate to the service and get authorization tokens for each request based on policy. Then the tokens can be included with the request and verified without any further RTTs using the service's public key. The tokens are meant to be single-use and scoped to a single request.

Besides the simple "get token and send to a thing that uses it to authorize a request", there are a couple of things we've built/are building on top:

service-chains: for a given resource, you can configure the token so that it needs to be signed by notable components along the path of the request, and at each step along the path check that it was signed by the expected components up to that point. The thinking is this could really cut down on lateral movement in a system.

multi-party authorization: for a given resource, you can configure N authorization services that also need to sign the token based on their policy. The token only authorizes if all parties have signed it. This could be useful for managing capabilities of software deployed into customer environments, or perhaps for B2B agents to get sign-off from both Bs for doing an action.
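The four properties the post describes (request-scoped, single-use, signed along the request path, co-signed by N parties) can be shown with a small model of a chained token. The code below is an added example, not ymyms's or hessra.net's code, and it does not use the biscuit library: a token is a list of blocks, each block carries facts plus a tag over those facts and every earlier block's tag, so a component can only append and a verifier can check exactly which components signed and in what order. HMAC with per-component secrets stands in for the Ed25519 signatures biscuits use (so here every verifier needs the signers' secrets, which a public-key scheme avoids); the component names, resource and policy facts are all constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key material: one secret per component. Biscuits use Ed25519
# keypairs so anyone holding the public key can verify; HMAC is a stand-in
# here so the example runs on the standard library alone. The chain logic
# (append-only blocks, each bound to everything before it) is the same.
KEYS = {name: secrets.token_bytes(32)
        for name in ("authz", "gateway", "orders-api", "partner-authz")}


def _canon(obj):
    """Canonical JSON bytes so signer and verifier MAC identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(signer, prev_tags, facts):
    """MAC over this block's facts and every earlier block's tag, so the block
    is bound to its position in the chain: earlier blocks cannot be dropped or
    reordered, and the block cannot be transplanted into another token."""
    msg = _canon({"prev": prev_tags, "facts": facts, "signer": signer})
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()


def mint(issuer, resource, operation):
    """Issue a token scoped to one request; the nonce makes it single-use."""
    facts = {"resource": resource, "operation": operation,
             "nonce": secrets.token_hex(16)}
    return [{"signer": issuer, "facts": facts, "tag": _tag(issuer, [], facts)}]


def sign_hop(token, signer, facts=None):
    """A component on the request path (or a co-signing authorization service)
    appends its own block. It cannot alter earlier blocks without breaking
    their tags, only add to the chain."""
    facts = facts or {}
    prev = [b["tag"] for b in token]
    return token + [{"signer": signer, "facts": facts,
                     "tag": _tag(signer, prev, facts)}]


def valid_chain(token):
    """Recompute every tag in order. Returns the ordered list of signers, or
    None if any block is forged, modified, missing or out of place."""
    prev = []
    for block in token:
        if block["signer"] not in KEYS:
            return None
        expected = _tag(block["signer"], prev, block["facts"])
        if not hmac.compare_digest(block["tag"], expected):
            return None
        prev.append(block["tag"])
    return [b["signer"] for b in token]


class Verifier:
    """Per-service verifier. expected_path is the ordered list of path
    components that must have signed before the token reaches this service
    (service-chain); required_parties are the authorization services that
    must all have co-signed (multi-party); seen nonces enforce single use."""

    def __init__(self, name, expected_path, required_parties=()):
        self.name = name
        self.expected_path = list(expected_path)
        self.required_parties = set(required_parties)
        self.seen = set()

    def authorize(self, token, resource, operation):
        signers = valid_chain(token)
        if signers is None:
            return False                      # tampered or forged chain
        scope = token[0]["facts"]
        if (scope["resource"], scope["operation"]) != (resource, operation):
            return False                      # token is for a different request
        path = [s for s in signers if s not in self.required_parties]
        if path != self.expected_path:
            return False                      # a hop was skipped or added
        if not self.required_parties <= set(signers):
            return False                      # a co-signer is missing
        if scope["nonce"] in self.seen:
            return False                      # replay
        self.seen.add(scope["nonce"])
        return True


if __name__ == "__main__":
    orders = Verifier("orders-api", ["authz", "gateway"], ["partner-authz"])
    tok = sign_hop(mint("authz", "orders/42", "cancel"), "gateway")
    print("without partner:", orders.authorize(tok, "orders/42", "cancel"))
    tok = sign_hop(tok, "partner-authz", {"policy": "customer-approved"})
    print("fully signed:   ", orders.authorize(tok, "orders/42", "cancel"))
    print("replayed:       ", orders.authorize(tok, "orders/42", "cancel"))
```

The order of checks matters for the single-use property: the nonce is only recorded after every other check passes, so a rejected token does not burn its nonce and a legitimate later presentation of a correctly completed token still works.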