ymyms 3 days ago
Biscuits are in the same family as macaroons in that they are bearer tokens that can be attenuated offline, but they go further. A biscuit carries a chain of signed “blocks” that can contain facts, rules, and checks in a small Datalog-like logic language. That lets the token itself express richer authorization context, not just restrictions.

Key differences from macaroons:

- Crypto model: Macaroons use HMAC, so every verifier needs the shared secret. Biscuits use public/private keypairs, so any verifier with the public key can check validity.
- Expressiveness: Macaroons only add caveats (restrictions). Biscuits can encode facts, rules, and checks, enabling more complex policies to travel with the token, so you can attest and attenuate (and do some other tricky stuff if you want).
- Delegation: Both support attenuation, but biscuits do it with signed blocks that are verifiable and can be chained across services.

So conceptually similar, but biscuits aim to be more decentralized and policy-rich.
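To make the "facts, rules, and checks travel with the token" point concrete, here is an added toy model of the logic layer described in the comment above. It is not code from the biscuit project or its libraries, and it deliberately leaves out the signing step: a real biscuit signs every block with an Ed25519 keypair and a verifier needs only the root public key, whereas this model only shows how an authority block, offline attenuation blocks, ambient facts and an allow policy combine at authorization time. The `Block`, `Token`, `Check` names, the tuple encoding of facts and the sample facts (user `alice`, resource `file1`) are all assumptions made for this example, and the model ignores the real format's block scoping (every block here can see every fact).

```python
"""Toy model of biscuit-style authorization (added example, not the biscuit library).
A token is a chain of blocks holding Datalog-like facts, rules and checks.
Attenuation appends a block offline; the authorizer adds ambient facts and a policy.
Simplifications: no signatures, and every block sees every fact."""
from dataclasses import dataclass, field


def is_var(term):
    """Variables are strings starting with '$', e.g. '$op'; anything else is a constant."""
    return isinstance(term, str) and term.startswith("$")


def unify(pattern, fact, bindings):
    """Return bindings extended so that pattern matches fact, or None on mismatch."""
    if len(pattern) != len(fact):
        return None
    b = dict(bindings)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in b and b[p] != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def solve(body, facts, constraints=(), bindings=None):
    """Yield every variable binding satisfying all body patterns, then all constraints."""
    bindings = bindings or {}
    if not body:
        if all(c(bindings) for c in constraints):
            yield bindings
        return
    head, rest = body[0], body[1:]
    for fact in facts:
        b = unify(head, fact, bindings)
        if b is not None:
            yield from solve(rest, facts, constraints, b)


@dataclass
class Rule:            # head is derived whenever body (+ constraints) is satisfied
    head: tuple
    body: list
    constraints: tuple = ()


@dataclass
class Check:           # must have at least one solution, otherwise authorization fails
    body: list
    constraints: tuple = ()


@dataclass
class Block:
    facts: set = field(default_factory=set)
    rules: list = field(default_factory=list)
    checks: list = field(default_factory=list)


@dataclass
class Token:
    blocks: list

    def attenuate(self, block):
        """Offline attenuation: anyone holding the token can append a block
        (in a real biscuit this also adds a signature over the new block)."""
        return Token(self.blocks + [block])


def substitute(pattern, b):
    return tuple(b.get(t, t) if is_var(t) else t for t in pattern)


def derive(facts, rules):
    """Bottom-up fixpoint: apply rules until no new facts appear."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for r in rules:
            for b in list(solve(r.body, facts, r.constraints)):
                f = substitute(r.head, b)
                if f not in facts:
                    facts.add(f)
                    changed = True
    return facts


def authorize(token, ambient_facts, policy):
    """Every check in every block must pass, then the authorizer's allow policy must match."""
    facts = set(ambient_facts)
    rules = []
    for blk in token.blocks:
        facts |= blk.facts
        rules += blk.rules
    facts = derive(facts, rules)
    for i, blk in enumerate(token.blocks):
        for chk in blk.checks:
            if next(solve(chk.body, facts, chk.constraints), None) is None:
                return False, f"check failed in block {i}: {chk.body}"
    if next(solve(policy.body, facts, policy.constraints), None) is None:
        return False, "no allow policy matched"
    return True, "allowed"


# Constructed sample data (assumed for this example).
# Authority block minted by the issuing service: who the holder is and what they may do.
authority = Block(facts={("user", "alice"), ("right", "file1", "read"), ("right", "file1", "write")})
token = Token([authority])
# Two offline attenuations by the holder: read-only, then an expiry (unix seconds).
read_only = Block(checks=[Check([("operation", "read")])])
expires = Block(checks=[Check([("time", "$t")], (lambda b: b["$t"] < 1_700_000_000,))])
limited = token.attenuate(read_only).attenuate(expires)
# Authorizer-side policy: allow if the token grants a right matching the ambient request.
allow = Check([("user", "$u"), ("resource", "$r"), ("operation", "$op"), ("right", "$r", "$op")])


def decide(tok, operation, now):
    """Authorize a request for file1 with the given operation at time `now`."""
    ambient = {("resource", "file1"), ("operation", operation), ("time", now)}
    return authorize(tok, ambient, allow)[0]
```

The original token authorizes both reads and writes; the attenuated copy refuses writes and refuses everything after the expiry, while the authority facts stay untouched in block 0. That is the attenuation property shared with macaroons; the part macaroons cannot express is the authority block carrying positive facts (`user`, `right`) that the authorizer's policy reasons over.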