diff --git a/proto/spire/plugin/types/jwtkey.pb.go b/proto/spire/plugin/types/jwtkey.pb.go index f8fa055..c1eee93 100644 --- a/proto/spire/plugin/types/jwtkey.pb.go +++ b/proto/spire/plugin/types/jwtkey.pb.go @@ -32,6 +32,8 @@ type JWTKey struct { // When the key expires (seconds since Unix epoch). If zero, the key does // not expire. ExpiresAt int64 `protobuf:"varint,3,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + // Indicates if the key has been tainted. A tainted key is not safe to be used anymore. + Tainted bool `protobuf:"varint,4,opt,name=tainted,proto3" json:"tainted,omitempty"` } func (x *JWTKey) Reset() { 
@@ -87,23 +89,32 @@ func (x *JWTKey) GetExpiresAt() int64 { return 0 } +func (x *JWTKey) GetTainted() bool { + if x != nil { + return x.Tainted + } + return false +} + var File_spire_plugin_types_jwtkey_proto protoreflect.FileDescriptor var file_spire_plugin_types_jwtkey_proto_rawDesc = []byte{ 0x0a, 0x1f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6a, 0x77, 0x74, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, - 0x74, 0x79, 0x70, 0x65, 0x73, 0x22, 0x5d, 0x0a, 0x06, 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x12, + 0x74, 0x79, 0x70, 0x65, 0x73, 0x22, 0x77, 0x0a, 0x06, 0x4a, 0x57, 0x54, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, - 0x65, 0x73, 0x41, 0x74, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2d, - 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x74, 0x79, - 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x65, 0x73, 0x41, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x3d, + 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 
0x73, 0x70, 0x69, + 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, + 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, + 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/spire/plugin/types/jwtkey.proto b/proto/spire/plugin/types/jwtkey.proto index 414760f..74683dd 100644 --- a/proto/spire/plugin/types/jwtkey.proto +++ b/proto/spire/plugin/types/jwtkey.proto @@ -12,4 +12,7 @@ message JWTKey { // When the key expires (seconds since Unix epoch). If zero, the key does // not expire. int64 expires_at = 3; + + // Indicates if the key has been tainted. A tainted key is not safe to be used anymore. + bool tainted = 4; } diff --git a/proto/spire/plugin/types/x509certificate.pb.go b/proto/spire/plugin/types/x509certificate.pb.go index 06701d5..db33409 100644 --- a/proto/spire/plugin/types/x509certificate.pb.go +++ b/proto/spire/plugin/types/x509certificate.pb.go @@ -27,6 +27,8 @@ type X509Certificate struct { // The ASN.1 DER encoded bytes of the X.509 certificate. Asn1 []byte `protobuf:"bytes,1,opt,name=asn1,proto3" json:"asn1,omitempty"` + // Indicates if the authority has been tainted. A tainted authority is not safe to be used anymore. + Tainted bool `protobuf:"varint,2,opt,name=tainted,proto3" json:"tainted,omitempty"` } func (x *X509Certificate) Reset() { 
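Review bot: The comment on the new `tainted` field of `JWTKey` (field 4 in jwtkey.proto) says the key "is not safe to be used anymore" but not what a receiver must do with it. As a proto3 `bool` it reads as `false` whenever the producer was built before the field existed, and a consumer built against the older message never sees it, so across a version skew a tainted key looks the same as a healthy one. I would state the contract in the comment, assuming this is the intended meaning: `// True once the key has been marked tainted; receivers must stop using it for validation. Unset means "not tainted", so producers that predate this field cannot signal taint.` The comment should also say whether `tainted` overrides an `expires_at` that has not yet passed. The same default-`false` concern applies to `tainted = 2` in x509certificate.proto.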
@@ -68,20 +70,29 @@ func (x *X509Certificate) GetAsn1() []byte { return nil } +func (x *X509Certificate) GetTainted() bool { + if x != nil { + return x.Tainted + } + return false +} + var File_spire_plugin_types_x509certificate_proto protoreflect.FileDescriptor var file_spire_plugin_types_x509certificate_proto_rawDesc = []byte{ 0x0a, 0x28, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x78, 0x35, 0x30, 0x39, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x73, 0x70, 0x69, 0x72, - 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x22, 0x25, + 0x65, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x22, 0x3f, 0x0a, 0x0f, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x61, 0x73, 0x6e, 0x31, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, - 0x04, 0x61, 0x73, 0x6e, 0x31, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, - 0x2d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x74, - 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x04, 0x61, 0x73, 0x6e, 0x31, 0x12, 0x18, 0x0a, 0x07, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, + 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, + 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2d, 0x70, 0x6c, 0x75, 0x67, 0x69, + 0x6e, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x72, + 0x65, 0x2f, 0x70, 0x6c, 0x75, 0x67, 
0x69, 0x6e, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/spire/plugin/types/x509certificate.proto b/proto/spire/plugin/types/x509certificate.proto index 20396f8..c639ba5 100644 --- a/proto/spire/plugin/types/x509certificate.proto +++ b/proto/spire/plugin/types/x509certificate.proto @@ -5,4 +5,7 @@ option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types message X509Certificate { // The ASN.1 DER encoded bytes of the X.509 certificate. bytes asn1 = 1; + + // Indicates if the authority has been tainted. A tainted authority is not safe to be used anymore. + bool tainted = 2; }
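Review bot: The comment added for `tainted = 2` in x509certificate.proto speaks of a tainted "authority", but the message is the general `X509Certificate`, whose only other field is documented as the DER bytes of "the X.509 certificate"; nothing in the hunk restricts it to CA certificates. If this type is also used for leaf or intermediate certificates (not visible from here), the flag has no defined meaning there, and different consumers may interpret it differently. I would tighten the comment to say when the flag applies, for example `// Only meaningful when this certificate is used as an authority: the authority has been tainted and must no longer be used to validate certificates. Ignored otherwise.`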