Something like AWS EC2 identity documents (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) providing a cryptographically signed summary of a Metal instance's attributes.
Exposing this via the machine-facing metadata endpoint would provide a useful Secret Zero for authentication.
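How a relying service (for example a secrets broker) could consume such a document, as an added example that is not part of the original request or of any Metal API. The JSON field names, the choice of Ed25519, and the sample values are assumptions; a locally generated key stands in for the provider's signing key, and the metadata fetch is replaced by a constructed document.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IdentityDoc is a hypothetical document layout; field names are assumptions.
type IdentityDoc struct {
	InstanceID string    `json:"instance_id"`
	ProjectID  string    `json:"project_id"`
	IssuedAt   time.Time `json:"issued_at"`
}

// VerifyIdentity runs on the relying service before it issues real credentials:
// signature over the exact bytes received, then freshness, then attributes.
func VerifyIdentity(pub ed25519.PublicKey, raw, sig []byte, wantProject string, maxAge time.Duration, now time.Time) (*IdentityDoc, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("signature does not verify")
	}
	var doc IdentityDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	if age := now.Sub(doc.IssuedAt); age < 0 || age > maxAge {
		return nil, errors.New("document is stale or from the future")
	}
	if doc.ProjectID != wantProject {
		return nil, errors.New("instance is not in the expected project")
	}
	return &doc, nil
}

// SignSample stands in for the provider's side; values are constructed.
func SignSample(priv ed25519.PrivateKey, issued time.Time) (raw, sig []byte) {
	raw, _ = json.Marshal(IdentityDoc{"inst-0001", "proj-demo", issued})
	return raw, ed25519.Sign(priv, raw)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	now := time.Now()
	raw, sig := SignSample(priv, now)
	doc, err := VerifyIdentity(pub, raw, sig, "proj-demo", 5*time.Minute, now)
	fmt.Println(doc, err)
}
```

The freshness window only limits replay of a captured document; binding the document to a caller-supplied nonce or audience would need support in the signed format itself.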