Overview
Grantex tokens are standard JWTs (RS256) extended with agent-specific claims. Any service can verify them locally using the published JWKS, without a per-token call to the Grantex verification API. Verifiers still need the public keys, fetched from the issuer and cached according to their SDK’s behavior.Decoded Example
Standard Claims
Grantex-Specific Claims
The hosted service publishes keys at
https://api.grantex.dev/.well-known/jwks.json, but its canonical iss value is
https://grantex.dev. Current SDKs recognize that stable JWKS alias
automatically. Custom verifiers must validate the canonical issuer explicitly.
Delegation Claims
Present on tokens issued to sub-agents viagrants.delegate():
Verification
Grant tokens can be verified two ways:Offline (recommended)
Verify the RS256 signature locally using the published JWKS. This avoids the online token-verification API, although the verifier may still need to retrieve the current public keys from the JWKS endpoint.Online
Call the Grantex API for real-time revocation status:Security
- Algorithm pinning: RS256 is hardcoded in all three verification layers (auth service, TypeScript SDK, Python SDK). The
algheader in the token cannot override this. - Replay prevention: Every token’s
jtiis tracked. Presenting a previously-seenjtireturnsvalid: false. - Minimum key size: The auth service enforces a minimum 2048-bit RSA modulus on all signing keys.