Skip to main content

Overview

Grantex tokens are standard JWTs (RS256) extended with agent-specific claims. Any service can verify them locally using the published JWKS, without a per-token call to the Grantex verification API. Verifiers still need the public keys, fetched from the issuer and cached according to their SDK’s behavior.

Decoded Example

Standard Claims

Grantex-Specific Claims

The hosted service publishes keys at https://api.grantex.dev/.well-known/jwks.json, but its canonical iss value is https://grantex.dev. Current SDKs recognize that stable JWKS alias automatically. Custom verifiers must validate the canonical issuer explicitly.

Delegation Claims

Present on tokens issued to sub-agents via grants.delegate():

Verification

Grant tokens can be verified two ways: Verify the RS256 signature locally using the published JWKS. This avoids the online token-verification API, although the verifier may still need to retrieve the current public keys from the JWKS endpoint.

Online

Call the Grantex API for real-time revocation status:

Security

  • Algorithm pinning: RS256 is hardcoded in all three verification layers (auth service, TypeScript SDK, Python SDK). The alg header in the token cannot override this.
  • Replay prevention: Every token’s jti is tracked. Presenting a previously-seen jti returns valid: false.
  • Minimum key size: The auth service enforces a minimum 2048-bit RSA modulus on all signing keys.
Last modified on July 11, 2026