Skip to main content
This guide covers security best practices for integrating Grantex into production applications. Following these recommendations helps protect your users, agents, and data.

Token Storage

Grant tokens are RS256 JWTs. Where you store them depends on your threat model:
Never store grant tokens in browser localStorage, cookies, or client-side storage. Grant tokens are meant for server-side agent code only.

Refresh Token Storage

Refresh tokens have a 30-day TTL and are single-use. Store them with the same care as API keys:
  • Encrypt at rest (e.g., envelope encryption with a KMS)
  • Restrict access to the service that performs token refresh
  • Never log refresh tokens — redact them in your logging pipeline

Scope Design

Design scopes using the resource:action pattern with least privilege:
Principles:
  • Request only what you need — agents should declare the minimum scopes required for their task
  • Prefer read over write — if the agent only needs to read data, don’t request write access
  • Use parameterized scopespayments:initiate:max_500 is safer than payments:initiate
  • Review scope requests in the consent UI — users see exactly what the agent is requesting

Revocation Handling

Tokens can be revoked at any time by the user or developer. Your agent should handle revocation gracefully:
Best practices:
  • Listen for the grant.revoked webhook event to react in real time
  • On 401, do not retry — the token has been permanently invalidated
  • Clean up any cached tokens after revocation

Delegation Security

When delegating grants to sub-agents (SPEC §9):
  • Minimize delegation depth — each layer adds risk. Keep delegationDepth as low as possible
  • Always narrow scopes — the sub-agent should have fewer scopes than the parent
  • Verify the chain — use verifyGrantToken() to inspect parentAgentDid and delegationDepth claims
  • Set short expiry — delegated grants should expire before the parent grant

PKCE

Always use PKCE (Proof Key for Code Exchange) with S256 in production:
PKCE prevents authorization code interception attacks. Without it, an attacker who intercepts the code can exchange it for a grant token.

Audit Trail Best Practices

The audit log is your forensic record. Use it proactively:
  • Log every sensitive action — file access, payment initiation, data deletion
  • Include metadata — resource IDs, amounts, user-facing descriptions
  • Use appropriate status valuessuccess, failure, or blocked
  • Query audit entries regularly — detect anomalies before they become incidents
  • Enable the anomaly detection worker — it flags rate spikes, high failure rates, and off-hours activity automatically

Key Rotation

  • Rotate your Grantex API key periodically using POST /v1/keys/rotate
  • After rotation, update all services that use the old key
  • The old key is immediately invalidated — plan for a brief deployment window

Summary Checklist

Store tokens in memory or encrypted server-side stores
Use resource:action scope format with least privilege
Handle 401 gracefully — never retry revoked tokens
Minimize delegation depth and always narrow scopes
Always use PKCE S256 in production
Log all sensitive agent actions to the audit trail
Enable webhooks for grant.revoked events
Rotate API keys periodically
Last modified on July 11, 2026