Skip to main content
Grantex supports two verification approaches, each with different trade-offs. This guide helps you pick the right strategy — or combine them.

Offline Verification

This mode validates the JWT signature and claims locally after obtaining public keys from the JWKS endpoint. It avoids the online token-verification/revocation endpoint. The current standalone TypeScript, Python, and Go helpers fetch or resolve the remote JWKS for each invocation, so do not treat them as network-free or assume zero-latency hot-path behavior. How it works:
  1. Resolve the public keys from /.well-known/jwks.json
  2. Verify the RS256 signature against the public key
  3. Check exp, iss, and optionally aud and required scopes
  4. Return the decoded claims
Best for: High-velocity endpoints, latency-sensitive paths, reducing API calls.
Trade-off: Offline verification does not check the revocation list. A revoked token will still pass offline verification until it expires.
The JWKS endpoint (/.well-known/jwks.json) is exempt from rate limits. You can fetch it as often as needed.
Hosted grant tokens have iss: https://grantex.dev, while the stable JWKS alias is https://api.grantex.dev/.well-known/jwks.json. Current SDKs recognize this alias automatically. For a self-hosted issuer, configure the expected issuer explicitly or use the SDK’s custom-JWKS issuer derivation.

Online Verification

Online verification calls POST /v1/tokens/verify, which checks the signature, expiry, and real-time revocation status on the server. Best for: High-stakes operations (payments, data deletion, privilege escalation).
Trade-off: Adds network latency and counts against the applicable rate limits, including the active Fastify per-IP policy (the 5,000 requests/minute default on this route) and, for standard developer API-key calls, the caller’s additional plan budget.

Hybrid Approach

The hybrid strategy uses local signature-and-claim verification first and calls the online endpoint for sensitive operations. With the standalone helpers, the first step can still include a JWKS network request.

Caching Verification Results

Per SPEC §7.4, you may cache online verification results for up to 5 minutes. This reduces API calls while keeping revocation lag acceptable.
Do not cache for longer than 5 minutes. Revoked tokens must be detected within a reasonable window.

Choosing a Strategy

Recommendation: Choose based on revocation requirements. Use local signature-and-claim verification for lower-risk decisions and the online endpoint for writes or sensitive scopes. For high-volume hot paths, do not assume the standalone helper provides a persistent JWKS cache; design key caching and rotation refresh explicitly.

Token Refresh

When a grant token expires, use the refresh token to obtain a new one without re-prompting the user:
Refresh tokens are single-use. Each refresh returns a new refresh token, forming a rotation chain. If a refresh token is used twice, the second attempt is rejected — this detects token theft.
Last modified on July 14, 2026