Offline Verification
This mode validates the JWT signature and claims locally after obtaining public keys from the JWKS endpoint. It avoids the online token-verification/revocation endpoint. The current standalone TypeScript, Python, and Go helpers fetch or resolve the remote JWKS for each invocation, so do not treat them as network-free or assume zero-latency hot-path behavior. How it works:- Resolve the public keys from
/.well-known/jwks.json - Verify the RS256 signature against the public key
- Check
exp,iss, and optionallyaudand required scopes - Return the decoded claims
The JWKS endpoint (
/.well-known/jwks.json) is exempt from rate limits. You can fetch it as often as needed.Hosted grant tokens have
iss: https://grantex.dev, while the stable JWKS alias
is https://api.grantex.dev/.well-known/jwks.json. Current SDKs recognize this
alias automatically. For a self-hosted issuer, configure the expected issuer
explicitly or use the SDK’s custom-JWKS issuer derivation.Online Verification
Online verification callsPOST /v1/tokens/verify, which checks the signature, expiry, and real-time revocation status on the server.
Best for: High-stakes operations (payments, data deletion, privilege escalation).
Hybrid Approach
The hybrid strategy uses local signature-and-claim verification first and calls the online endpoint for sensitive operations. With the standalone helpers, the first step can still include a JWKS network request.Caching Verification Results
Per SPEC §7.4, you may cache online verification results for up to 5 minutes. This reduces API calls while keeping revocation lag acceptable.Choosing a Strategy
Recommendation: Choose based on revocation requirements. Use local
signature-and-claim verification for lower-risk decisions and the online endpoint
for writes or sensitive scopes. For high-volume hot paths, do not assume the
standalone helper provides a persistent JWKS cache; design key caching and
rotation refresh explicitly.