Skip to main content

Install

Quick Start

Two lines of middleware protect your entire API:
After requireGrantToken() succeeds, every downstream handler can access req.grant — a fully typed VerifiedGrant object containing the principal, agent, scopes, and timestamps.

How It Works

  1. requireGrantToken() extracts the Bearer token from the Authorization header
  2. It resolves the signing key from the configured JWKS endpoint and verifies the RS256 signature and claims locally
  3. On success, req.grant is populated and next() is called
  4. requireScopes() checks that req.grant.scopes contains every required scope
  5. If any scope is missing, it returns a 403 Forbidden response

Factory Pattern

Use createGrantex() to avoid repeating the same options on every route:
You can still override options per-route:

Custom Token Extraction

By default, the middleware reads the Authorization: Bearer <token> header. You can override this:

Custom Error Handling

Provide an onError callback to customize error responses:

Error Codes


req.grant Reference

After requireGrantToken() succeeds, req.grant contains a VerifiedGrant:

Full Example

A complete Express API protected by Grantex:

TypeScript Support

Import GrantexRequest for typed route handlers:
All types are exported:

Requirements

  • Node.js 18+
  • Express 4.18+
  • @grantex/sdk >= 0.1.0
Last modified on July 11, 2026