Skip to main content

Overview

@grantex/gateway is a standalone reverse-proxy that enforces Grantex grant tokens in front of any upstream API. Define routes and required scopes in a YAML config — no code required.

Quick Start

1. Create gateway.yaml:
2. Start the gateway:
3. Make requests with grant tokens:

How It Works

  1. Route matching — finds the first route matching the request method + path
  2. Token verification — extracts the Bearer token, resolves keys from the configured JWKS endpoint, and verifies signature and claims locally
  3. Scope checking — ensures the grant includes all required scopes
  4. Proxy — strips Authorization header, adds upstream headers + X-Grantex-* context, forwards to upstream
  5. Response — returns the upstream response to the client

YAML Config Reference

Route Definition

Path Matching

Context Headers

The gateway adds these headers to every upstream request: Your upstream API can use these to apply fine-grained business logic without re-verifying the token.

Error Responses

All errors return JSON with error and message fields:

CLI Usage

Library API

Use the gateway programmatically in your own server:

Docker Deployment

Example: Protecting a Calendar API

Last modified on July 11, 2026