Overview
VerifyGrantToken verifies a grant token JWT locally using keys from the Grantex
JWKS endpoint. It avoids the online token-verification endpoint, including its
revocation lookup.
The standalone helper fetches keys from the configured JWKS endpoint on every
verification call, so that endpoint must be reachable. It does not call the
online token-verification/revocation API, but it is not network-free.
Options
Hosted tokens use the canonical issuer
https://grantex.dev, even though the
stable JWKS URL is served from https://api.grantex.dev. The SDK handles this
alias automatically.
Response (VerifiedGrant)
Scope Checking
Error Handling
Returns*grantex.TokenError for:
- Missing or invalid JWKS URI
- Expired tokens
- Invalid signatures
- Issuer or audience mismatches
- Missing or incorrectly typed required claims (
jti,sub,agt,dev,scp,iat,exp) - Missing required scopes
- Malformed JWTs