Overview
Theverify_grant_token() function verifies a Grantex grant token’s signature
and claims locally after retrieving the published JSON Web Key Set (JWKS). It
avoids the online verification/revocation endpoint, but the current standalone
helper fetches the remote JWKS on every invocation and is not network-free.
This is ideal for service-side verification where latency matters and you want to avoid an API round-trip for every request.
Hosted tokens use the canonical issuer
https://grantex.dev, even though the
stable JWKS URL is served from https://api.grantex.dev. The SDK handles this
alias automatically. For self-hosted deployments, it derives the expected
issuer from the JWKS URL unless you set issuer or issuer_did explicitly.Usage
Import
Options
VerifyGrantTokenOptions configures how the token is verified:
Response
verify_grant_token() returns a VerifiedGrant frozen dataclass:
Algorithm
The algorithm is fixed to RS256 per SPEC section 11. Tokens signed with any other algorithm are rejected. This cannot be overridden.Examples
Basic Verification
Require Specific Scopes
With Audience and Clock Tolerance
Verifying Delegated Tokens
Delegated tokens include additional claims for the delegation chain:Error Handling
verify_grant_token() raises GrantexTokenError in the following cases:
- The token header uses an algorithm other than RS256
- The JWKS endpoint is unreachable or returns invalid data
- No matching RSA key is found in the JWKS
- The token signature is invalid
- The token is expired
- The token issuer does not match the expected issuer
- The token audience does not match
audience, when configured - Required claims (
jti,sub,agt,dev,scp,iat,exp) are missing - Required scopes are not present in the token