Skip to main content

Overview

The verify_grant_token() function verifies a Grantex grant token’s signature and claims locally after retrieving the published JSON Web Key Set (JWKS). It avoids the online verification/revocation endpoint, but the current standalone helper fetches the remote JWKS on every invocation and is not network-free. This is ideal for service-side verification where latency matters and you want to avoid an API round-trip for every request.
Hosted tokens use the canonical issuer https://grantex.dev, even though the stable JWKS URL is served from https://api.grantex.dev. The SDK handles this alias automatically. For self-hosted deployments, it derives the expected issuer from the JWKS URL unless you set issuer or issuer_did explicitly.

Usage

Import

Options

VerifyGrantTokenOptions configures how the token is verified:

Response

verify_grant_token() returns a VerifiedGrant frozen dataclass:

Algorithm

The algorithm is fixed to RS256 per SPEC section 11. Tokens signed with any other algorithm are rejected. This cannot be overridden.

Examples

Basic Verification

Require Specific Scopes

With Audience and Clock Tolerance

Verifying Delegated Tokens

Delegated tokens include additional claims for the delegation chain:

Error Handling

verify_grant_token() raises GrantexTokenError in the following cases:
  • The token header uses an algorithm other than RS256
  • The JWKS endpoint is unreachable or returns invalid data
  • No matching RSA key is found in the JWKS
  • The token signature is invalid
  • The token is expired
  • The token issuer does not match the expected issuer
  • The token audience does not match audience, when configured
  • Required claims (jti, sub, agt, dev, scp, iat, exp) are missing
  • Required scopes are not present in the token
Last modified on July 11, 2026