Skip to main content

Overview

The tokens client provides four operations for managing grant tokens:
  • Exchange an authorization code for a grant token
  • Refresh a grant token using a refresh token
  • Verify a grant token online via the Grantex API
  • Revoke a grant token by its token ID (JTI)
Access the tokens client via client.tokens.

Exchange

Exchange an authorization code for a grant token after the user approves the consent request.

ExchangeTokenParams

ExchangeTokenResponse

Exchange with PKCE

Refresh

Refresh a grant token using a refresh token. Returns a new grant token and a new refresh token (the old refresh token is invalidated). The grant_id stays the same. Refresh tokens are single-use and rotated on every refresh per SPEC §7.4.

RefreshTokenParams

Response

Returns an ExchangeTokenResponse — same shape as exchange(). See above for field descriptions.
Each refresh token can only be used once. If you attempt to reuse a refresh token, the request will be rejected with a 400 error. Always store and use the new refresh_token from the response.

Verify

Verify a grant token online via the Grantex API. This sends the token to the server for validation and returns the token’s metadata.

VerifyTokenResponse

For local signature-and-claim verification without the online revocation endpoint, use verify_grant_token(). The standalone helper still fetches the remote JWKS on every invocation.

Revoke

Revoke a grant token by its token ID (JTI claim). The token is immediately invalidated and can no longer be used.

Parameters

The method returns None. A GrantexApiError is raised if the token does not exist or has already been revoked.

Complete Flow Example

Last modified on July 11, 2026