Overview
verifyGrantToken() is a standalone function that verifies signatures and claims
locally after retrieving the published JWKS (JSON Web Key Set). It validates the
RS256 signature, issuer, expiry, and optional scopes and audience. The current
standalone helper resolves the remote JWKS on each invocation, so it is not a
network-free hot path.
Use it when signature-and-claim validation without a revocation lookup is the
right trade-off. It avoids POST /v1/tokens/verify, but the JWKS endpoint must be
reachable for each standalone helper call.
The standalone helper may contact the JWKS endpoint when it resolves keys.
Keep that endpoint reachable from the verifying service; token validation
itself is performed locally and does not call
POST /v1/tokens/verify.Hosted tokens use the canonical issuer
https://grantex.dev, even though the
stable JWKS URL is served from https://api.grantex.dev. The SDK handles this
alias automatically. For self-hosted deployments, it derives the expected
issuer from the JWKS URL unless you set issuer or issuerDid explicitly.Import
Grantex client instance.
Parameters
The grant token JWT string to verify.
Verification options.
VerifyGrantTokenOptions
The JWKS endpoint URL. For the hosted service, use
https://api.grantex.dev/.well-known/jwks.json.If provided, the function throws
GrantexTokenError when the token is missing any of these scopes.Expected
aud claim. If provided, verification fails when the token’s audience does not match.Expected
iss claim. The hosted JWKS alias automatically expects
https://grantex.dev; custom JWKS URLs derive the issuer from their URL when
this option is omitted.A
did:web issuer identifier. When provided, the SDK derives both the JWKS URL
and expected issuer from the DID. An explicit issuer still takes precedence.Optional clock-skew tolerance, in seconds, for time-based JWT claims.
Response: VerifiedGrant
Unique token ID (the
jti JWT claim).The grant record ID (from the
grnt claim, falls back to jti).The end-user who authorized the agent (the
sub claim).The agent’s decentralized identifier (the
agt claim).The developer organization that owns the agent (the
dev claim).The scopes granted to the agent (the
scp claim).Token issued-at timestamp in seconds since the Unix epoch.
Token expiry timestamp in seconds since the Unix epoch.
The parent agent’s DID, present only for delegated grants.
The parent grant ID, present only for delegated grants.
The delegation depth (
0 = root grant, 1 = first-level delegation, etc.). Present only for delegated grants.Error handling
verifyGrantToken() throws GrantexTokenError in the following cases:
- The JWT signature is invalid
- The token has expired
- The token issuer does not match the expected issuer
- Required claims (
jti,sub,agt,dev,scp,iat,exp) are missing - The token is missing one or more
requiredScopes - The
audiencedoes not match
JWT claims mapping
The following table shows how JWT claims map toVerifiedGrant fields: