Skip to main content

Overview

verifyGrantToken() is a standalone function that verifies signatures and claims locally after retrieving the published JWKS (JSON Web Key Set). It validates the RS256 signature, issuer, expiry, and optional scopes and audience. The current standalone helper resolves the remote JWKS on each invocation, so it is not a network-free hot path. Use it when signature-and-claim validation without a revocation lookup is the right trade-off. It avoids POST /v1/tokens/verify, but the JWKS endpoint must be reachable for each standalone helper call.
The standalone helper may contact the JWKS endpoint when it resolves keys. Keep that endpoint reachable from the verifying service; token validation itself is performed locally and does not call POST /v1/tokens/verify.
Hosted tokens use the canonical issuer https://grantex.dev, even though the stable JWKS URL is served from https://api.grantex.dev. The SDK handles this alias automatically. For self-hosted deployments, it derives the expected issuer from the JWKS URL unless you set issuer or issuerDid explicitly.

Import

This function does not require a Grantex client instance.

Parameters

token
string
required
The grant token JWT string to verify.
options
VerifyGrantTokenOptions
required
Verification options.

VerifyGrantTokenOptions

jwksUri
string
required
The JWKS endpoint URL. For the hosted service, use https://api.grantex.dev/.well-known/jwks.json.
requiredScopes
string[]
If provided, the function throws GrantexTokenError when the token is missing any of these scopes.
audience
string
Expected aud claim. If provided, verification fails when the token’s audience does not match.
issuer
string
Expected iss claim. The hosted JWKS alias automatically expects https://grantex.dev; custom JWKS URLs derive the issuer from their URL when this option is omitted.
issuerDid
string
A did:web issuer identifier. When provided, the SDK derives both the JWKS URL and expected issuer from the DID. An explicit issuer still takes precedence.
clockTolerance
number
Optional clock-skew tolerance, in seconds, for time-based JWT claims.

Response: VerifiedGrant

tokenId
string
Unique token ID (the jti JWT claim).
grantId
string
The grant record ID (from the grnt claim, falls back to jti).
principalId
string
The end-user who authorized the agent (the sub claim).
agentDid
string
The agent’s decentralized identifier (the agt claim).
developerId
string
The developer organization that owns the agent (the dev claim).
scopes
string[]
The scopes granted to the agent (the scp claim).
issuedAt
number
Token issued-at timestamp in seconds since the Unix epoch.
expiresAt
number
Token expiry timestamp in seconds since the Unix epoch.
parentAgentDid
string
The parent agent’s DID, present only for delegated grants.
parentGrantId
string
The parent grant ID, present only for delegated grants.
delegationDepth
number
The delegation depth (0 = root grant, 1 = first-level delegation, etc.). Present only for delegated grants.

Error handling

verifyGrantToken() throws GrantexTokenError in the following cases:
  • The JWT signature is invalid
  • The token has expired
  • The token issuer does not match the expected issuer
  • Required claims (jti, sub, agt, dev, scp, iat, exp) are missing
  • The token is missing one or more requiredScopes
  • The audience does not match

JWT claims mapping

The following table shows how JWT claims map to VerifiedGrant fields:

Comparison with online verification

Last modified on July 11, 2026