Skip to main content

Overview

The tokens sub-client handles the token lifecycle: exchanging authorization codes for grant tokens, verifying tokens via the API, and revoking tokens.

tokens.exchange()

Exchange an authorization code for a signed grant token (RS256 JWT).

Parameters

code
string
required
The authorization code received at your redirectUri after user consent.
agentId
string
required
The ID of the agent that initiated the authorization request.
codeVerifier
string
The PKCE code verifier. Required if codeChallenge was provided in the authorize step. See PKCE.

Response: ExchangeTokenResponse

grantToken
string
The signed RS256 JWT grant token. Pass this to your agent for use in API calls.
grantId
string
The unique grant record ID.
scopes
string[]
The scopes granted by the user.
expiresAt
string
ISO 8601 timestamp when the grant token expires.
refreshToken
string
A refresh token for obtaining new grant tokens without re-authorization.

tokens.refresh()

Refresh a grant token using a refresh token. Returns a new grant token and a new refresh token (the old refresh token is invalidated). The grantId stays the same. Refresh tokens are single-use and rotated on every refresh per SPEC §7.4.

Parameters

refreshToken
string
required
The refresh token from a previous exchange() or refresh() response.
agentId
string
required
The agent ID associated with the grant.

Response: ExchangeTokenResponse

Returns the same shape as exchange() — see above for field descriptions.
Each refresh token can only be used once. If you attempt to reuse a refresh token, the request will be rejected with a 400 error. Always store and use the new refreshToken from the response.

tokens.verify()

Verify a grant token online via the Grantex API. This is useful when you want server-side validation without managing JWKS yourself.

Parameters

token
string
required
The grant token JWT string to verify.

Response: VerifyTokenResponse

valid
boolean
Whether the token is valid and not expired/revoked.
grantId
string
The grant record ID (present when valid is true).
scopes
string[]
The granted scopes.
principal
string
The user (principal) who authorized the grant.
agent
string
The agent DID that holds the grant.
expiresAt
string
ISO 8601 timestamp when the token expires.
For local signature-and-claim verification without the online revocation endpoint, use verifyGrantToken(). The standalone helper still resolves the remote JWKS on each call.

tokens.revoke()

Revoke a token by its token ID (the jti claim). The API responds with 204 No Content.

Parameters

tokenId
string
required
The token ID (jti claim from the JWT) to revoke.

Response

Returns void. The token is immediately invalidated.

Full example

Last modified on July 11, 2026