Skip to main content

Overview

VerifyGrantToken verifies a grant token JWT locally using the Grantex JWKS endpoint. This avoids an API call per request and is ideal for high-throughput services. 
grant, err := grantex.VerifyGrantToken(ctx, tokenString, grantex.VerifyOptions{
    JwksURI: "https://api.grantex.dev/.well-known/jwks.json",
})
if err != nil {
    log.Fatal(err)
}
fmt.Printf("Principal: %s, Scopes: %v\n", grant.PrincipalID, grant.Scopes)

Options

FieldTypeRequiredDescription
JwksURIstringYesURL to fetch the JWKS from
RequiredScopes[]stringNoScopes the token must contain
AudiencestringNoExpected aud claim
ClockTolerancetime.DurationNoTolerance for clock skew

Response (VerifiedGrant)

FieldTypeDescription
TokenIDstringJWT jti claim
GrantIDstringGrant ID (grnt claim, falls back to jti)
PrincipalIDstringEnd-user (sub claim)
AgentDIDstringAgent DID (agt claim)
DeveloperIDstringDeveloper (dev claim)
Scopes[]stringGranted scopes (scp claim)
IssuedAtint64Unix timestamp
ExpiresAtint64Unix timestamp
ParentAgentDID*stringParent agent for delegated grants
ParentGrantID*stringParent grant for delegated grants
DelegationDepth*intDelegation depth (0 = root)

Scope Checking

grant, err := grantex.VerifyGrantToken(ctx, token, grantex.VerifyOptions{
    JwksURI:        "https://api.grantex.dev/.well-known/jwks.json",
    RequiredScopes: []string{"read:email", "send:email"},
})
// Returns *TokenError if any required scope is missing

Error Handling

Returns *grantex.TokenError for:
  • Missing or invalid JWKS URI
  • Expired tokens
  • Invalid signatures
  • Missing required scopes
  • Malformed JWTs