
Tokens · the wire format

RS256 · single-use · TTL-bounded.

An Authority Token is the wire format that authorizes execution. It is a JWS — header, payload, signature — that the connector verifies against the tenant’s public key.

Authority Token · RS256 · issued LOCAL · typ: AUTH

Header · the JWS algorithm + token type
contents: { "alg": "RS256", "typ": "AUTH" }
alg: RS256 · RSA-SHA256, 2048-bit, tenant-scoped key
typ: AUTH · authority-scoped, single-use
Live · single-use · 10 min ttl

02 · Properties

RS256 · 4096-bit, tenant-scoped
single-use · replay refused at connector
10 min · default TTL · configurable
kid-pinned · tenant public-key verify

03 · What the connector checks

01 · Signature

Tenant public key

RSASSA-PKCS1-v1_5 with SHA-256 over the header.payload signing input. Verified against the kid-pinned tenant public key; a per-tenant /.well-known/jwks.json route is shipping soon.

02 · TTL

Not past exp

10-minute default. The connector refuses anything past expiry. No grace window.

03 · Intent hash

Matches declared action

The intent_hash claim binds the token to the specific action it was issued for.

04 · Revocation

Not in revoke list

Tokens can be revoked mid-TTL. Connectors check the revocation registry as part of verification.
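
The four checks above plus the single-use property, as an added Node.js example (not code from this page or its vendor). The jti claim name, the SHA-256-hex form of intent_hash, the kid value and the in-memory revocation and replay sets are assumptions for illustration; issue() exists only to build a constructed token.

```javascript
const crypto = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");
const sha256hex = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Constructed tenant key pair (size chosen only to keep the example fast) and kid.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const pinnedKeys = new Map([["tenant-a-key-1", publicKey]]); // kid -> pinned public key

// Test-only issuer: builds a constructed token so the verifier has input.
function issue(claims, kid = "tenant-a-key-1") {
  const header = { alg: "RS256", typ: "AUTH", kid };
  const input = b64u(JSON.stringify(header)) + "." + b64u(JSON.stringify(claims));
  return input + "." + crypto.sign("sha256", Buffer.from(input), privateKey).toString("base64url");
}

// Returns "ok" or the refusal reason. state = { revoked: Set, seen: Set } of jti values.
function verify(token, action, state, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url"));
    claims = JSON.parse(Buffer.from(parts[1], "base64url"));
  } catch {
    return "malformed";
  }
  if (!header || !claims) return "malformed";
  // The verifier fixes alg and typ; the token never chooses the algorithm.
  if (header.alg !== "RS256" || header.typ !== "AUTH") return "bad_header";
  const key = pinnedKeys.get(header.kid);
  if (!key) return "unknown_kid";
  // 01 Signature: RSASSA-PKCS1-v1_5 with SHA-256 over "header.payload".
  const sig = Buffer.from(parts[2], "base64url");
  if (!crypto.verify("sha256", Buffer.from(parts[0] + "." + parts[1]), key, sig)) return "bad_signature";
  if (typeof claims.jti !== "string") return "malformed";
  // 02 TTL: refused at or past exp, no grace window.
  if (typeof claims.exp !== "number" || now >= claims.exp) return "expired";
  // 03 Intent hash: must match the action the connector is about to run.
  if (claims.intent_hash !== sha256hex(action)) return "intent_mismatch";
  // 04 Revocation: checked even though the token is still inside its TTL.
  if (state.revoked.has(claims.jti)) return "revoked";
  // Single-use: the jti is consumed only after every other check has passed.
  if (state.seen.has(claims.jti)) return "replayed";
  state.seen.add(claims.jti);
  return "ok";
}
```

A production connector would keep the revocation and replay sets in shared storage so that every connector instance refuses the same tokens.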
