Function: createAccessTokenVerifier()
```ts
createAccessTokenVerifier(options): (token) => Promise<VerifiedAccessToken | null>
```
Defined in: createAccessTokenVerifier.ts:61
Builds a verifier for opaque, server-stored access tokens on top of an `AccessTokenStore`. It hashes the presented bearer token, looks it up by hash, and enforces:

- No plaintext — only the hash crosses the store boundary, so neither the verifier nor the database ever holds a usable token.
- Default-deny — an unknown or expired token resolves to `null` without revealing whether it ever existed.
- Expiry — a token past `expiresAt` is rejected; `expiresAt: null` (a personal-API-key opt-in) skips the expiry check.

The verify path is read-only by default; opt into `touchLastUsed` to record usage as a fire-and-forget write. Revocation is immediate — a token removed from the store (via `delete`/`deleteBySubject`) fails the very next call.
Parameters
| Parameter | Type |
|---|---|
| options | AccessTokenVerifierOptions |
Returns
`(token) => Promise<VerifiedAccessToken | null>`
Example
```ts
// Issue: mint an opaque token and persist only its hash.
// `store`, `subject`, `scopes`, `clientId` and `expiresAt` come from the issuing context.
const { token, tokenHash } = generateApiToken({ prefix: 'myapp' });
await store.save({ tokenHash, subject, scopes, clientId, expiresAt });
// The plaintext `token` is handed to the client once and never stored.

// Verify (e.g. wired into an MCP/HTTP auth layer).
const verify = createAccessTokenVerifier({ store, touchLastUsed: true });
const identity = await verify(bearerToken); // VerifiedAccessToken | null
```
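The following is an added illustration, not the library's own code: a minimal in-memory store plus a verifier that reproduces the rules above (hash-only lookup, the same `null` for unknown and expired tokens, `expiresAt: null` skipping expiry, fire-and-forget `touchLastUsed`, immediate revocation). The store interface, field names, SHA-256 digest and token format are assumptions made for the example.

```typescript
import { createHash, randomBytes } from "node:crypto";
// Constructed shapes mirroring the page's contract (assumed, not the library's own types).
interface StoredToken { tokenHash: string; subject: string; scopes: string[]; expiresAt: Date | null; lastUsedAt?: Date }
interface VerifiedAccessToken { subject: string; scopes: string[] }
interface AccessTokenStore {
  findByHash(tokenHash: string): Promise<StoredToken | null>;
  touch(tokenHash: string, at: Date): Promise<void>;
  delete(tokenHash: string): Promise<void>;
}
// Only this digest reaches the store; the plaintext token exists only on the client side.
const hashToken = (token: string) => createHash("sha256").update(token).digest("hex");

class MemoryStore implements AccessTokenStore {
  rows = new Map<string, StoredToken>();
  async save(row: StoredToken) { this.rows.set(row.tokenHash, row); }
  async findByHash(h: string) { return this.rows.get(h) ?? null; }
  async touch(h: string, at: Date) { const r = this.rows.get(h); if (r) r.lastUsedAt = at; }
  async delete(h: string) { this.rows.delete(h); }
}

function createVerifier(store: AccessTokenStore, touchLastUsed = false, now = () => new Date()) {
  return async (token: string): Promise<VerifiedAccessToken | null> => {
    const row = await store.findByHash(hashToken(token));
    if (!row) return null;                                                    // unknown: default-deny
    if (row.expiresAt !== null && row.expiresAt.getTime() <= now().getTime()) return null; // expired: same null
    if (touchLastUsed) void store.touch(row.tokenHash, now()).catch(() => {}); // fire-and-forget, never blocks
    return { subject: row.subject, scopes: row.scopes };
  };
}

// Issue two tokens, then walk through live / unknown / expired / no-expiry / revoked outcomes.
async function runScenario() {
  const store = new MemoryStore();
  const clock = { t: new Date("2025-01-01T00:00:00Z") };                      // injectable clock
  const verify = createVerifier(store, true, () => clock.t);
  const token = "myapp_" + randomBytes(16).toString("hex");                   // constructed, like generateApiToken()
  const apiKey = "myapp_" + randomBytes(16).toString("hex");
  await store.save({ tokenHash: hashToken(token), subject: "alice", scopes: ["read"], expiresAt: new Date("2025-01-02T00:00:00Z") });
  await store.save({ tokenHash: hashToken(apiKey), subject: "svc", scopes: ["read"], expiresAt: null });
  const live = (await verify(token))?.subject ?? null;
  const touched = store.rows.get(hashToken(token))?.lastUsedAt?.getTime() === clock.t.getTime();
  const unknown = await verify("myapp_" + "0".repeat(32));                    // never issued
  clock.t = new Date("2025-01-03T00:00:00Z");                                 // step past expiresAt
  const expired = await verify(token);
  const keyStillValid = (await verify(apiKey))?.subject ?? null;              // expiresAt: null skips the check
  await store.delete(hashToken(apiKey));
  const revoked = await verify(apiKey);                                       // revocation is immediate
  return { live, touched, unknown, expired, keyStillValid, revoked };
}
```

`runScenario()` resolves to `{ live: "alice", touched: true, unknown: null, expired: null, keyStillValid: "svc", revoked: null }`; note that the caller cannot tell the unknown, expired and revoked cases apart, which is the intended default-deny behaviour.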