Function: createAccessTokenVerifier()

createAccessTokenVerifier(options): (token) => Promise<VerifiedAccessToken | null>

Defined in: createAccessTokenVerifier.ts:61

Builds a verifier for opaque, server-stored access tokens on top of an AccessTokenStore. It hashes the presented bearer token, looks it up by hash, and enforces:

  • No plaintext — only the hash crosses the store boundary, so neither the verifier nor the database ever holds a usable token.
  • Default-deny — an unknown or expired token resolves to null without revealing whether it ever existed.
  • Expiry — a token past expiresAt is rejected; expiresAt: null (a personal-API-key opt-in) skips the expiry check.

The verify path is read-only by default; opt into touchLastUsed to record usage as a fire-and-forget write. Revocation is immediate — a token removed from the store (via delete/deleteBySubject) fails the very next call.

Parameters

Parameter   Type
options     AccessTokenVerifierOptions

Returns

(token) => Promise<VerifiedAccessToken | null>

Example

// Issue: mint an opaque token, persist only its hash.
// Assumes `store` is an AccessTokenStore and `subject`, `scopes`, `clientId`
// and `expiresAt` come from the issuance request (not shown on this page).
const { token, tokenHash } = generateApiToken({ prefix: 'myapp' });
await store.save({ tokenHash, subject, scopes, clientId, expiresAt });
// Hand `token` to the client once; the plaintext is never stored.

// Verify (e.g. wired into an MCP/HTTP auth layer).
const verify = createAccessTokenVerifier({ store, touchLastUsed: true });
const identity = await verify(bearerToken); // VerifiedAccessToken | null
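The following is an added, self-contained illustration of the behaviour described above (hash-only storage, default-deny, expiry with a null opt-out, fire-and-forget last-used writes, immediate revocation); it is not the project's own code. The store method names (findByHash, touchLastUsed), the choice of SHA-256 and the InMemoryTokenStore are assumptions made for the example, not this library's API.

```typescript
// Added example (not the project's code): a minimal verifier for opaque,
// server-stored tokens that keeps only a SHA-256 hash in the store.
// The store method names (findByHash, touchLastUsed, ...) are assumptions.
import { createHash, randomBytes } from 'node:crypto';

export interface StoredToken {
  tokenHash: string;
  subject: string;
  scopes: string[];
  clientId: string;
  expiresAt: Date | null; // null opts out of the expiry check (personal API key)
  lastUsedAt?: Date;
}

export interface VerifiedToken {
  subject: string;
  scopes: string[];
  clientId: string;
}

// Assumed store boundary: only tokenHash ever crosses it, never the token.
export interface TokenStore {
  save(rec: StoredToken): Promise<void>;
  findByHash(tokenHash: string): Promise<StoredToken | null>;
  delete(tokenHash: string): Promise<void>;
  touchLastUsed(tokenHash: string, at: Date): Promise<void>;
}

export class InMemoryTokenStore implements TokenStore {
  private readonly rows = new Map<string, StoredToken>();
  async save(rec: StoredToken): Promise<void> { this.rows.set(rec.tokenHash, { ...rec }); }
  async findByHash(h: string): Promise<StoredToken | null> {
    const r = this.rows.get(h);
    return r ? { ...r } : null;
  }
  async delete(h: string): Promise<void> { this.rows.delete(h); }
  async touchLastUsed(h: string, at: Date): Promise<void> {
    const r = this.rows.get(h);
    if (r) r.lastUsedAt = at;
  }
  lastUsedAt(h: string): Date | undefined { return this.rows.get(h)?.lastUsedAt; }
}

// Hash function is an assumption; a plain preimage-resistant hash suffices
// because the token itself is high-entropy random, so no salt or slow KDF is needed.
export function hashToken(token: string): string {
  return createHash('sha256').update(token, 'utf8').digest('hex');
}

// A token is rejected from expiresAt onward; expiresAt === null never expires.
export function isExpired(rec: StoredToken, now: Date): boolean {
  return rec.expiresAt !== null && now.getTime() >= rec.expiresAt.getTime();
}

// Mint: 256 bits of randomness behind a readable prefix; persist only the hash.
export function mintToken(prefix: string): { token: string; tokenHash: string } {
  const token = `${prefix}_${randomBytes(32).toString('base64url')}`;
  return { token, tokenHash: hashToken(token) };
}

export function createVerifier(opts: { store: TokenStore; touchLastUsed?: boolean; now?: () => Date }) {
  const now = opts.now ?? (() => new Date());
  return async (token: string): Promise<VerifiedToken | null> => {
    const tokenHash = hashToken(token);
    const rec = await opts.store.findByHash(tokenHash);
    // Default-deny: unknown and expired tokens get the same null answer.
    if (rec === null || isExpired(rec, now())) return null;
    if (opts.touchLastUsed) {
      // Fire-and-forget: a failed usage write must never fail verification.
      void opts.store.touchLastUsed(tokenHash, now()).catch(() => undefined);
    }
    return { subject: rec.subject, scopes: rec.scopes, clientId: rec.clientId };
  };
}

// Walks the lifecycle with constructed data: fresh, unknown, expired, non-expiring, revoked.
export async function demo() {
  const store = new InMemoryTokenStore();
  let clock = new Date('2025-01-01T00:00:00Z'); // injectable clock for the expiry case
  const verify = createVerifier({ store, touchLastUsed: true, now: () => clock });

  const a = mintToken('myapp');
  await store.save({ tokenHash: a.tokenHash, subject: 'user-1', scopes: ['read'],
    clientId: 'cli', expiresAt: new Date('2025-01-01T01:00:00Z') });
  const b = mintToken('myapp');
  await store.save({ tokenHash: b.tokenHash, subject: 'user-2', scopes: ['read', 'write'],
    clientId: 'cli', expiresAt: null });

  const fresh = await verify(a.token);
  const unknown = await verify('myapp_not-a-minted-token');
  clock = new Date('2025-01-01T02:00:00Z'); // one hour past a's expiresAt
  const expired = await verify(a.token);
  const noExpiry = await verify(b.token);
  await store.delete(b.tokenHash); // revoke: the very next call fails
  const revoked = await verify(b.token);
  const touched = store.lastUsedAt(a.tokenHash) !== undefined;
  return { fresh, unknown, expired, noExpiry, revoked, touched };
}

demo().then((r) => console.log(r));
```

The verifier never branches on whether a hash was absent versus expired, so a caller learns nothing about a token's history from a null result, and the usage write is detached from the verify promise so a slow or failing store cannot turn a read path into a denial of service.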