# Capability Tokens

Short-lived JWTs that prove a tool call was authorized. Provides replay protection via nonce validation.

Token Properties

30-Second TTL

Expires quickly to minimize attack window

Single Use

Nonce tracking prevents replay

HMAC-SHA256

Cryptographically signed

Token Verification

typescript

1// Get token from validation
2const result = await api.validate('file_read', { path: '/data/file.txt' });
3const { token } = result;
4
5// Verify the token (single use)
6const verification = await api.tokens.verify(token);
7
8if (verification.valid) {
9  console.log('Tool:', verification.tool);
10  console.log('Scope:', verification.scope);
11  // Execute the tool
12} else {
13  console.error('Invalid:', verification.error);
14  // Errors: "Token expired", "Token already used", "Invalid signature"
15}

Local Token Issuer

typescript

1import { TokenIssuer } from '@solongate/sdk';
2
3const issuer = new TokenIssuer({
4  secret: process.env.TOKEN_SECRET!,
5  ttlSeconds: 30,  // Default: 30 seconds
6});
7
8// Issue a token
9const token = issuer.issue({
10  tool: 'file_read',
11  arguments: { path: '/data/file.txt' },
12  scope: ['read'],
13});
14
15// Verify a token
16const result = issuer.verify(token);
17if (result.valid) {
18  console.log('Token payload:', result.payload);
19}

Token Structure

json

1// JWT Payload
2{
3  "tool": "file_read",
4  "args_hash": "sha256:abc123...",  // Hash of arguments
5  "scope": ["read"],
6  "nonce": "unique-nonce-id",
7  "iat": 1705312200,  // Issued at
8  "exp": 1705312230   // Expires at (30s later)
9}

Policies Rate Limiting