@glideco/grant-wrapper on every tool invocation per the F3 IRON RULE.
Canonical URL
https://glide.co/schemas/agent-banking/v1/grant.json (alias of scoped-grant-claims).
Required claims
| Claim | Type | Meaning |
|---|---|---|
sub | string | Principal user ID (the human). |
act.sub | string | Agent principal ID (the acting agent). |
azp | string | Authorized party — the registered MCP client_id. |
aud.vault_id | string | Scoped resource vault (RFC 8707 resource indicator). |
aud.entity_id | string | Scoped resource entity. |
scope | string (space-separated) | Closed-vocab SkillScope set. |
policy_version | number | Envelope version at grant issue time. F5 mismatch detection. |
iat | number | Issued at (epoch seconds). |
nbf | number | Not before (epoch seconds). |
exp | number | Expiry (epoch seconds). Max TTL: 3600 (60 minutes). |
jti | string | Server-side grant ID for revocation. |
Validation contract
@glideco/grant-wrapper re-validates every grant on every tool invocation:
- JWT signature — verified against the AS’s JWKS.
expnot in past — bearer expiry.exp - iat ≤ 3600— max TTL enforcement.aud.vault_idpresent + matches the resource indicator on the request — RFC 8707 enforcement.act.subcorresponds to a registered agent — DB lookup.- F3 IRON RULE — fresh-read tenant verification. Re-reads the principal’s tenant from DB. Cached grant alone NEVER authorizes.
policy_versionmatches the current envelope — mismatch raisesPolicyStaleError(F5).
Step-up extension
When the requested tool action exceeds the envelope’sstep_up_threshold_usd_cents, the gateway returns JSON-RPC -32003 with a step_up_url. The principal completes biometric approval; the gateway issues a step_up_sigil (single-use, F7); the agent retries with the sigil.
Example
Reading list
- OAuth flow — RFC 7591 + 8707 + PKCE walkthrough.
- AgentPolicyEnvelope — what
policy_versionreferences. - Money-safety contracts — F3 + F5.