{ "$id": "https://glide.co/schemas/agent-banking/draft/grant.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "Grant", "description": "Alias of ScopedGrantClaims — the bearer-grant payload as it lands at /mcp/* tools. Use this when you want the wire-shape name; use ScopedGrantClaims when you want the JWT-claims-emphasis name. The shape is identical and tracked via $ref to keep them in lockstep.", "channel": "v1", "examples": [ { "iss": "https://glide.co", "sub": "11111111-1111-4111-8111-111111111111", "act": { "sub": "22222222-2222-4222-8222-222222222222" }, "azp": "claude-desktop-prod", "aud": { "vault_id": "33333333-3333-4333-8333-333333333333", "entity_id": "44444444-4444-4444-8444-444444444444" }, "scope": ["payments:initiate"], "policy_version": 1, "iat": 1745539200, "nbf": 1745539200, "exp": 1745542800, "jti": "55555555-5555-4555-8555-555555555555" } ], "schema": { "$schema": "https://json-schema.org/draft/2020-12/schema", "type": "object", "properties": { "iss": { "type": "string", "format": "uri", "pattern": "^https://[^\\s]+$", "maxLength": 256, "description": "RFC 7519 §4.1.1 issuer. Identifier of Glide's authorization server. Optional at v1 for backward compat with the original /draft/ shape; SHOULD be set on newly-issued grants." }, "sub": { "$ref": "_types.json#/$defs/uuidV4", "description": "RFC 7519 §4.1.2 subject — the human principal who owns the vault." }, "act": { "type": "object", "description": "Actor claim (RFC 8693 §4.1) — the agent acting on behalf of `sub`.", "properties": { "sub": { "$ref": "_types.json#/$defs/uuidV4", "description": "agent_principal_id — the synthetic principal representing the agent." } }, "required": ["sub"], "additionalProperties": false }, "azp": { "type": "string", "minLength": 1, "maxLength": 128, "pattern": "^[a-zA-Z0-9][a-zA-Z0-9._:\\-]*$", "description": "RFC 7519 §4.1.3 / OIDC §2 authorized party — the registered MCP client. Identifier format: alphanumeric plus `._:-`." }, "aud": { "type": "object", "description": "RFC 8707 resource indicator — both vault_id AND entity_id must match the resource being acted on. Object form (non-standard RFC 7519); verifiers MUST check both fields.", "properties": { "vault_id": { "$ref": "_types.json#/$defs/uuidV4", "description": "Vault this grant scopes to." }, "entity_id": { "$ref": "_types.json#/$defs/uuidV4", "description": "Entity (tenant) the vault belongs to." } }, "required": ["vault_id", "entity_id"], "additionalProperties": false }, "scope": { "type": "array", "minItems": 1, "uniqueItems": true, "description": "RFC 6749 §3.3 scope set. Closed vocabulary; see _types.json#/$defs/agentScope.", "items": { "$ref": "_types.json#/$defs/agentScope" } }, "resource": { "type": "array", "uniqueItems": true, "minItems": 1, "maxItems": 8, "description": "RFC 8707 resource indicators in canonical https URI form. Optional at v1; new code MAY emit this for OAuth-tooling compatibility.", "items": { "type": "string", "format": "uri", "pattern": "^https://[^\\s#]+$", "maxLength": 512 } }, "policy_version": { "$ref": "_types.json#/$defs/nonNegativeInt", "description": "Policy version at issuance. Verifier re-checks against current (vault_id, policy_version)." }, "iat": { "$ref": "_types.json#/$defs/unixSecondsPositive", "description": "RFC 7519 §4.1.6 issued-at. Unix epoch seconds. MUST be <= nbf <= exp." }, "nbf": { "$ref": "_types.json#/$defs/unixSecondsPositive", "description": "RFC 7519 §4.1.5 not-before. Unix epoch seconds." }, "exp": { "$ref": "_types.json#/$defs/unixSecondsPositive", "description": "RFC 7519 §4.1.4 expiry. Unix epoch seconds. MUST satisfy exp - iat <= 3600 (60-minute TTL cap, server-enforced)." }, "jti": { "$ref": "_types.json#/$defs/uuidV4", "description": "RFC 7519 §4.1.7 JWT ID. Equals the grant row's primary key; used for revocation lookup." } }, "required": [ "sub", "act", "azp", "aud", "scope", "policy_version", "iat", "nbf", "exp", "jti" ], "additionalProperties": false } }