- Simple online verification: the easiest way is to use the public POST /v1/verify endpoint. Any of your services can call this with the agent's credential. It's a stateless check that returns a JSON object confirming whether the token is valid and, crucially, what scopes and user_identifier it was issued for.
- Decentralized/offline verification: for more advanced use cases or high-throughput services that want to avoid a network call, you can also verify the credentials offline. The tokens are standard JWTs signed with RS256, and I expose the public keys via a standard /.well-known/jwks.json endpoint on the main domain. You can fetch the keys, cache them, and then verify the token signatures locally.
The goal is to make it easy for a developer to get started with the online endpoint, while still providing the standard, scalable method for more mature systems. Thanks for checking it out!