Token type: CAP+JWT
A Vane Agent Passport is a standard JWT with typ: "CAP+JWT". The type string is distinct from SVID tokens (typ: "JWT") to prevent replay attacks across token types.
Any JWT library that supports EdDSA can parse a CAP+JWT. The Vane-specific logic is entirely in the counsel claim object and the scope matching rules.
Header
Payload claims
Standard JWT claims (RFC 7519)
Vane-specific claims
All Vane-specific claims are namespaced under thecounsel object to avoid collision with JWT extensions.
Scope format
Scopes usecategory:name format. Matching is evaluated left-to-right against the scopes array:
Standard scope categories:
Verification steps
Verification is performed in this order. A failure at any step terminates verification immediately.Error codes
PASSPORT_REVOKED is only returned by server-side verification (POST /v1/passport/verify). Offline verification via @vane.build/mcp-middleware does not check revocation — use GET /v1/ocsp/:jti for that.
AttestationReceipt
Every successful verification produces an AttestationReceipt. This is not a signature — it is a transparency record produced by the verifier. It can be logged and stored independently of the passport.