Skip to main content

Token type: CAP+JWT

A Vane Agent Passport is a standard JWT with typ: "CAP+JWT". The type string is distinct from SVID tokens (typ: "JWT") to prevent replay attacks across token types. Any JWT library that supports EdDSA can parse a CAP+JWT. The Vane-specific logic is entirely in the counsel claim object and the scope matching rules.

Payload claims

Standard JWT claims (RFC 7519)

Vane-specific claims

All Vane-specific claims are namespaced under the counsel object to avoid collision with JWT extensions.

Scope format

Scopes use category:name format. Matching is evaluated left-to-right against the scopes array: Standard scope categories:

Verification steps

Verification is performed in this order. A failure at any step terminates verification immediately.

Error codes

PASSPORT_REVOKED is only returned by server-side verification (POST /v1/passport/verify). Offline verification via @vane.build/mcp-middleware does not check revocation — use GET /v1/ocsp/:jti for that.

AttestationReceipt

Every successful verification produces an AttestationReceipt. This is not a signature — it is a transparency record produced by the verifier. It can be logged and stored independently of the passport.