Skip to content

Identity Package

The identity packages verify Caracal mandate JWTs. Use them when you are building a connector, transport, or custom resource-server boundary that accepts mandates directly.

EcosystemPackage
TypeScriptnpm install @caracalai/identity
Pythonpip install caracalai-identity
Gogo get github.com/garudex-labs/caracal/packages/identity/go

Node packages target Node >=22; Python packages require Python >=3.12.

OptionMeaning
issuer / IssuerExpected STS issuer.
audience / AudienceExpected audience for the mandate.
zoneId / expected_zone_id / ZoneIDZone claim check. When omitted, the verifier reads the unverified zone_id claim to select the zone keyset, then proves it through signature verification.
requiredScopes / required_scopes / RequiredScopesScopes every accepted mandate must contain.
requiredTargets / required_targets / RequiredTargetsTarget resources every accepted mandate must include.
requiredUse / required_use / RequiredUseToken use, usually resource.
requireAgent / require_agent / RequireAgentRequire agent-session claims.
requireDelegation / require_delegation / RequireDelegationRequire a delegation edge.
requireChainContains / require_chain_contains / RequireChainContainsRequire an application in the delegation chain.
maxHopCount / max_hop_count / MaxHopCountCap delegation chain depth.
import { verify } from "@caracalai/identity";
const claims = await verify(token, {
issuer: "https://sts.example.com",
audience: "https://api.example.com",
zoneId: "zone_prod",
requiredScopes: ["tickets:read"],
requiredTargets: ["https://api.example.com/tickets"],
});

STS signing keysets are zone-scoped: every fetch hits {issuer}/.well-known/jwks.json?zone_id={zone} and is cached per issuer and zone. TypeScript verifiers use an in-memory JWKS cache by default. Build a cache explicitly when a resource server wants shorter local-development TTLs, a custom fetch implementation, or warmup during service boot.

import { createJwksCache, verify } from "@caracalai/identity";
const jwksCache = createJwksCache({ ttlMs: 300_000, fetchTimeoutMs: 5_000 });
await jwksCache.warm("https://sts.example.com", "zone_prod");
const claims = await verify(token, {
issuer: "https://sts.example.com",
audience: "https://api.example.com",
zoneId: "zone_prod",
jwksCache,
});

Go and Python identity packages also cache issuer JWKS metadata in memory. Python exposes warm_jwks(issuer, zone_id) for service boot; Go callers can warm the cache with GetJWKSContext(ctx, issuer, zoneID).

ErrorMeaning
TokenInvalidErrorSignature, issuer, audience, expiry, use, or claim validation failed.
ZoneInvalidErrorThe token zone did not match the expected zone.
ScopeInsufficientErrorA required scope is missing.
AgentIdentityRequiredErrorThe verifier requires an agent identity.
DelegationRequiredErrorThe verifier requires delegated authority.
ChainMismatchErrorThe delegation chain is missing a required application.
HopCountExceededErrorThe mandate exceeds the configured hop limit.

Use MCP Auth Transport when you also need revocation checks, reusable verifier defaults, bearer-header parsing, and safe debugging hints. Use the identity package directly when you are composing your own verifier or connector boundary.