Verify token

POST /v1/access-tokens/verify

Verify that an access token is valid for a specific site.

curl -X POST https://xenarch.dev/v1/access-tokens/verify \
  -H "X-Site-Token: st_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"token": "eyJhbGciOiJIUzI1NiJ9..."}'

{
  "valid": true
}

Token format

Access tokens are HMAC-SHA256 signed payloads: base64url(payload).base64url(signature). The payload contains:
  • gate_id — the gate this token was issued for
  • site_id — the site the gate belongs to
  • exp — expiration timestamp (default: 30 minutes after issuance)

Local verification

Publishers can verify tokens locally without calling the API. The Python SDK provides this:

from xenarch.token import verify_access_token

result = verify_access_token(
    token="eyJhbGciOiJIUzI1NiJ9...",
    site_id="your-site-uuid",
    secret="your_access_token_secret",
)

if result:
    print(f"Valid — gate: {result['gate_id']}")
else:
    print("Invalid or expired")

The middleware (XenarchMiddleware and require_payment decorator) handles this automatically.
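
To show what local verification involves for the base64url(payload).base64url(signature) format described under Token format, here is an added example; it is not the Xenarch SDK's code. It assumes the payload is JSON, that the HMAC-SHA256 is computed over the raw payload bytes, and that exp is a Unix timestamp in seconds; the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(segment: str) -> bytes:
    # base64url is often sent without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def mint_sample_token(payload: dict, secret: str) -> str:
    """Build a constructed test token in the assumed layout."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    sig = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    return f"{_b64url_encode(body)}.{_b64url_encode(sig)}"

def verify_token_locally(token, site_id, secret, now=None):
    """Return the payload dict if the token is valid for site_id, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")  # exactly two segments
        body = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    # Authenticate the bytes before parsing them; compare in constant time.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    # A token signed for another site must not be accepted here.
    if not isinstance(payload, dict) or payload.get("site_id") != site_id:
        return None
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return None  # a missing or malformed exp is treated as invalid
    if exp <= (time.time() if now is None else now):
        return None
    return payload
```

The signature is checked before the payload is parsed, so unauthenticated input never reaches the JSON decoder, and the site_id comparison is what stops a token issued for one site from being replayed against another.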