> ## Documentation Index
> Fetch the complete documentation index at: https://docs.xenarch.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Tokens

> Verify x402 access tokens issued after USDC payment — bearer token validation, expiration, and gate-scoped authorization for AI agents.

## Verify token

```
POST /v1/access-tokens/verify
```

Verify that an access token is valid for a specific site.

<RequestExample>
  ```bash theme={null}
  curl -X POST https://xenarch.dev/v1/access-tokens/verify \
    -H "X-Site-Token: st_abc123..." \
    -H "Content-Type: application/json" \
    -d '{"token": "eyJhbGciOiJIUzI1NiJ9..."}'
  ```
</RequestExample>

<ResponseExample>
  ```json 200 theme={null}
  {
    "valid": true
  }
  ```
</ResponseExample>

## Token format

Access tokens are HMAC-SHA256 signed payloads: `base64url(payload).base64url(signature)`.

The payload contains:

* `gate_id` — the gate this token was issued for
* `site_id` — the site the gate belongs to
* `exp` — expiration timestamp (default: 30 minutes after issuance)

## Local verification

Publishers can verify tokens locally without calling the API. The Python SDK provides this:

```python theme={null}
from xenarch.token import verify_access_token

result = verify_access_token(
    token="eyJhbGciOiJIUzI1NiJ9...",
    site_id="your-site-uuid",
    secret="your_access_token_secret",
)

if result:
    print(f"Valid — gate: {result['gate_id']}")
else:
    print("Invalid or expired")
```

The middleware (`XenarchMiddleware` and `require_payment` decorator) handles this automatically.
