arnes/spec/sdd/components/token-service.md
rikrdo 3ff9b70e4c refactor: complete bootstrap of ARNES agent harness framework
- Add complete agent harness structure with 8 roles (leader, triager, architect, implementer, reviewer, security, qa, documenter)
- Implement strict workflow with 9 stages and mandatory gates
- Add comprehensive verification script and runtime status tracking
- Create artifact-based evidence system with contracts and schemas
- Add agent policy matrix with permissions and anti-cheat rules
- Include test suite (44 tests passing) and CI-ready structure
- Add documentation: README, HOWTO, CHECKPOINTS, templates
- Configure model routing policies and token-aware task assignment
- Add BDD/SDD specification guides and feature templates
- Include starter pack for quick project onboarding

All verification checks pass. Framework ready for production use.
2026-05-17 23:25:35 +02:00


# TokenService Component

## Purpose

Generate, validate, and manage JWT tokens.

## Public API

### Methods

#### `create_access_token(user: User) -> str`

Generate a new JWT access token.

Parameters:

- `user`: User object with `id`, `email`, `role`

Returns: JWT token string

Token claims:

```
{
  "sub": user.id,
  "email": user.email,
  "role": user.role,
  "iat": current_timestamp,
  "exp": current_timestamp + 900,  # 15 min
  "jti": uuid4()
}
```

#### `create_refresh_token(user: User) -> str`

Generate a new refresh token.

Returns: JWT refresh token (7-day expiration)

#### `verify_token(token: str) -> TokenPayload`

Validate and decode a JWT token.

Parameters:

- `token`: JWT token string

Returns: `TokenPayload` with claims

Raises:

- `ExpiredSignatureError`: Token expired
- `InvalidTokenError`: Token invalid/malformed

#### `revoke_token(token_id: str, user_id: str) -> bool`

Mark a token as revoked in the session store.

Parameters:

- `token_id`: JWT `jti` claim
- `user_id`: User ID

Returns: `True` if revoked


## Configuration

```python
ACCESS_TOKEN_EXPIRE = 900  # 15 minutes
REFRESH_TOKEN_EXPIRE = 604800  # 7 days
ALGORITHM = "HS256"  # or RS256 with key pair
SECRET_KEY = os.getenv("JWT_SECRET")
```

## Security

- Tokens include a unique `jti` claim for revocation tracking
- Short access token duration minimizes the theft window
- Refresh tokens stored in Redis for fast revocation