Offline Verification

SilentAuth permits are RS256-signed JWTs. You can verify them using your project's RSA public key without any network request to the SilentAuth API — ideal for air-gapped environments, edge runtimes, or high-throughput pipelines where API latency is unacceptable.

Download Your Public Key

Retrieve the SPKI-formatted RSA public key for your project:

curl -H "Authorization: Bearer sk_live_xxx" \
  https://api.silentauth.io/v1/projects/{projectId}/public-key

# Returns:
{
  "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQ...\n-----END PUBLIC KEY-----",
  "algorithm": "RS256",
  "key_id": "key_abc123"
}

Store this key in an environment variable or file. It rotates infrequently — you can re-fetch it on startup and cache it for hours or days.

Verify Without Network (Node.js)

import * as jose from 'jose';

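const PUBLIC_KEY = process.env.SA_PUBLIC_KEY; // PEM string
const PROJECT_ID = process.env.SA_PROJECT_ID;

// Fail closed: jose skips the audience check when `audience` is undefined.
if (!PUBLIC_KEY || !PROJECT_ID) {
  throw new Error('SA_PUBLIC_KEY and SA_PROJECT_ID must be set');
}

const publicKey = await jose.importSPKI(PUBLIC_KEY, 'RS256');

async function verifyPermitOffline(token: string) {
  const { payload } = await jose.jwtVerify(token, publicKey, {
    algorithms: ['RS256'], // accept only the algorithm permits are signed with
    issuer:   'https://api.silentauth.io',
    audience: PROJECT_ID,
  });

  // jose rejects expired tokens automatically (exp claim)
  // payload.act   = action name
  // payload.prms  = parameters
  // payload.apv   = approver email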

  return payload;
}

Python (PyJWT)

import jwt
import os

public_key = os.environ['SA_PUBLIC_KEY']

def verify_permit_offline(token: str) -> dict:
    return jwt.decode(
        token,
        public_key,
        algorithms=['RS256'],
        issuer='https://api.silentauth.io',
        audience=os.environ['SA_PROJECT_ID'],
    )

Key Rotation

SilentAuth rotates project public keys periodically. Your cached key will continue to verify permits issued before rotation. Implement a fallback to re-fetch the key from the API if local verification fails, to handle rotation transparently.
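
One way to implement the re-fetch fallback described above, as an added example that is not SilentAuth's own code. It goes beyond the text by rate-limiting re-fetches, so forged permits cannot trigger an API call on every failure, and by keeping the previous key for permits issued before rotation. `fetch_key` is a hypothetical callable that returns the PEM from the public-key endpoint, and the 300-second cooldown is an assumed value.

```python
import os
import time


class BadSignature(Exception):
    """No cached key verified the signature (rotation, or a forged permit)."""


def pyjwt_decode(token, key):
    """Same PyJWT checks as the page's example; only signature failures are remapped."""
    import jwt  # PyJWT, imported lazily so the cache logic runs without it
    try:
        return jwt.decode(token, key, algorithms=['RS256'],
                          issuer='https://api.silentauth.io',
                          audience=os.environ['SA_PROJECT_ID'])
    except jwt.InvalidSignatureError as exc:
        raise BadSignature(str(exc)) from exc


class RotatingKeyVerifier:
    def __init__(self, fetch_key, decode=pyjwt_decode, cooldown=300.0,
                 clock=time.monotonic):
        self._fetch_key = fetch_key  # hypothetical: returns the PEM from the public-key endpoint
        self._decode = decode
        self._cooldown = cooldown    # assumed minimum seconds between re-fetches
        self._clock = clock
        self._keys = [fetch_key()]   # newest first; fetched once at startup
        self._last_fetch = clock()

    def _try_cached(self, token):
        error = None
        for key in self._keys:
            try:
                return self._decode(token, key)
            except BadSignature as exc:
                error = exc
        raise error

    def verify(self, token):
        try:
            return self._try_cached(token)
        except BadSignature:
            # Forged permits fail here too, so cap how often they can cause an API call.
            if self._clock() - self._last_fetch < self._cooldown:
                raise
            self._last_fetch = self._clock()
            fresh = self._fetch_key()
            if fresh in self._keys:
                raise  # no rotation happened: the permit is simply invalid
            self._keys = [fresh, self._keys[0]]  # keep the previous key for older permits
            return self._decode(token, fresh)
```

Expired permits and issuer or audience mismatches raise PyJWT's own exceptions and never cause a re-fetch, because only a signature failure can indicate a rotated key.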