Fluid Framework token primitives · Gleam

One seal for every Fluid document token.

signet is the shared implementation of Fluid document-token handling — HS256 minting, constant-time verification, and strict claim validation. One codebase your whole stack signs against, instead of three copies drifting apart.

Pure Gleam · no FFI · gleam_crypto HMAC-SHA256

Three copies. One seal.

The same Fluid document token was minted and verified in three places — each stack carrying its own subtly different code, free to drift. signet is the single implementation they now share, consolidated perLevee ADR-007.

  • spillway/jwt
  • floodgate/auth
  • levee_auth/token
signetone codebase

Mint, verify, validate.

Three movements, kept deliberately separate. Sign a token; check its signature in constant time; then check the claims against the request — in the order the spec requires.

  1. 01

    Mint

    Build a strict HS256 token with typed scopes and a random jti.

    mint_token(tenant, doc, scopes, user, secret, now, ttl)
  2. 02

    Verify

    Constant-time HMAC check, then parse the payload into TokenClaims.

    verify_signature(token, secret) -> Result(TokenClaims, _)
  3. 03

    Validate

    Expiry → tenant → document → scope. Errors carry their own HTTP code.

    validate_write_access(claims, tenant, doc, now)
authorize.gleam
import signet/jwt
import signet/types.{DocWrite}

pub fn authorize(token, secret, tenant, doc, now) {
  case jwt.verify_signature(token, secret) {
    Ok(claims) -> jwt.validate_write_access(claims, tenant, doc, now)
    Error(_) -> Error(jwt.MissingClaim("signature"))
  }
}

Press the seal yourself.

A real signet token, minted and verified in your browser with the Web Crypto API — the same HS256, the same strict validation order, the same error messages. Change a scope, tamper with the payload, expire it, and watch validation respond.

01

Mint

Sign a document token with a secret.

Scopes
02

Verify & validate

Check the signature, then the claims.

Required access
Break it:
signet tokenheader·payload·signature

Add it by commit.

signet isn't on Hex. You pin a commit in gleam.toml, so mint and verify stay byte-for-byte reproducible across every stack that depends on it.

Read the quickstart
gleam.toml
[dependencies]
signet = { git = "https://github.com/tylerbutler/signet.git", ref = "6ea697d3d1d6…" }