Fluid Framework token primitives · Gleam
signet is the shared implementation of Fluid document-token handling — HS256 minting, constant-time verification, and strict claim validation. One codebase your whole stack signs against, instead of three copies drifting apart.
The same Fluid document token was minted and verified in three places — each stack carrying its own subtly different code, free to drift. signet is the single implementation they now share, consolidated perLevee ADR-007.
spillway/jwtfloodgate/authlevee_auth/tokenThree movements, kept deliberately separate. Sign a token; check its signature in constant time; then check the claims against the request — in the order the spec requires.
Build a strict HS256 token with typed scopes and a random jti.
mint_token(tenant, doc, scopes, user, secret, now, ttl)Constant-time HMAC check, then parse the payload into TokenClaims.
verify_signature(token, secret) -> Result(TokenClaims, _)Expiry → tenant → document → scope. Errors carry their own HTTP code.
validate_write_access(claims, tenant, doc, now)import signet/jwt
import signet/types.{DocWrite}
pub fn authorize(token, secret, tenant, doc, now) {
case jwt.verify_signature(token, secret) {
Ok(claims) -> jwt.validate_write_access(claims, tenant, doc, now)
Error(_) -> Error(jwt.MissingClaim("signature"))
}
}A real signet token, minted and verified in your browser with the Web Crypto API — the same HS256, the same strict validation order, the same error messages. Change a scope, tamper with the payload, expire it, and watch validation respond.
signet isn't on Hex. You pin a commit in gleam.toml, so mint and verify stay byte-for-byte reproducible across every stack that depends on it.
[dependencies]
signet = { git = "https://github.com/tylerbutler/signet.git", ref = "6ea697d3d1d6…" }