Sep45Auth
Represents a parsed SEP-45 authentication token (JWT).
This class parses JWT tokens returned from Stellar SEP-45 authentication endpoints and exposes standard JWT claims and SEP-45 specific claims. It performs lenient parsing: if the JWT is malformed, it returns a Sep45AuthToken with only the raw token string populated, allowing graceful degradation in applications.
Standard JWT Claims (RFC 7519)
issuer: Issuer (iss) - the authentication server's domain
account: Subject (sub) - the authenticated contract account ID (C... address)
issuedAt: Issued At (iat) - Unix timestamp when token was created
expiresAt: Expiration Time (exp) - Unix timestamp when token expires
SEP-45 Specific Claims
clientDomain: Client domain for domain-signed authentication
Differences from SEP-10 AuthToken
account is always a contract address (C...) instead of G.../M... addresses
No memo support (contract accounts don't use memos)
No jti claim (not required by SEP-45)
Security Considerations
This parser does NOT verify JWT signatures (per SEP-45 spec)
SEP-45 clients receive signed tokens over HTTPS and use them as bearer tokens
Signature verification is the server's responsibility
Always validate token expiry using isExpired before use
Example Usage
// Parse token
val authToken = Sep45AuthToken.parse(jwtString)
// Check expiry
if (authToken.isExpired()) {
println("Token expired at epoch ${authToken.expiresAt}")
return
}
// Access claims
val contractId = authToken.account // "CCONTRACT..."
println("Authenticated by: ${authToken.issuer}")
// Use token in API calls (SEP-24, SEP-31, SEP-6, etc.)
val apiResponse = httpClient.get(endpoint) {
headers {
append("Authorization", "Bearer $authToken") // Uses toString()
}
}Graceful Error Handling
If parsing fails (malformed JWT), a Sep45AuthToken is returned with:
token: The original JWT string (preserved)
All other properties: defaults (empty strings, 0 for timestamps)
This allows applications to decide how to handle invalid tokens.