2. Base token
The token is self-contained: rights, cryptographic signature, and revocation ID are all embedded.
3. Attenuate
Offline-capable — attenuation only requires the token itself, no private key. You can only remove permissions, never add.
Write your own Datalog check — try with a wrong IP:
4. Attenuated token
A new block is appended, cryptographically linked to the original — the token grows but stays self-contained.
5. Revoke
Each token has a unique revocation ID. The server can blacklist it to instantly reject
this specific token — without invalidating others issued by the same authority.
4. Try it
The server verifies the token offline — only the public key is needed, no database or auth server call.
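The block chain from steps 3 to 5 and the offline check above, as an added Go example (not this demo's code and not the wire format or API of any real token library): each block is signed with the previous block's key and names the key that verifies the next one. Assumptions: the names `NewKeys`, `Mint`, `Attenuate`, `RevocationID` and `Verify` are hypothetical, a plain IP restriction stands in for a Datalog check, and the block signature is used as the revocation ID.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Simplified model with hypothetical names; AllowIP stands in for a Datalog check.
type Block struct {
	AllowIP string            // "" means no IP restriction
	NextPub ed25519.PublicKey // verifies the block appended after this one
	Sig     []byte            // over AllowIP || NextPub; assumed to serve as revocation ID
}
type Token struct {
	Blocks []Block
	Proof  ed25519.PrivateKey // ephemeral key matching the last NextPub
}

func appendBlock(t Token, signer ed25519.PrivateKey, ip string) Token {
	pub, priv, _ := NewKeys() // fresh ephemeral pair for every block
	sig := ed25519.Sign(signer, append([]byte(ip), pub...))
	return Token{append(append([]Block{}, t.Blocks...), Block{ip, pub, sig}), priv}
}
// Mint needs the root private key; Attenuate needs only the token itself.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(nil) }
func Mint(root ed25519.PrivateKey) Token                      { return appendBlock(Token{}, root, "") }
func Attenuate(t Token, ip string) Token                      { return appendBlock(t, t.Proof, ip) }
func RevocationID(b Block) string                             { return fmt.Sprintf("%x", b.Sig) }

// Verify uses only the root public key and a local revocation set.
func Verify(t Token, root ed25519.PublicKey, ip string, revoked map[string]bool) bool {
	key := root
	for _, b := range t.Blocks {
		msg := append([]byte(b.AllowIP), b.NextPub...)
		if len(b.NextPub) != ed25519.PublicKeySize || !ed25519.Verify(key, msg, b.Sig) ||
			revoked[RevocationID(b)] || // blacklisted by the server
			(b.AllowIP != "" && b.AllowIP != ip) { // every block's check must pass
			return false
		}
		key = b.NextPub
	}
	return len(t.Blocks) > 0 && len(t.Proof) == ed25519.PrivateKeySize && // holder owns last key
		string(ed25519.NewKeyFromSeed(t.Proof.Seed())[32:]) == string(key)
}

func main() {
	pub, priv, _ := NewKeys()
	fmt.Println(Verify(Attenuate(Mint(priv), "10.0.0.7"), pub, "192.0.2.1", nil)) // false
}
```

Dropping the attenuation block does not restore the wider rights: the holder only has the private key for the last block, so the shortened chain fails the final ownership check.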