# `Attesto.AuthorizationCode.Grant`
[🔗](https://github.com/XukuLLC/attesto/blob/v0.13.0/lib/attesto/authorization_code/grant.ex#L1)

The validated context a successfully redeemed authorization code yields.

`Attesto.AuthorizationCode.redeem/4` returns this struct once the code's
expiry, redirect URI, PKCE verifier, and DPoP binding have all checked
out. The host reads it to mint the access token (and, if it issues one,
the refresh token): `subject` and `scope` become the token's `sub` and
`scope`, `dpop_jkt` (when present) becomes the access token's `cnf.jkt`,
and `claims` carries any host context that rode along from the
authorization request.

## `family_id`

When the authorization request supplied a `:family_id` to
`Attesto.AuthorizationCode.issue/3`, it rides through to this struct so
the host can mint the refresh-token family with that id. Linking the
code to the family it spawns is what lets code-reuse detection revoke the
right descendants (OAuth 2.0 Security BCP §4.13): a store that tracks
reuse records this `family_id` at redemption and replays it if the code
is presented again. `nil` when no family id was supplied.

# `t`

```elixir
@type t() :: %Attesto.AuthorizationCode.Grant{
  claims: map(),
  client_id: String.t(),
  dpop_jkt: String.t() | nil,
  family_id: String.t() | nil,
  redirect_uri: String.t(),
  resource: [String.t()],
  scope: [String.t()],
  subject: String.t()
}
```

---

*Consult [api-reference.md](api-reference.md) for complete listing*