Grants & Sharing
How Literal uses time-limited, revocable grants for consent-based document access.
Grants are Literal’s consent-based access model. A document holder can give a recipient or organization time-limited access to a specific encrypted document, then revoke that access later.
The application server stores grant records and routes the workflow, but it does not receive document plaintext or plaintext grant relationships.
What Is A Grant?
A grant is an encrypted access package created by a document holder for a specific recipient. It wraps the document’s encryption key for that recipient and binds the access to an expiration time.
The server stores encrypted grant payloads and opaque routing tokens. A database read does not reveal the recipient, the shared document, or the grantor-grantee relationship.
Grant Lifecycle
1. Create
The document holder creates an encrypted grant payload that wraps document access for the intended recipient.
2. Discover
Recipients scan for grants using ambiguous view tags. The server can return possible matches, but only the intended recipient can decrypt the real grant.
3. Claim
The recipient proves they can open the grant and submits a per-grant claim token.
4. Accept Or Deny
The document holder approves or rejects the claim.
5. Use
An active grant lets the recipient decrypt the document and, when allowed, add scoped search tokens.
6. Revoke Or Expire
Access can be revoked by the document holder, self-revoked by the recipient, or expired automatically.
Each claimed grant uses a per-grant claim token so revocation and cleanup can be scoped to that grant without relying on plaintext recipient identity.
See Grants Guide for the full state machine, status enum, claim-token design, and automatic-expiry behavior.
What The Application Server Sees
| The application server can see | It does not receive |
|---|---|
| An encrypted grant payload exists | The document plaintext |
| Ambiguous view tags | The plaintext recipient identity |
| Opaque claim tokens | The plaintext grantor-grantee relationship |
| Grant status and expiration time | The plaintext document relationship |
| Token equality and lifecycle transitions | The contents of the encrypted grant payload |
Sharing Between Document Holders And Organizations
A common KYC flow involves a document holder and an organization that needs to verify identity or eligibility.
- The organization requests access outside or inside the workflow.
- The document holder creates a grant for the requested document.
- The organization discovers and claims the grant.
- The document holder approves the claim.
- The organization verifies the document during the active grant window.
- Access expires or is revoked when no longer needed.
Control Boundaries
- Document holders decide which documents to share, with whom, and for how long.
- Organizations can verify authorized documents without receiving unrestricted access to a user’s broader document set.
- Literal’s application layer coordinates the exchange without receiving document plaintext or plaintext grant relationships.
Targeted grants require the recipient to prove possession of the expected key material before the grant can be claimed. This prevents another party from claiming a grant just because they discover it.
Related Concepts
- Zero-Knowledge Model — the trust-boundary foundation grants live inside.
- Document Lifecycle — how a document moves from upload through processing to becoming shareable.
- Key Hierarchy — the keys that wrap document access along a grant path.
- Encrypted Search — how shared documents become searchable for the recipient.
- Entities & Memberships — how organizations manage members and share documents at the group level.
- Blind Routing — how sensitive relationships are tokenized to prevent relationship mapping.
Last updated on