## NUC Token Delegation and Subscription Management Tutorial

This notebook demonstrates the process of interacting with the NilAuth service to manage subscriptions and prepare for NUC token operations.

**Steps:**

1.  **Import Libraries:** Import necessary classes and functions from `nuc`, `cosmpy`, `secp256k1`, and standard Python libraries.
2.  **Load Keys:** Define functions to load or generate the Nilchain wallet (`cosmpy`) private key and the NilAuth (`secp256k1`) private key. These keys are currently hardcoded for demonstration purposes. **Note:** Hardcoding keys is insecure for production environments.
3.  **Initialize Keys and Wallet:** Call the functions to get the `NilAuthPrivateKey` (`builder_private_key`) and the `cosmpy` wallet and keypair. Print the wallet address.
4.  **Configure Nilchain Connection:** Set up the `NetworkConfig` for connecting to the Nillion devnet.
5.  **Connect to Ledger:** Create a `LedgerClient` instance using the network configuration.
6.  **Query Balance:** Check and print the `unil` balance of the initialized wallet on the Nillion Chain.
7.  **Initialize NilAuth Client:** Create a `NilauthClient` instance, connecting to the local NilAuth service endpoint.
8.  **Initialize Payer:** Create a `Payer` object, configuring it with the Nilchain wallet, chain details, and gRPC endpoint. This object will be used to pay for transactions like subscriptions.
9.  **Check Subscription Status:** Use the `NilauthClient` and the builder's private key to check the current subscription status associated with the key.
10. **Pay for Subscription (if necessary):**
    *   If the key is not currently subscribed, use the `nilauth_client.pay_subscription` method along with the `Payer` object to pay for a new subscription on the Nillion Chain.
    *   If already subscribed, print the time remaining until expiration and renewal availability.

In [1]:
# %% Import necessary libraries
from nuc.payer import Payer
from nuc.builder import NucTokenBuilder
from nuc.nilauth import NilauthClient, BlindModule
from nuc.envelope import NucTokenEnvelope
from nuc.token import Command, Did, InvocationBody, DelegationBody
from nuc.validate import (
    NucTokenValidator,
    ValidationParameters,
    InvocationRequirement,
    ValidationException,
)
from cosmpy.crypto.keypairs import PrivateKey as NilchainPrivateKey
from cosmpy.aerial.wallet import LocalWallet
from cosmpy.aerial.client import LedgerClient, NetworkConfig
from secp256k1 import PrivateKey as NilAuthPrivateKey
import base64
import datetime


# %% Define functions to load keys (replace with secure loading in production)
def get_wallet():
    """Loads the Nilchain wallet private key and creates a wallet object."""
    # IMPORTANT: Hardcoding private keys is insecure. Use environment variables or a secrets manager.
    keypair = NilchainPrivateKey("l/SYifzu2Iqc3dsWoWHRP2oSMHwrORY/PDw5fDwtJDQ=")
    print(f"Nilchain Private Key (bytes): {keypair.private_key}")
    print(f"Nilchain Public Key (bytes): {keypair.public_key}")
    wallet = LocalWallet(
        keypair, prefix="nillion"
    )  # Nillion uses the 'nillion' address prefix
    return wallet, keypair


def get_private_key():
    """Loads the NilAuth private key used for signing NUC tokens."""
    # IMPORTANT: Hardcoding private keys is insecure. Use environment variables or a secrets manager.
    private_key = NilAuthPrivateKey(
        base64.b64decode("l/SYifzu2Iqc3dsWoWHRP2oSMHwrORY/PDw5fDwtJDQ=")
    )
    return private_key


# %% Initialize keys and wallet
# This key will be used to sign NUC tokens later (e.g., the root token from NilAuth or delegated tokens)
builder_private_key = get_private_key()

# This wallet is used for interacting with the Nillion Chain (e.g., paying subscriptions)
wallet, keypair = get_wallet()
address = wallet.address()
print(f"Paying for wallet: {address}")

# %% Configure and connect to Nillion Chain
cfg = NetworkConfig(
    chain_id="nillion-chain-devnet",
    url="grpc+http://localhost:26649",  # Nillion Chain gRPC endpoint
    fee_minimum_gas_price=1,
    fee_denomination="unil",  # The currency used for fees
    staking_denomination="unil",  # The currency used for staking
)
ledger_client = LedgerClient(cfg)

# %% Query wallet balance
balances = ledger_client.query_bank_balance(address, "unil")
print(f"Wallet balance: {balances} unil")

# %% Initialize NilAuth Client and Payer
print("[>] Creating nilauth client")
# Connect to the NilAuth service which issues root NUC tokens
nilauth_client = NilauthClient("http://localhost:30921")  # NilAuth service endpoint

print("[>] Creating payer")
# The Payer object bundles wallet details needed to pay for chain transactions
payer = Payer(
    wallet_private_key=keypair,
    chain_id="nillion-chain-devnet",
    grpc_endpoint="http://localhost:26649",  # Nillion Chain gRPC endpoint for the payer
    gas_limit=1000000000000,  # Gas limit for transactions
)

# %% Check and manage NilAuth subscription
# Check if the builder_private_key is associated with an active subscription
subscription_details = nilauth_client.subscription_status(
    builder_private_key.pubkey, BlindModule.NILAI
)
print(f"IS SUBSCRIBED: {subscription_details.subscribed}")

# If not subscribed, pay for one
if not subscription_details.subscribed:
    print("[>] Paying for subscription")
    nilauth_client.pay_subscription(
        pubkey=builder_private_key.pubkey,  # The key to associate the subscription with
        payer=payer,  # The payer object to execute the transaction
        blind_module=BlindModule.NILAI,
    )
else:
    # If already subscribed, print details
    print("[>] Subscription is already paid for")
    now = datetime.datetime.now(datetime.timezone.utc)
    print(f"EXPIRES IN: {subscription_details.details.expires_at - now}")
    # Note: Renewal might only be possible within a certain window before expiry
    print(f"CAN BE RENEWED IN: {subscription_details.details.renewable_at - now}")

Nilchain Private Key (bytes): l/SYifzu2Iqc3dsWoWHRP2oSMHwrORY/PDw5fDwtJDQ=
Nilchain Public Key (bytes): <cosmpy.crypto.keypairs.PublicKey object at 0x109efb920>
Paying for wallet: nillion1mqukqr7d4s3eqhcxwctu7yypm560etp2dghpy6
Wallet balance: 999999996000000 unil
[>] Creating nilauth client
[>] Creating payer
IS SUBSCRIBED: False
[>] Paying for subscription


## Requesting and Preparing NUC Tokens

This section focuses on obtaining the initial NUC token (the "root" token) from NilAuth and preparing for delegation by generating a new key pair.

**Steps:**

1.  **Request Root Token:** Use the `nilauth_client` (initialized earlier) and the `builder_private_key` (which has an active subscription) to request a root NUC token from the NilAuth service. This token grants the initial set of permissions associated with the `builder_private_key`.
2.  **Print Root Token:** Display the raw, encoded string representation of the obtained root token.
3.  **Display Builder Keys:** Print the raw private key bytes and the hex-encoded public key of the `builder_private_key` for reference. This is the key that *owns* the root token.
4.  **Generate Delegated Key Pair:** Create a completely *new* `NilAuthPrivateKey` instance. This key pair (`delegated_key` and its corresponding public key) will represent the entity *receiving* delegated permissions from the root token.
5.  **Display Delegated Keys:** Print the raw private key bytes and the hex-encoded public key of the newly generated `delegated_key`.
6.  **Parse Root Token:** Convert the raw `root_token` string into a structured `NucTokenEnvelope` object using `NucTokenEnvelope.parse()`. This allows programmatic access to the token's claims and structure.
7.  **Print Parsed Envelope:** Display the `NucTokenEnvelope` object, showing its parsed structure.

In [2]:
# %% Request Root Token from NilAuth
# Use the key associated with the subscription to request the base NUC token
root_token = nilauth_client.request_token(
    key=builder_private_key, blind_module=BlindModule.NILAI
)
print(f"Root Token (raw string): {root_token}")

# %% Display Builder Key Details (Owner of Root Token)
print(f"Builder Private Key (bytes): {builder_private_key.serialize()}")
print(f"Builder Public Key (hex): {builder_private_key.pubkey.serialize().hex()}")

# %% Generate a New Key Pair for Delegation Target
# This key pair will be the recipient of the delegated permissions
delegated_key = NilAuthPrivateKey()
print(f"Delegated Private Key (bytes): {delegated_key.serialize()}")
print(f"Delegated Public Key (hex): {delegated_key.pubkey.serialize().hex()}")

# %% Parse the Root Token String into an Object
# Parsing allows easier access to token attributes and structure
root_token_envelope = NucTokenEnvelope.parse(root_token)
print(f"Root Token Envelope (parsed object): {root_token_envelope}")

Root Token (raw string): eyJhbGciOiJFUzI1NksifQ.eyJpc3MiOiJkaWQ6bmlsOjAzNTIwZTcwYmQ5N2E1ZmE2ZDcwYzYxNGQ1MGVlNDdiZjQ0NWFlMGIwOTQxYTFkNjFkZGQ1YWZhMDIyYjk3YWIxNCIsImF1ZCI6ImRpZDpuaWw6MDMwOTIzZjJlNzEyMGM1MGU0MjkwNWI4NTdkZGQyOTQ3ZjZlY2NlZDZiYjAyYWFiNjRlNjNiMjhlOWUyZTA2ZDEwIiwic3ViIjoiZGlkOm5pbDowMzA5MjNmMmU3MTIwYzUwZTQyOTA1Yjg1N2RkZDI5NDdmNmVjY2VkNmJiMDJhYWI2NGU2M2IyOGU5ZTJlMDZkMTAiLCJleHAiOjE3NDk3MjgxNDksImNtZCI6Ii9uaWwvYWkiLCJwb2wiOltdLCJub25jZSI6IjYzNDc1YzkyZjE3ZTZlMjgwMWRkZGNlYzFjYjcwNmFlIiwicHJmIjpbXX0.oKd_heCtzZr6sh-q8fqZOXL3rsxvy1gROugUMIEefRJXyBhtSA4YWrK9xHQlprCHIF0dlWSGN_y68D3Fi1OU4g
Builder Private Key (bytes): 97f49889fceed88a9cdddb16a161d13f6a12307c2b39163f3c3c397c3c2d2434
Builder Public Key (hex): 030923f2e7120c50e42905b857ddd2947f6ecced6bb02aab64e63b28e9e2e06d10
Delegated Private Key (bytes): a3c69fe94746509d4b44d213b582e72f3e891568cd8004725ada12d4b139db8a
Delegated Public Key (hex): 03dda3f7bba93edddf6659660e69f14653cdb8c56b8a7253a22d914ac3cfffc6aa
Root Token Envelope (parsed

## Creating a Delegated NUC Token

Now that we have the root token and a key pair for the intended recipient, we create a new NUC token that delegates specific permissions from the root token holder (`builder_private_key`) to the recipient (`delegated_key`).

**Steps:**

1.  **Initialize Builder:** Start building a new token using `NucTokenBuilder.extending()`, passing the previously parsed `root_token_envelope`. This signifies that the new token derives its authority from the root token.
2.  **Set Body (Delegation):** Specify the token's body using `.body()`. Here, `DelegationBody(policies=[])` indicates this is a delegation token. Policies could further restrict the delegation, but none are added in this example.
3.  **Set Audience:** Define the recipient of this delegated token using `.audience()`. We pass a `Did` (Decentralized Identifier) object created from the *public key* of the `delegated_key` generated in the previous step. This means only the holder of `delegated_key`'s private key can use this token effectively for further actions (like creating an invocation).
4.  **Specify Command:** Grant permission to execute a specific command using `.command()`. Here, `Command(["nil", "ai", "generate"])` authorizes the audience (the holder of `delegated_key`) to perform the `nil ai generate` action. Multiple commands could be listed.
5.  **Build and Sign:** Finalize the token creation and sign it using `.build()`. Crucially, the signing key here is `builder_private_key` – the private key corresponding to the issuer of the *root* token, proving its authority to delegate.
6.  **Print Delegated Token:** Display the raw, encoded string representation of the newly created delegated token.
7.  **Parse Delegated Token:** Convert the raw `delegated_token` string into a structured `NucTokenEnvelope` object.
8.  **Print Parsed Envelope:** Display the `delegated_token_envelope` object to show its structure, including the specified audience and command.

In [3]:
# %% Create the Delegated Token
# Use the NucTokenBuilder to create a new token based on the root token
delegated_token = (
    NucTokenBuilder.extending(
        root_token_envelope
    )  # Start from the root token's authority
    .body(
        DelegationBody(policies=[])
    )  # Mark as a delegation token (no specific policies here)
    .audience(
        Did(delegated_key.pubkey.serialize())
    )  # Set the recipient to the delegated public key
    .command(
        Command(["nil", "ai", "generate"])
    )  # Authorize the 'nil ai generate' command
    .build(
        builder_private_key
    )  # Sign the delegation using the *root* token's private key
)

# Print the resulting delegated token string
print(f"Delegation Token (raw string): {delegated_token}")

# %% Parse the Delegated Token String into an Object
delegated_token_envelope = NucTokenEnvelope.parse(delegated_token)

# Print the parsed object to see its structure
print(f"Delegated Token Envelope (parsed object): {delegated_token_envelope}")

Delegation Token (raw string): eyJhbGciOiJFUzI1NksifQ.eyJpc3MiOiAiZGlkOm5pbDowMzA5MjNmMmU3MTIwYzUwZTQyOTA1Yjg1N2RkZDI5NDdmNmVjY2VkNmJiMDJhYWI2NGU2M2IyOGU5ZTJlMDZkMTAiLCAiYXVkIjogImRpZDpuaWw6MDNkZGEzZjdiYmE5M2VkZGRmNjY1OTY2MGU2OWYxNDY1M2NkYjhjNTZiOGE3MjUzYTIyZDkxNGFjM2NmZmZjNmFhIiwgInN1YiI6ICJkaWQ6bmlsOjAzMDkyM2YyZTcxMjBjNTBlNDI5MDViODU3ZGRkMjk0N2Y2ZWNjZWQ2YmIwMmFhYjY0ZTYzYjI4ZTllMmUwNmQxMCIsICJjbWQiOiAiL25pbC9haS9nZW5lcmF0ZSIsICJwb2wiOiBbXSwgIm5vbmNlIjogIjE4OTg4ODcxMjk2YTRmN2NkNTliYzgyNGNhNWY2NDc4IiwgInByZiI6IFsiNmRkNTlhYmU4Y2ZiMTJmYmQ1MzFiODdkMmIxYmIwYzY1N2NjMGNjMjgyYTIyMzAzMjk0MWE1ZWU2YmYzMzVhOSJdfQ.WfukyFvrLOQIs7sAYkrkg2BnhJKSLTYJGlPxxHl8nHg6s92_eyOZaKcXAgTlL59YL98FciIGkxpCRIxc6wFVUA/eyJhbGciOiJFUzI1NksifQ.eyJpc3MiOiJkaWQ6bmlsOjAzNTIwZTcwYmQ5N2E1ZmE2ZDcwYzYxNGQ1MGVlNDdiZjQ0NWFlMGIwOTQxYTFkNjFkZGQ1YWZhMDIyYjk3YWIxNCIsImF1ZCI6ImRpZDpuaWw6MDMwOTIzZjJlNzEyMGM1MGU0MjkwNWI4NTdkZGQyOTQ3ZjZlY2NlZDZiYjAyYWFiNjRlNjNiMjhlOWUyZTA2ZDEwIiwic3ViIjoiZGlkOm5pbDowMzA5MjNmMmU3MTIwYzUwZTQyOTA1Yjg1N2RkZ

## Creating an Invocation NUC Token

This final step creates the token that will actually be sent to the target service (e.g., Nilai API) to authorize a specific action. This is called an "invocation" token. It uses the permissions granted by the `delegated_token` and targets a specific service endpoint.

**Steps:**

1.  **Generate Placeholder Target Key:** Create a *new* `NilAuthPrivateKey` instance (`nilai_public_key`). **WARNING:** In a real application, you would **fetch the actual public key of the service you want to call** (e.g., from a discovery endpoint like `/v1/public_key` on the Nilai API) instead of generating a new one here. This generated key acts as a placeholder for the target service's identity in this example.
2.  **Display Placeholder Keys:** Print the details of this placeholder key pair.
3.  **Display Delegated Token:** Re-print the parsed `delegated_token_envelope` for context.
4.  **Initialize Invocation Builder:** Start building the invocation token using `NucTokenBuilder.extending()`, passing the `delegated_token_envelope`. This signifies the invocation derives its authority from the permissions granted in the delegation token.
5.  **Set Body (Invocation):** Specify the token's body using `.body()`. `InvocationBody(args={})` marks this as an invocation token. The `args` dictionary could contain specific parameters for the command being invoked, but it's empty here.
6.  **Set Audience (Target Service):** Define the intended recipient service using `.audience()`. We pass a `Did` created from the public key of the **placeholder** `nilai_public_key`. **Critically, in a real scenario, this MUST be the actual public key of the target service.** This ensures the token is only valid for that specific service instance.
7.  **Build and Sign:** Finalize the token creation and sign it using `.build()`. The signing key is `delegated_key` – the private key that *received* the permissions in the previous delegation step. This proves the caller is authorized by the delegation.
8.  **Print Invocation Token:** Display the raw, encoded string representation of the invocation token. This is the token you would typically send as an API key or Bearer token to the target service.

In [4]:
# %% Generate Placeholder Target Key (Replace with actual service key retrieval in practice)
# WARNING: This creates a random key. In a real scenario, fetch the target service's public key.
nilai_public_key = NilAuthPrivateKey()  # Placeholder for the target service's key

# Display the placeholder key details
print(f"Placeholder Target Private Key (bytes): {nilai_public_key.serialize()}")
print(
    f"Placeholder Target Public Key (hex): {nilai_public_key.pubkey.serialize().hex()}"
)

# Display the delegation token again for context
print(f"Delegated Token Envelope (used for invocation): {delegated_token_envelope}")

# %% Create the Invocation Token
# Use the NucTokenBuilder to create the token that calls the service
invocation = (
    NucTokenBuilder.extending(
        delegated_token_envelope
    )  # Start from the delegated token's authority
    .body(
        InvocationBody(args={})
    )  # Mark as an invocation token (no specific args here)
    .audience(
        Did(nilai_public_key.pubkey.serialize())
    )  # Set the target service (using placeholder key here)
    .build(delegated_key)  # Sign with the *delegated* private key
)

# Print the resulting invocation token string (this would be sent to the service)
print(f"Invocation Token (raw string): {invocation}")
print("--------------------------------")

Placeholder Target Private Key (bytes): 1366a4fb211fedaf9f35ed507caa5c1c69e7c12e05aac59004ee8af82c28f353
Placeholder Target Public Key (hex): 03557a9b7632c332967c9e49ef04b4eeee65f238a58e05123afd67c6440643ec45
Delegated Token Envelope (used for invocation): <nuc.envelope.NucTokenEnvelope object at 0x109db05c0>
Invocation Token (raw string): eyJhbGciOiJFUzI1NksifQ.eyJpc3MiOiAiZGlkOm5pbDowM2RkYTNmN2JiYTkzZWRkZGY2NjU5NjYwZTY5ZjE0NjUzY2RiOGM1NmI4YTcyNTNhMjJkOTE0YWMzY2ZmZmM2YWEiLCAiYXVkIjogImRpZDpuaWw6MDM1NTdhOWI3NjMyYzMzMjk2N2M5ZTQ5ZWYwNGI0ZWVlZTY1ZjIzOGE1OGUwNTEyM2FmZDY3YzY0NDA2NDNlYzQ1IiwgInN1YiI6ICJkaWQ6bmlsOjAzMDkyM2YyZTcxMjBjNTBlNDI5MDViODU3ZGRkMjk0N2Y2ZWNjZWQ2YmIwMmFhYjY0ZTYzYjI4ZTllMmUwNmQxMCIsICJjbWQiOiAiL25pbC9haS9nZW5lcmF0ZSIsICJhcmdzIjoge30sICJub25jZSI6ICJlY2I5ZmRlMDE1MDQyZTVlOWQ4YTAwNWIwN2EyMTUwOCIsICJwcmYiOiBbIjU1OTVhYmM3MjY4NTYzYjVjMWVkOWFjMzFmZmYwYmZkMzc0ZGY1ODE1YjI2OWZiOGUxMDg3OTllNzhkMWE1MDkiXX0.Z61s5nYqi_EJVWfl_VNHhw16oLELABuP1hhe4NIMr8JFGBk7fyvuToCFaWKGx6aBGR8wrLcLcC1qctZ

## Validating the NUC Token Chain

After creating the root, delegated, and invocation tokens, it's crucial to validate them to ensure they are correctly formed, properly signed, and that the chain of delegation is intact. Validation typically checks signatures, expiration times (if set), audience restrictions, and command permissions against a trusted root issuer (in this case, the NilAuth service).

**Steps:**

1.  **Get NilAuth Public Key:** Retrieve the public key of the NilAuth service itself using `nilauth_client.about().public_key.serialize()`. This key acts as the ultimate trust anchor for validating the token chain, as NilAuth issued the root token. Wrap it in a `Did` object.
2.  **Print NilAuth Public Key:** Display the retrieved NilAuth public key `Did`.
3.  **Parse Invocation Token:** Convert the raw `invocation` token string into a structured `NucTokenEnvelope` object.
4.  **Print Parsed Invocation Envelope:** Display the parsed invocation token object.
5.  **Print Proof Count:** Show the number of proofs (signatures) attached to the invocation envelope. An invocation token derived from a delegated token, which itself derived from a root token, should have multiple proofs forming a chain back to the root issuer.
6.  **Initialize Validator:** Create instances of `NucTokenValidator`. The validator needs a list of trusted root public keys. Here, we only trust the `nilauth_public_key`.
7.  **Validate Delegated Token:** Call `validator.validate()` on the `delegated_token_envelope`. This checks if it's correctly signed by the `builder_private_key` (whose authority ultimately comes from NilAuth) and if its structure is valid. (Note: The root token validation is commented out but would follow the same principle).
8.  **Prepare Invocation Validation Parameters:** Create `ValidationParameters` specifically for the invocation token.
    *   Set `token_requirements` to an `InvocationRequirement`.
    *   Crucially, set the `audience` within the `InvocationRequirement` to the **expected audience** (the placeholder `nilai_public_key.pubkey`'s `Did` in this example, but should be the actual target service's `Did` in practice). This tells the validator to specifically check if the token was intended for this recipient.
9.  **Validate Invocation Token:** Call `validator.validate()` on the `invocation_envelope` using the specific `validation_parameters`. This checks:
    *   The signature (must be signed by `delegated_key`).
    *   The chain of proofs back to the trusted `nilauth_public_key`.
    *   The audience matches the one specified in `validation_parameters`.
    *   Expiration, command permissions (implicitly checked based on delegation chain).

In [6]:
# %% Get the Public Key of the Root Issuer (NilAuth)
# The NilAuth service's public key is the ultimate trust anchor
nilauth_public_key = Did(nilauth_client.about().public_key.serialize())
print(f"Nilauth Public Key (Trust Anchor): {nilauth_public_key}")

# %% Parse the Invocation Token String into an Object
invocation_envelope = NucTokenEnvelope.parse(invocation)
print(f"Invocation Envelope (parsed object): {invocation_envelope}")

# An invocation token derived from a delegated token should have multiple proofs (signatures)
print(f"Invocation Envelope Token Proofs Count: {len(invocation_envelope.proofs)}")

# %% Validate the Tokens
# Initialize the validator with the trusted root public key(s)
validator = NucTokenValidator([nilauth_public_key])

# --- Root Token Validation (Optional - Commented Out) ---
# print("Validating Root Token Envelope...")
# try:
#     validator.validate(root_token_envelope)
#     print("Root Token is Valid.")
# except ValidationException as e:
#     print(f"Root Token Validation Failed: {e}")

# --- Delegated Token Validation ---
print("Validating Delegated Token Envelope...")
try:
    # Basic validation checks structure and signature relative to the root
    validator.validate(delegated_token_envelope, {})
    print("Delegated Token is Valid.")
except ValidationException as e:
    print(f"Delegated Token Validation Failed: {e}")

# --- Invocation Token Validation ---
print("Validating Invocation Envelope...")
try:
    # Prepare specific parameters for invocation validation
    default_parameters = ValidationParameters.default()
    # Tell the validator to check if the audience matches our (placeholder) target service key
    default_parameters.token_requirements = InvocationRequirement(
        audience=Did(
            nilai_public_key.pubkey.serialize()
        )  # Use actual service key DID here
    )
    validation_parameters = default_parameters

    # Validate the invocation token against the root and check specific requirements
    validator.validate(invocation_envelope, validation_parameters)
    print("Invocation Token is Valid (including audience check).")
except ValidationException as e:
    print(f"Invocation Token Validation Failed: {e}")
except Exception as e:
    print(f"An unexpected error occurred during invocation validation: {e}")

Nilauth Public Key (Trust Anchor): did:nil:03520e70bd97a5fa6d70c614d50ee47bf445ae0b0941a1d61ddd5afa022b97ab14
Invocation Envelope (parsed object): <nuc.envelope.NucTokenEnvelope object at 0x10b20a900>
Invocation Envelope Token Proofs Count: 2
Validating Delegated Token Envelope...
Delegated Token is Valid.
Validating Invocation Envelope...
Invocation Token is Valid (including audience check).
