diff --git a/resources/tokenisation/minter/token_validate.lua b/resources/tokenisation/minter/token_validate.lua
--- a/resources/tokenisation/minter/token_validate.lua
+++ b/resources/tokenisation/minter/token_validate.lua
#
+-- VID-11 Token validator
#
+-- Validate a token against the requested path (and the client making the request) and deny access if validation fails.
#
+local require = require
#
+local sha256 = require "lib.sha256"
#
+local function mint_token(path,expires,ip,secret)
#
+ local mint = {path,expires,ip}
#
+ local mintstr = table.concat(mint,':')
#
+ return sha256.hmac_sha256(secret,mintstr)
#
+local function denyaccess(reason)
#
+ ngx.header['X-Fail-Reason'] = reason
#
+-- Use same static values as were used to mint the origin token
#
+vidpath = string.sub(ngx.var.uri,2)
#
+ip = ngx.var.remote_addr
#
+secret = ngx.var.secret
#
+-- ngx.header['X-Tk-Debug'] = 'Validating for ip ' .. ip .. ' and path ' .. vidpath
#
+local provided = ngx.var.arg_t
#
+local expires = tonumber(ngx.var.arg_e)
#
+if provided == nil or expires == nil
#
+ denyaccess('Missing Token')
#
+-- ngx.header['X-Tk-Timings'] = 'Now: ' .. now .. ' Expiry: ' .. expires
#
+ denyaccess('Token Expired')
#
+local nowtok = mint_token(vidpath,expires,ip,secret)
#
+-- ngx.header['X-tk-vals'] = "Provided " .. provided .. " Calc " .. nowtok
#
+ denyaccess('Token Invalid')
