pub fn verify(
token: &[u8],
expected_pubkey: Option<&[u8; 32]>,
) -> Result<AgentClaims, TokenError>Expand description
Parse + verify a token’s signature and expiry.
If expected_pubkey is provided, the token’s embedded issuer must match.
Otherwise the token is verified against its own embedded issuer (still
cryptographically sound — an attacker can’t forge a signature without the
secret key — but callers should pin a pubkey when possible).