Module hmac 

HMAC-SHA256 sign/verify for kid:hex tokens.

Token shape is <kid>:<hex-digest> where the digest is HMAC-SHA256(secret, kid || ":" || message). Verification is constant-time via ::hmac::Mac::verify_slice.

Enums

HmacVerifyError

Errors from hmac_verify. Backend callers map these onto EngineError::Validation(InvalidInput) at the trait boundary.

Functions

hmac_sign

HMAC-SHA256 signature over kid || ":" || message. Returns a kid:hex token.

hmac_verify

Verify a kid:hex token. Returns Ok(()) iff the digest matches secret over message. Constant-time comparison.