Struct DesignationBuilder 

pub struct DesignationBuilder { /* private fields */ }

Builder for adding designation blocks to capability tokens.

Designations are standard Biscuit attenuation blocks that narrow the scope of a capability token by specifying which specific object/resource instance the token applies to. Unlike prefix restrictions (which required third-party blocks), designations use regular append-only blocks and do not require a signing key.

Example

use hessra_cap_token::DesignationBuilder;
use hessra_token_core::PublicKey;

let attenuated = DesignationBuilder::from_base64(token, public_key)?
    .designate("tenant_id".to_string(), "t-123".to_string())
    .designate("user_id".to_string(), "u-456".to_string())
    .attenuate_base64()?;

Implementations

impl DesignationBuilder

pub fn new(token: Vec<u8>, public_key: PublicKey) -> Self

Create a new DesignationBuilder from raw token bytes.

Arguments

• token - The binary token data
• public_key - The public key to verify the token

pub fn from_base64( token: String, public_key: PublicKey, ) -> Result<Self, TokenError>

Create a new DesignationBuilder from a base64-encoded token string.

Arguments

• token - The base64-encoded token string
• public_key - The public key to verify the token

pub fn designate(self, label: String, value: String) -> Self

Add a designation (label, value) pair to narrow the token’s scope.

Each designation adds a check if designation(label, value) to the token, requiring the verifier to provide matching designation(label, value) facts.

Arguments

• label - The designation dimension (e.g., “tenant_id”, “user_id”, “region”)
• value - The specific value for this dimension (e.g., “t-123”, “u-456”, “us-east-1”)

pub fn attenuate(self) -> Result<Vec<u8>, TokenError>

Attenuate the token with all accumulated designations.

Returns the attenuated token as binary bytes.

pub fn attenuate_base64(self) -> Result<String, TokenError>

Attenuate the token and return as a base64-encoded string.