Struct AccessToken 

pub struct AccessToken {
    pub version: u32,
    pub package_fingerprint: String,
    pub expires_at: u64,
    pub secret: SecretValue,
}

A bearer access token authorizing unattended consumption of one package (§7.2). Bound to its package by package_fingerprint, time-boxed by expires_at, and proven by secret (whose BLAKE3 matches the token_commitment sealed inside the package payload).

Debug is safe: secret is a SecretValue (redacted); the fingerprint and expiry are not secrets.

Fields

version: u32

Schema version.

package_fingerprint: String

Full BLAKE3 hex of the package’s sealed bytes — binds this token to exactly one package.

expires_at: u64

Expiry (Unix seconds) — equals the package expires_at.

secret: SecretValue

The random token secret (factor 2). Serialized into the token artifact (which IS this credential), never into the package.

Implementations

impl AccessToken

pub fn to_bytes(&self) -> Result<Vec<u8>, CoreError>

Serialize the token to its artifact bytes (JSON). This file IS the bearer credential — deliver it over a channel separate from the package.

pub fn from_bytes(bytes: &[u8]) -> Result<Self, CoreError>

Parse a token artifact produced by AccessToken::to_bytes.

Trait Implementations

impl Debug for AccessToken

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for AccessToken

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for AccessToken

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.