Module setup_code 

HMAC-SHA256 bearer-token issuer.

agent pair start builds a JSON TokenClaims blob, signs it with the secret in ~/.nexo/secret/pairing.key, and ships b64u(claims) + "." + b64u(sig) to the companion. The companion presents this as a Bearer token to the daemon’s gateway, which verifies HMAC + expiry.

Structs

SetupCodeIssuer

Functions

decode_setup_code

Inverse of encode_setup_code for the companion side.

encode_setup_code

Encoded form: b64url(JSON({url, bootstrap_token, expires_at})). QR-friendly: short, URL-safe, no padding.

token_device_label

Convenience: reads the device_label from an unverified token payload. Used by the companion to label the persisted session file without needing the HMAC secret (the daemon verifies the signature on its side).

token_expires_at

Convenience: returns the expires_at as a UTC timestamp.