Skip to main content

TokenVerifyError

pas_external

Enum TokenVerifyError 

Source 
pub enum TokenVerifyError {

Show 13 variants    InvalidFormat,
    SignatureInvalid,
    Expired,
    IssuerInvalid,
    AudienceInvalid,
    MissingClaim(&'static str),
    KeysetUnavailable,
    SessionVersionStale,
    SessionVersionLookupUnavailable,
    SessionRevoked,
    SessionLivenessLookupUnavailable,
    IdTokenAsBearer,
    Other(String),

}

Variants§

§

InvalidFormat

Bearer string did not parse as a JWS Compact serialization. Adapter-side reject before engine entry.

§

SignatureInvalid

Cryptographic signature verification failed (engine M16).

§

Expired

exp claim is in the past (engine M19).

§

IssuerInvalid

iss did not match super::VerifyConfig::issuer (engine M23). The engine does not expose the actual value because the failed match means we cannot trust any payload field — the SDK surfaces just “issuer invalid” and the audit log carries the caller’s expected value alongside this variant.

§

AudienceInvalid

aud did not match super::VerifyConfig::audience (engine M21/M22).

§

MissingClaim(&'static str)

A required claim was absent or malformed.

§

KeysetUnavailable

JWKS fetch failed and there is no usable cached snapshot (initial bootstrap failure or with_initial constructed with an empty key set). Distinct from SignatureInvalid so audit logs distinguish “we couldn’t even attempt verification” from “verification failed.”

§

SessionVersionStale

Engine check_epoch rejected: token’s sv claim is below the authoritative substrate’s current value. Break-glass / LogoutAll just kicked this token (RFC §3 Row 3 + STANDARDS_AUTH_INVALIDATION §2.3). Distinct from Expired (which is exp-bound) — the caller’s UX response is the same (re-authenticate) but audit logs distinguish revocation from natural expiry.

Surfaces only when the consumer wired JwtVerifier::with_epoch_revocation at boot. With no port wired, the engine’s epoch gate short-circuits and this variant is unreachable.

§

SessionVersionLookupUnavailable

Engine check_epoch could not reach its substrate (cache miss fell through to fetcher; fetcher returned transient error). Fail-closed per STANDARDS_AUTH_INVALIDATION §3 — admit-on- failure would let stale tokens slip during outage windows. Caller’s HTTP response should be 503 Service Unavailable.

Surfaces only when the consumer wired JwtVerifier::with_epoch_revocation at boot.

§

SessionRevoked

Phase 11.Z 0.10.0 (RFC_2026-05-08 §4.2 lock) — L2 session liveness reject. The token’s sid claim resolved to a row that is absent OR revoked_at is set. Distinct from SessionVersionStale (L1 sv-axis): L2 is consumer-DB row revocation; L1 is cross-service break-glass propagation. Caller’s HTTP response is 401 and the browser cookie clears (the LogoutAll/per-session-revoke flow’s actionable signal).

Surfaces only when the consumer wired JwtVerifier::with_session_liveness at boot AND the token carries a sid claim. Tokens without sid (machine credentials, AI-agent flows, R6 legacy admit per super::VerifiedClaims::session_id) admit without consulting the L2 port (lenient — RFC_2026-05-08 §4.2 lock).

§

SessionLivenessLookupUnavailable

Phase 11.Z 0.10.0 — L2 session liveness substrate could not answer (DB connection lost, schema unavailable, query timeout). Fail-closed per STANDARDS_AUTH_INVALIDATION §3 — admit-on- failure would let post-revoke tokens slip through during outage windows. Caller’s HTTP response should be 503 Service Unavailable. Distinct from SessionVersionLookupUnavailable (L1) so audit dashboards pivot L1 substrate health vs L2 substrate health independently.

Surfaces only when the consumer wired JwtVerifier::with_session_liveness at boot.

§

IdTokenAsBearer

M73 — id_token presented as a Bearer token. RFC 9068 §1 (negative)

  • OIDC Core §1.2 intent: id_tokens authenticate the user to the RP; access_tokens authorize the RP to the resource server. The two are not interchangeable. Many 3rd-party RPs misuse id_token for API access — the SDK’s BearerVerifier surface is for resource servers, so an id_token-shaped JWT here is always wrong.

Distinct from SignatureInvalid (which is the engine’s catch-all for “token cannot be trusted”) so audit logs distinguish a developer-misuse signal (“you’re sending the wrong token class”) from a forgery signal (“the signature didn’t verify”). Rejected BEFORE engine entry so the audit log does not get the same signal masked by TypMismatch → SignatureInvalid collapsing.

§

Other(String)

Catch-all for engine variants that don’t map to a structural SDK rejection. Carries the engine’s AuthError Display so the audit log retains the M-code.

Trait Implementations§

Source§

impl Clone for VerifyError

Source§

fn clone(&self) -> VerifyError

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for VerifyError

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more
Source§

impl Display for VerifyError

Source§

fn fmt(&self, __formatter: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more
Source§

impl Error for VerifyError

1.30.0 · Source§

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any. Read more
1.0.0 · Source§

fn description(&self) -> &str

👎Deprecated since 1.42.0:

use the Display impl or to_string()

Read more
1.0.0 · Source§

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0:

replaced by Error::source, which can support downcasting

Source§

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports. Read more
Source§

impl PartialEq for VerifyError

Source§

fn eq(&self, other: &VerifyError) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Eq for VerifyError

Source§

impl StructuralPartialEq for VerifyError

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T> ToStringFallible for T
where T: Display,

Source§

fn try_to_string(&self) -> Result<String, TryReserveError>

ToString::to_string, but without panic on OOM.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more