pub trait BearerVerifier: Send + Sync {
    // Required method
    fn verify<'life0, 'life1, 'async_trait>(
        &'life0 self,
        bearer_token: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<VerifiedClaims, VerifyError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;
}

Verification port for incoming bearer tokens.

Implementations swap the cryptographic backend without altering the
caller’s surface. The production [super::JwtVerifier] verifies
PAS-issued JWTs against a TTL-cached JWKS; the test-support
[super::MemoryBearerVerifier] returns canned
VerifiedClaims values keyed by the bare token string.

verify is async because the production adapter performs
stale-on-failure JWKS refresh inside the verify path, and any
future 3rd-party adapter is free to make HTTP calls. Caller
middleware that needs synchronous semantics wraps the call in
tokio::block_on; the port itself stays uniformly async.

The single bearer_token parameter mirrors the M38 transport-blind
invariant: the engine never reaches into request framing, and
neither does the SDK port. Consumer middleware extracts the bare
token before calling.
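
One way consumer middleware might extract the bare token before calling verify, assuming the transport is an HTTP Authorization header parsed strictly against the RFC 6750 grammar. This is an added example, not code from this crate; extract_bearer_token and ExtractError are hypothetical names, and the header values in main are constructed.

```rust
/// Why a header value was refused before it reached the verifier (hypothetical type).
#[derive(Debug, PartialEq, Eq)]
pub enum ExtractError {
    WrongScheme, // scheme is not "Bearer" (compared case-insensitively)
    Empty,       // scheme present but no credentials follow it
    Malformed,   // credentials do not match the b64token grammar
}

/// Extract the bare token from an HTTP `Authorization` header value
/// (assumed transport), following RFC 6750: "Bearer" 1*SP b64token.
pub fn extract_bearer_token(header_value: &str) -> Result<&str, ExtractError> {
    // Split the auth scheme from the credentials at the first space.
    let (scheme, rest) = header_value.split_once(' ').unwrap_or((header_value, ""));
    if !scheme.eq_ignore_ascii_case("Bearer") {
        return Err(ExtractError::WrongScheme);
    }
    // 1*SP: further spaces may separate the scheme and the token.
    let token = rest.trim_start_matches(' ');
    if token.is_empty() {
        return Err(ExtractError::Empty);
    }
    // b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    // Trailing whitespace, a second token or control bytes all fail this check,
    // so only a single well-formed token is ever handed to the verifier.
    let body = token.trim_end_matches('=');
    let body_ok = !body.is_empty()
        && body.bytes().all(|b| b.is_ascii_alphanumeric() || b"-._~+/".contains(&b));
    if !body_ok {
        return Err(ExtractError::Malformed);
    }
    Ok(token)
}

fn main() {
    // Constructed header values, not captured traffic.
    for h in ["Bearer abc.def.ghi", "bearer  tok==", "Basic dXNlcg==", "Bearer a b", "Bearer"] {
        println!("{h:?} -> {:?}", extract_bearer_token(h));
    }
}
```

The returned slice is what the middleware would pass as bearer_token; anything that fails extraction is rejected without invoking the verifier.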