Module validate


The single RS256 decode primitive shared by every JWT validation path.

Request-context middleware, session validation, hook-token validation, and the OAuth/MCP/agent domains all route through decode_rs256_claims. The kid lookup, RS256 enforcement, and the exp/nbf/issuer/audience policy live here and nowhere else, so the validators cannot drift apart. The only per-call knob is ValidationPolicy.

Federated subject-token verification (token-exchange) is deliberately not a caller: it resolves keys from an external issuer’s JWKS rather than this deployment’s signing authority, so it is a genuinely different operation.

Structs

ValidationPolicy
The claim checks applied on top of the always-on signature, RS256, and kid enforcement. An empty audiences slice disables the aud check.

Constants

JWT_LEEWAY_SECONDS
Clock-skew tolerance (seconds) for exp/nbf/iat. Pinned explicitly so deployments see the value in review rather than inheriting the jsonwebtoken default.
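
The claim-policy behaviour described for ValidationPolicy and JWT_LEEWAY_SECONDS, as an added std-only sketch that is not this crate's code: it shows how a leeway shifts the exp/nbf boundaries and how an empty audience list turns the aud check off. The names Claims, Policy, Reject and check_claims, their fields, and the leeway value of 60 are assumptions made for illustration; signature, RS256 and kid enforcement are taken as already done.

```rust
// Added sketch, std only. Type and field names are assumptions, not this crate's API.
#[derive(Debug, PartialEq)]
enum Reject { Expired, NotYetValid, WrongIssuer, WrongAudience }

// Claims as they would look after signature, RS256 and kid checks have passed.
struct Claims<'a> { iss: &'a str, aud: &'a [&'a str], exp: u64, nbf: u64 }

// Hypothetical per-call policy: expected issuer, accepted audiences, skew tolerance.
struct Policy<'a> { issuer: &'a str, audiences: &'a [&'a str], leeway: u64 }

fn check_claims(c: &Claims<'_>, p: &Policy<'_>, now: u64) -> Result<(), Reject> {
    // exp: the token stays acceptable until exp + leeway.
    if now > c.exp.saturating_add(p.leeway) {
        return Err(Reject::Expired);
    }
    // nbf: the token becomes acceptable from nbf - leeway.
    if c.nbf > now.saturating_add(p.leeway) {
        return Err(Reject::NotYetValid);
    }
    if c.iss != p.issuer {
        return Err(Reject::WrongIssuer);
    }
    // An empty accepted-audience list skips the aud check entirely.
    let aud_ok = p.audiences.is_empty()
        || c.aud.iter().any(|a| p.audiences.iter().any(|w| w == a));
    if aud_ok { Ok(()) } else { Err(Reject::WrongAudience) }
}

fn main() {
    // Constructed sample values.
    let token = Claims { iss: "https://issuer.example", aud: &["billing"], exp: 950, nbf: 0 };
    let strict = Policy { issuer: "https://issuer.example", audiences: &["api"], leeway: 60 };
    let open = Policy { issuer: "https://issuer.example", audiences: &[], leeway: 60 };
    println!("{:?}", check_claims(&token, &strict, 1000)); // rejected: audience mismatch
    println!("{:?}", check_claims(&token, &open, 1000));   // accepted: aud not checked
    println!("{:?}", check_claims(&token, &open, 1011));   // rejected: past exp + leeway
}
```

Because an empty list accepts a token minted for any audience, a review of call sites should confirm that each caller passing one does so deliberately.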

Functions

decode_rs256_claims