pub fn verify_worker_bootstrap_token(
signer: &ClusterSigner,
token: &WorkerBootstrapToken,
) -> Result<WorkerBootstrapClaims>Expand description
Verify a token’s signature, domain tag, and expiry. The caller is
responsible for max_uses tracking (typically via the Raft FSM).
signer must be the ClusterSigner whose ClusterSigner::key_id
equals token.signer_kid — for in-grace keys, the caller should look up
the right signer via crate::load_signer_for_kid before calling this.
Returns the claims on success — caller checks jti/max_uses against
the usage counter.
§Errors
Returns SecretsError::Encryption with a human-readable reason on any
validation failure.