pub async fn verify(token: &str, expected: TokenType) -> Option<TokenDetails>
Verifies a token of the EXPECTED type against its owner’s public key.
Reads the sub claim unverified as a routing hint ONLY, fetches that user’s
authoritative public key from the directory, re-verifies the signature, and
requires the claimed token_type to match expected — so an access token
can never be replayed where a refresh token is required (or vice-versa).
Returns None for any failure — unknown user, missing key, bad signature,
or wrong type — so callers cannot distinguish failure modes (existence
masking). Always hits the DB for the current key, so a rotated/cleared key
takes effect immediately (no stale-key window).
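
The flow described above as a synchronous sketch. This is an added example, not this crate's code. Assumptions: the `sub.type.sig` token layout, the in-memory `Directory`, and the `issue` and `toy_sign` helpers are hypothetical, and `toy_sign` is a keyed std hash standing in for the real public-key signature check.

```rust
use std::collections::{hash_map::DefaultHasher, HashMap};
use std::hash::{Hash, Hasher};

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum TokenType { Access, Refresh }

#[derive(Debug, PartialEq)]
pub struct TokenDetails { pub sub: String, pub token_type: TokenType }

/// Hypothetical directory: user -> current key (None = key cleared).
pub type Directory = HashMap<String, Option<u64>>;

/// STAND-IN for a signature: a keyed std hash, NOT cryptography.
pub fn toy_sign(key: u64, payload: &str) -> String {
    let mut h = DefaultHasher::new();
    (key, payload).hash(&mut h);
    format!("{:016x}", h.finish())
}

/// Builds a constructed "sub.type.sig" token for the demo.
pub fn issue(key: u64, sub: &str, ty: &str) -> String {
    let payload = format!("{}.{}", sub, ty);
    format!("{}.{}", payload, toy_sign(key, &payload))
}

pub fn verify(dir: &Directory, token: &str, expected: TokenType) -> Option<TokenDetails> {
    let (payload, sig) = token.rsplit_once('.')?;
    // Unverified read: `sub` only selects which key to fetch.
    let (sub, claimed) = payload.split_once('.')?;
    // Looked up on every call, so rotation or clearing applies at once.
    let key = (*dir.get(sub)?)?;
    // Nothing in the payload is trusted until the signature checks out.
    if toy_sign(key, payload) != sig { return None; }
    let token_type = match claimed {
        "access" => TokenType::Access,
        "refresh" => TokenType::Refresh,
        _ => return None,
    };
    // Type binding: an access token is rejected where refresh is expected.
    if token_type != expected { return None; }
    Some(TokenDetails { sub: sub.to_string(), token_type })
}

fn main() {
    let mut dir = Directory::new();
    dir.insert("alice".to_string(), Some(7)); // constructed sample user
    let t = issue(7, "alice", "access");
    println!("{:?}", verify(&dir, &t, TokenType::Access));
}
```

Every rejection path returns the same `None`, so a caller sees no difference between an unknown user, a cleared key, a bad signature and a wrong token type.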