class Stytch::M2M

def authenticate_token(

The type of this field is +object+.
A map of custom claims present in the token.
custom_claims::
The type of this field is +String+.
The ID of the client that was issued the token
client_id::
The type of this field is list of +String+.
An array of scopes granted to the token holder.
scopes::
+nil+ if the token could not be validated, or an object with the following fields:
== Returns:
The type of this field is nilable +Integer+.
The tolerance to use during verification of the nbf claim. This can help with clock drift issues.
clock_tolerance_seconds:
documentation for +perform_authorization_check+ for more information.
scopes are either direct string matches or written in the form "action:resource". See the
A function to check if the token has the required scopes. This defaults to a function that assumes
scope_authorization_func::
The type of this field is nilable +Integer+.
The maximum possible lifetime in seconds for the token to be valid.
max_token_age::
The type of this field is nilable list of +String+.
A list of scopes the token must have to be valid.
required_scopes::
The type of this field is +String+.
The access token granted to the client. Access tokens are JWTs signed with the project's JWKs.
access_token::
== Parameters:

+authenticate_token+ validates a M2M JWT locally.
MANUAL(M2M::authenticate_token)(SERVICE_METHOD)
def authenticate_token(
  access_token:,
  required_scopes: nil,
  max_token_age: nil,
  scope_authorization_func: method(:perform_authorization_check),
  clock_tolerance_seconds: nil
)
  # Intentionally allow this to re-raise if authentication fails
  decoded_jwt = authenticate_token_local(access_token, clock_tolerance_seconds: clock_tolerance_seconds)
  iat_time = Time.at(decoded_jwt['iat']).to_datetime
  # Token too old
  raise JWTExpiredError if !max_token_age.nil? && (iat_time + max_token_age < Time.now)
  resp = marshal_jwt_into_response(decoded_jwt)
  unless required_scopes.nil?
    is_authorized = scope_authorization_func.call(
      has_scopes: resp['scopes'],
      required_scopes: required_scopes
    )
    raise M2MPermissionError.new(resp['scopes'], required_scopes) unless is_authorized
  end
  resp
end