generate
Create a short-lived access token (JWT).
In plain words: we stamp who you are (subject), who the token is for (audience), when it was made (iat), when it expires (exp), and—if available—the fingerprint of your browser key (cnf.jkt) to tie the token to you.
Return
the signed JWT as a compact string
Parameters
subject
the user id as a string
email
copied into a readable claim for convenience (not used for security decisions)
jwk
optional key thumbprint to bind the token to a DPoP key