validateAndParse
Validate and read an access token.
What happens:
We check the signature against our public key and verify expected issuer/audience/expiry.
We then extract a few useful fields (user id, email, timestamps, and optional cnf.jkt binding).
Return
a simple Kotlin data object with the claims we care about
Parameters
token
the compact JWT string from the Authorization header
Throws
JWTVerificationException
if the token is invalid/expired
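
An added example, not the project's own code: one way to write a function matching the description above, assuming the Auth0 java-jwt library (suggested by JWTVerificationException) and RS256. The AccessClaims type, the publicKey parameter, the issuer/audience values and the explicit exp/sub presence checks are assumptions.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException
import java.security.KeyPairGenerator
import java.security.interfaces.RSAPrivateKey
import java.security.interfaces.RSAPublicKey
import java.time.Instant
import java.util.Date

// Hypothetical result type; the page only says "a simple Kotlin data object".
data class AccessClaims(
    val userId: String, val email: String?,
    val issuedAt: Instant?, val expiresAt: Instant, val jkt: String?,
)

// Assumed values: the page does not state the issuer or audience.
const val ISSUER = "https://auth.example.test"
const val AUDIENCE = "example-api"

@Throws(JWTVerificationException::class)
fun validateAndParse(token: String, publicKey: RSAPublicKey): AccessClaims {
    // The algorithm is fixed by the verifier, never taken from the token header,
    // so "none" or HS256 tokens fail verification.
    val jwt = JWT.require(Algorithm.RSA256(publicKey, null))
        .withIssuer(ISSUER)
        .withAudience(AUDIENCE)
        .build()
        .verify(token) // throws on bad signature, wrong iss/aud, or past exp
    // java-jwt only checks exp when it is present, so require it explicitly.
    val exp = jwt.expiresAt ?: throw JWTVerificationException("missing exp")
    val sub = jwt.subject ?: throw JWTVerificationException("missing sub")
    val jkt = jwt.getClaim("cnf").asMap()?.get("jkt") as? String // optional binding
    return AccessClaims(sub, jwt.getClaim("email").asString(),
        jwt.issuedAt?.toInstant(), exp.toInstant(), jkt)
}

fun main() {
    // Constructed key pair and token, for demonstration only.
    val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val token = JWT.create()
        .withIssuer(ISSUER).withAudience(AUDIENCE).withSubject("user-123")
        .withClaim("email", "alice@example.test")
        .withClaim("cnf", mapOf("jkt" to "constructed-thumbprint"))
        .withIssuedAt(Date()).withExpiresAt(Date(System.currentTimeMillis() + 60_000))
        .sign(Algorithm.RSA256(null, kp.private as RSAPrivateKey))
    println(validateAndParse(token, kp.public as RSAPublicKey))
}
```

Extracting cnf.jkt does not enforce the binding by itself; the caller still has to compare it with the thumbprint of the key the client proved possession of.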