Build a signed ES256 JWT client assertion (RFC 7523) for OAuth client authentication: iss/sub = client id, aud = the token endpoint.
Build a signed ES256 JWT carrying the given claims, using the supplied PKCS#8 EC P-256 private key (PEM). This is the general access-token sibling of makeClientAssertion: the payload is assembled with Json (so string claims are JSON-escaped, never interpolated) and string claims are rejected up front if they contain control characters, reusing the same injection-hardening.
Sign data with ECDSA P-256 / SHA-256 (the JWS ES256 algorithm) using the given PKCS#8 EC private key (PEM), returning the raw 64-byte R||S signature.
The OAuth client_assertion_type for a JWT bearer client assertion.
A general-purpose set of JWT claims for an ES256 access token, as a typed alternative to hand-concatenating JSON. Unlike makeClientAssertion (which is fixed to RFC 7523 client-assertion shape with iss==sub==clientId), this lets the issuer, subject, audience and scope vary independently. String claims are populated into the payload via Json, so they are escaped rather than interpolated. Empty iss/aud/sub/scope/kid are omitted; the time claims (iat/nbf/exp) are emitted only when non-zero.