Whether the token lists the given resource among its audiences (RFC 8707). The spec (basic/authorization §Access Token Privilege Restriction) requires servers to "reject tokens that do not include them in the audience claim", so an empty audience does NOT satisfy the binding: a token must explicitly name resource to be treated as issued for this server.
Whether the token grants the named scope.
A convenience constructor for a rejected token.
the audiences the token was issued for (RFC 8707)
the full claim set, for handler inspection
the scopes the token grants
the authenticated principal (token sub), if any
true when the token is genuine, unexpired, and trusted
The result of validating a bearer access token. A token validator returns this to the transport: valid gates the request, scopes/subject/claims describe the principal and are surfaced to tool handlers via RequestContext.auth, and audience lets the transport enforce the RFC 8707 resource binding ("tokens were issued specifically for them").