# `Mailglass.Compliance.Unsubscribe`
[🔗](https://github.com/szTheory/mailglass/blob/v1.0.0/lib/mailglass/compliance/unsubscribe.ex#L1)

Core unsubscribe token and URL service for RFC 8058 flows.

Tokens carry only the `delivery_id`. Verification tries the current
compliance endpoint/secret first, then each configured previous raw secret
to survive `secret_key_base` rotation without breaking in-flight links.

# `verify_result`

```elixir
@type verify_result() ::
  {:ok, %{delivery_id: String.t()}} | {:error, :expired | :invalid}
```

# `sign_token`
*since 0.2.0* 

```elixir
@spec sign_token(String.t()) :: binary()
```

Signs a delivery-only unsubscribe token with the current endpoint/secret.

# `unsubscribe_url`
*since 0.2.0* 

```elixir
@spec unsubscribe_url(String.t(), map()) :: String.t()
```

Builds the canonical unsubscribe URL for a delivery.

Raises `%Mailglass.ConfigError{}` before returning if the generated URL
exceeds 900 bytes.

# `verify_token`
*since 0.2.0* 

```elixir
@spec verify_token(binary()) :: verify_result()
```

Verifies an unsubscribe token against the current endpoint first and then any
configured previous raw secrets.

---

*Consult [api-reference.md](api-reference.md) for complete listing*