# `MobileIdToken`
[🔗](https://github.com/metacircu1ar/mobile_id_token/blob/main/lib/mobile_id_token.ex#L1)

Verifies mobile OAuth `id_token` JWTs issued by Apple and Google.

`verify/3` is the provider-agnostic entrypoint. It delegates to
`MobileIdToken.Apple` and `MobileIdToken.Google`.

# `provider`

```elixir
@type provider() :: :apple | :google
```

# `verify_error`

```elixir
@type verify_error() ::
  :invalid_token
  | :missing_kid
  | :jwk_not_found
  | :invalid_signature
  | :invalid_issuer
  | :missing_client_id
  | :invalid_audience
  | :token_expired
  | :invalid_claims
  | :email_not_verified
  | :invalid_nonce
  | :jwks_unavailable
  | :unsupported_provider
```

# `verify_opts`

```elixir
@type verify_opts() :: [
  client_ids: [String.t()] | String.t(),
  nonce: String.t() | nil
]
```

Verification options.

- `:client_ids` - accepted `aud` values (list, comma-separated string, or single string)
- `:nonce` - expected nonce (Apple expects this to be present; Google allows `nil`)

The library does not read host app env vars directly; pass resolved client IDs explicitly.

# `verify`

```elixir
@spec verify(provider(), String.t(), verify_opts()) ::
  {:ok, map()} | {:error, verify_error()}
```

Verifies an OAuth `id_token` for the given provider.

## Examples

    iex> MobileIdToken.verify(:google, token, client_ids: ["my-client-id"])
    {:ok, claims}

    iex> MobileIdToken.verify(:apple, token, client_ids: ["com.example.app"], nonce: "abc123")
    {:ok, claims}

---

*Consult [api-reference.md](api-reference.md) for complete listing*