Readonlyintenttrue when the mechanism's intent signal is an explicit application-
layer construction (e.g. a DPoP proof header). false when the
signal can be an ambient transport artifact (e.g. an mTLS cert
injected by a reverse proxy regardless of client intent).
ReadonlykindReturn a TokenBinding of this mechanism's kind, null when the
intent signal is absent, or throw a structured error when the signal
is present but the proof / cert is invalid. The thrown value MAY
carry a code: string field matching /^[a-z][a-z0-9_]*$/ — that
code is forwarded as the OAuth error field of the 400 response.
Errors without a snake_case code fall back to
invalid_<kind>_proof so infrastructure-layer codes (e.g. Node
ECONNREFUSED) do not leak through the public error envelope.
One concrete binding mechanism (DPoP, mTLS, etc.). See Wave 2 Token-binding Cluster spec §4.7.