The opaque credential presented by the connecting client.
The authenticated peer's room, id, role, and optional metadata.
Configured via SignalingServerOptions.auth. The server passes the
token extracted from the incoming WebSocket upgrade request (query string or
Authorization header). Resolve to an AuthPayload to admit the peer;
reject (throw) to deny it — the connection is then closed with
CloseCode.PolicyViolation and CloseReason.AuthFailed, and an
auth_errors metric is emitted. This is the single trust boundary for the
server: room membership, role, and metadata are all derived from what this
function returns, so it must not be omitted in production.
Application-supplied hook that verifies a client's connection token and resolves the peer's identity.