feat(tokens): expose signed JWT on client token response

[AdirAmsalem]

What

tokens.create() now surfaces the server-issued signed JWT as token, alongside the existing opaque api_key.

Why

The JWT carries the same authorization context as the opaque key but can be verified offline against the public JWKS, so gateways can authenticate client tokens by signature instead of round-tripping to a verify endpoint on every connection. The opaque api_key is unchanged and remains the default; token is optional and is simply omitted (None) when signing isn't available — so this is fully backward compatible.

Usage

client = DecartClient(api_key=os.getenv("DECART_API_KEY"))
token = await client.tokens.create()

token.api_key  # "ek_..."                — opaque key (online verify)
token.token    # "eyJhbGciOiJFZERTQS..." — signed JWT (offline JWKS verify), may be None

---

Note

Low Risk
Additive response field with optional parsing only; no request or auth flow changes in the SDK.

Overview
tokens.create() now returns an optional token on CreateTokenResponse — a signed JWT from the API’s token field, alongside the unchanged opaque api_key.

The client maps data.get("token") into the model (defaults to None when signing isn’t returned), so existing callers stay compatible. Docs and the create-token example note offline JWKS verification; tests cover missing vs present JWT in responses.

^{Reviewed by Cursor Bugbot for commit 91ae552. Bugbot is set up for automated code reviews on this repo. Configure here.}