Top Related Projects
JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
Square’s meticulous HTTP client for the JVM, Android, and GraalVM.
Quick Overview
Paragonie/paseto is the PHP reference implementation of PASETO (Platform-Agnostic Security Tokens), an alternative to the JOSE standards (JWT, JWE, JWS) that provides a stateless token format for authentication and authorization. Each PASETO protocol version fixes its algorithms and offers exactly two purposes, local (symmetric encryption) and public (asymmetric signing), so there is no algorithm negotiation for an attacker to influence and far fewer ways for an integrator to misuse the library.
Pros
- Stronger security guarantees than JWT: the token header names only a version and a purpose, never an algorithm, so "alg: none" and key-confusion attacks have no foothold
- Simpler to implement correctly, reducing the risk of vulnerabilities
- Supports both local (symmetric, encrypted and authenticated) and public (asymmetric, signed) modes
- Built-in protection against common cryptographic attacks: every payload is authenticated, and the header, payload, footer and implicit assertion are bound together in the authenticated data so pieces cannot be swapped between tokens
Cons
- Less widely adopted compared to JWT
- May require additional effort to integrate with existing systems
- Limited language support compared to more established standards
- Potential compatibility issues with services expecting JWT
Code Examples
- Creating a local (symmetric) token:
use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Protocol\Version4;
$key = new SymmetricKey(random_bytes(32)); // 32-byte random key for v4.local; keep it secret and out of source control
$token = Builder::getLocal($key, new Version4)
->setIssuer('https://example.com')        // checked by the IssuedBy rule in the parsing example
->setIssuedAt()
->setExpiration(new \DateTime('+1 hour'))
->setClaims(['user_id' => 123])
->toString();
- Parsing and validating a token (same $key and Version4 as above; $tokenString is the string received from the client):
use ParagonIE\Paseto\Parser;
use ParagonIE\Paseto\Rules\IssuedBy;
use ParagonIE\Paseto\Rules\NotExpired;
$parser = Parser::getLocal($key, new Version4); // only v4.local tokens are accepted; any other header is rejected
$token = $parser
->addRule(new IssuedBy('https://example.com')) // fails unless the token's iss claim matches exactly
->addRule(new NotExpired())                    // fails once the exp claim has passed
->parse($tokenString);                         // throws a PasetoException on any validation or decryption failure
$userId = $token->getClaims()['user_id'];
- Creating a public (asymmetric) token and verifying it with the public key:
use ParagonIE\Paseto\Keys\AsymmetricPublicKey;
use ParagonIE\Paseto\Keys\AsymmetricSecretKey;
$secretKey = AsymmetricSecretKey::generate(new Version4); // Ed25519 signing key; stays with the issuer
$publicKey = $secretKey->getPublicKey();                  // AsymmetricPublicKey, safe to hand to verifiers
$token = Builder::getPublic($secretKey, new Version4)
->setIssuedAt()
->setExpiration(new \DateTime('+1 hour'))
->setClaims(['user_id' => 123])
->toString();
// Verifiers need only the public key; a v4.local token presented here is rejected by the header check.
$claims = Parser::getPublic($publicKey, new Version4)
->addRule(new NotExpired())
->parse($token)
->getClaims();
Getting Started
- Install the library using Composer:
composer require paragonie/paseto
- Generate a secure key (32 random bytes; never derive it from a password or commit it to source control):
use ParagonIE\Paseto\Keys\SymmetricKey;
$key = new SymmetricKey(random_bytes(32));
- Create and use tokens as shown in the code examples above.
- For more advanced usage and configuration options, refer to the official documentation at https://github.com/paragonie/paseto
Competitor Comparisons
JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
Pros of node-jsonwebtoken
- Widely adopted and well-established in the industry
- Extensive documentation and community support
- Simpler implementation for basic use cases
Cons of node-jsonwebtoken
- Older releases accepted whatever algorithm the token header named, including none, which allowed verification bypasses; jwt.verify should always be given an explicit algorithms allow-list
- Requires careful implementation to avoid common pitfalls (unpinned algorithms, unchecked exp/aud/iss claims, confusion between HMAC secrets and RSA public keys)
- Less secure than PASETO for certain use cases
Code Comparison
node-jsonwebtoken:
const jwt = require('jsonwebtoken');
const token = jwt.sign({ data: 'payload' }, 'secret', { expiresIn: '1h' }); // HS256 by default
// When verifying, pin the algorithm list; never let the token's alg header choose it:
const payload = jwt.verify(token, 'secret', { algorithms: ['HS256'] });
PASETO (the Node.js paseto package, not the PHP library this page describes):
const crypto = require('crypto');
const { V2 } = require('paseto');
const { privateKey } = crypto.generateKeyPairSync('ed25519'); // V2.sign produces v2.public (Ed25519); the spec now recommends v4
const token = await V2.sign({ data: 'payload' }, privateKey, { expiresIn: '1h' });
Key Differences
- PASETO offers stronger security guarantees by default: each protocol version fixes one cipher suite, with no optional modes to misconfigure
- node-jsonwebtoken produces JSON Web Tokens (header.payload.signature, with the algorithm named inside the header), while PASETO tokens are version.purpose.payload[.footer], with the algorithm implied by the version and purpose
- PASETO therefore cannot suffer algorithm substitution (alg: none, or an RSA public key reused as an HMAC secret); JWT verifiers must explicitly pin the algorithms they accept
Use Cases
- node-jsonwebtoken: Suitable for applications with simpler security requirements or those already using JWT
- PASETO: Ideal for applications requiring higher security standards or those starting fresh without legacy JWT dependencies
Community and Ecosystem
- node-jsonwebtoken: Larger community, more third-party integrations
- PASETO: Growing community, fewer integrations but gaining traction in security-conscious environments
JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
Pros of jose
- Wider adoption and ecosystem support
- Implements multiple standards (JWT, JWS, JWE, JWK)
- More comprehensive feature set for JSON Web Token operations
Cons of jose
- More complex API due to broader scope
- Potentially higher learning curve for developers
- May include unnecessary features for simpler use cases
Code Comparison
jose:
const jose = require('jose');
const { publicKey, privateKey } = await jose.generateKeyPair('ES256');
const token = await new jose.SignJWT({ 'urn:example:claim': true })
.setProtectedHeader({ alg: 'ES256' }) // the algorithm travels inside the token; the verifier must pin it
.setIssuedAt()
.setExpirationTime('2h')
.sign(privateKey);
// Verify with the algorithm list pinned rather than taken from the header:
const { payload } = await jose.jwtVerify(token, publicKey, { algorithms: ['ES256'] });
PASETO:
use ParagonIE\Paseto\Builder;
$token = Builder::getLocal($symmetricKey)
->setIssuedAt()
->setExpiration(new \DateTime('+2 hours'))
->setClaims(['urn:example:claim' => true])
->toString();
Summary
jose offers a more comprehensive solution for JSON Web Token operations, supporting multiple standards and providing a wider range of features. However, this comes at the cost of increased complexity and a steeper learning curve. PASETO, on the other hand, focuses on simplicity and security, offering a more straightforward API for token creation and validation. The choice between the two depends on specific project requirements and the desired balance between feature richness and simplicity.
Square’s meticulous HTTP client for the JVM, Android, and GraalVM.
Pros of OkHttp
- Widely adopted and battle-tested HTTP client for Android and Java applications
- Supports HTTP/2 (its older SPDY support has been removed)
- Extensive features including connection pooling, request/response caching, and automatic GZIP compression
Cons of OkHttp
- Focused solely on HTTP communication, not a security-specific library
- Requires additional configuration and implementation for advanced security features
- May have a steeper learning curve for developers new to HTTP client libraries
Code Comparison
OkHttp (HTTP request):
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
.url("https://api.example.com/data")
.build();
try (Response response = client.newCall(request).execute()) { // closing the response releases the connection
String body = response.body().string();
}
PASETO (token creation):
use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Protocol\Version4;
$key = new SymmetricKey(sodium_crypto_secretbox_keygen()); // 32 random bytes
$token = Builder::getLocal($key, new Version4) // version and purpose are fixed up front
->setIssuedAt()
->setExpiration(new \DateTime('+1 hour'))
->setClaims(['data' => 'example'])
->toString();
While both libraries serve different purposes, OkHttp excels in HTTP communication, whereas PASETO focuses on secure token creation and validation. OkHttp is more suitable for general-purpose networking tasks, while PASETO is specifically designed for implementing secure, stateless authentication mechanisms.
README
PASETO: Platform-Agnostic Security Tokens
Paseto (pəˈsɛtoʊ, paw-set-oh) is everything you love about JOSE (JWT, JWE, JWS) without any of the many design deficits that plague the JOSE standards.
This library is a reference implementation of PASETO in the PHP language. Please refer to the PASETO Specification for design considerations.
How to Use this Library
See the documentation.
The PASETO specification may also be useful for understanding why things are designed the way they are.
PASETO Extensions
PASERK
For key wrapping, serialization, and canonical identification, please see the PHP implementation of PASERK.
If you're not sure what that means, please refer to the PASERK specification.
Since PASERK is a PASETO extension, PASERK support is not automatically included with PASETO, but PASETO is bundled with PASERK.
Requirements
PHP PASETO Library Version 3
- Requires PHP 8.1 or newer.
- For v3 tokens, the GMP and OpenSSL extensions are required.
- For v4 tokens, the Sodium extension is strongly recommended (this library falls back to sodium_compat if it is not installed).
- PASETO Protocol versions: v3, v4
PHP PASETO Library Version 2
- Requires PHP 7.1 or newer.
- For v3 tokens, the GMP and OpenSSL extensions are required.
- For v4 tokens, the Sodium extension is strongly recommended (this library falls back to sodium_compat if it is not installed).
- PASETO Protocol versions: v1, v2, v3, v4
PHP PASETO Library Version 1
- Requires PHP 7.0 or newer.
- For v1 tokens, the OpenSSL extension is required.
- For v2 tokens, the Sodium extension is strongly recommended (this library falls back to sodium_compat if it is not installed).
- PASETO Protocol versions: v1, v2
Support Contracts
If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.