SkillAgentSearch skills...

Paseto

PASETO (Platform-Agnostic SEcurity TOkens) for Node.js with no dependencies

GenerateConvertImprove

Install / Use

/learn @panva/Paseto
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

[!IMPORTANT] This project is now archived. It may get revived when v5 and v6 protocol versions get released and their underlying crypto becomes readily available in Web Cryptography API implementations across JavaScript runtimes.

paseto

PASETO: <strong>P</strong>latform-<strong>A</strong>gnostic <strong>SE</strong>curity <strong>TO</strong>kens for Node.js with no dependencies.

Supported Library Versions

| Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ | | ------------------------------------------------- | ----------------- | ------------------ | --------------- | | v3.x | Security Policy | ❌ | ❌ |

Implemented Protocol Versions

| | v1 | v2 | v3 | v4 | | -- | -- | -- | -- | -- | | local | ✅ | ❌ | ✅ | ❌ | | public | ✅ | ✅ | ✅ | ✅ |

Documentation

Usage

Installing paseto

npm install paseto

Usage

const paseto = require('paseto')

// Generic (all versions) APIs
const { decode } = paseto

// PASETO Protocol Version v1 specific API
const { V1 } = paseto // { sign, verify, encrypt, decrypt, generateKey }

// PASETO Protocol Version v2 specific API
const { V2 } = paseto // { sign, verify, generateKey }

// PASETO Protocol Version v3 specific API
const { V3 } = paseto // { sign, verify, encrypt, decrypt, generateKey }

// PASETO Protocol Version v4 specific API
const { V4 } = paseto // { sign, verify, generateKey }

// errors utilized by paseto
const { errors } = paseto

Producing tokens

const { V4: { sign } } = paseto

(async () => {
  {
    const token = await sign({ sub: 'johndoe' }, privateKey)
    // v4.public.eyJzdWIiOiJqb2huZG9lIiwiaWF0IjoiMjAyMS0wOC0wM1QwNTozOTozNy42NzNaIn3AW3ri7P5HpdakJmZvhqssz7Wtzi2Rb3JafwKplLoCWuMkITYOo5KNNR5NMaeAR6ePZ3xWUcbO0R11YLb02awO
  }
})()

Consuming tokens

const { V4: { verify } } = paseto

(async () => {
  {
    const payload = await verify(token, publicKey)
    // { sub: 'johndoe', iat: '2019-07-01T15:22:47.982Z' }
  }
})()

FAQ

Semver?

Yes. Everything that's either exported in the TypeScript definitions file or documented is subject to Semantic Versioning 2.0.0. The rest is to be considered private API and is subject to change between any versions.

How do I use it outside of Node.js

It is only built for Node.js environment versions >=16.0.0

panva

View profile

View on GitHub
GitHub Stars494
CategoryDevelopment
Updated8d ago
Forks30
panva/paseto

Languages

JavaScript

Security Score

100/100

Audited on Mar 23, 2026

No findings