The gap
PASETO is a "secure alternative to JWT" — no algorithm-confusion footguns, versioned
protocols, sensible defaults. On Node, the reference implementation was panva/paseto.
In March 2025 it was archived read-only. The maintained libraries that remain are v4-only
and don't implement PASERK — the companion standard for serializing, wrapping, and sealing
keys.So there was no maintained JS library that covered both PASETO and full PASERK. That's
the gap paseto-kit fills.What's in it
- PASETO v4 — XChaCha20 + BLAKE2b (local), Ed25519 (public)
- PASETO v3 — the NIST/FIPS-friendly profile: P-384 / AES-256-CTR / HMAC-SHA384
- Full PASERK (all 11 types, per version):
local/public/secretserialization,lid/pid/sidkey IDs,local-wrap/secret-wrap, password wrapping with Argon2id (v4) and PBKDF2 (v3), andseal(X25519 / P-384 ECDH)- Registered-claims validation (
exp,nbf,iss,aud,sub) with clock tolerance- Runtime-agnostic — one build for Node, Deno, Bun, browsers, edge. No
node:imports, noBuffer; justUint8Array+ WebCrypto's CSPRNG, on the audited@noble/*primitivesUsing it
import { generateKeyPair, sign, verify } from 'paseto-kit'; const { secretKey, publicKey } = generateKeyPair(); const token = sign(secretKey, { role: 'admin' }); const { payload } = verify(publicKey, token);Need the NIST profile? Everything's mirrored under a
v3namespace, with distinct key types
so a v4 key can never be used on a v3 token:import { v3 } from 'paseto-kit'; const key = v3.generateLocalKey(); v3.decrypt(key, v3.encrypt(key, { sub: 'u1' }), { validate: { exp: true } });On correctness
Crypto libraries earn trust by being boring and verifiable. paseto-kit implements no novel
cryptography — it assembles audited primitives per spec, and it's tested against the official
PASETO and PASERK test vectors, including theexpect-failcases (e.g. non-canonical
base64url, which must be rejected to prevent token malleability).Honest caveat: it's pre-1.0 and has not had an independent third-party security audit.
Review it before production use, and file issues — especially on the crypto.npm:
npm install paseto-kit· repo: https://github.com/Elalitareq/paseto-kit
For further actions, you may consider blocking this person and/or reporting abuse
Top comments (0)