<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Guillermo Contreras</title>
    <description>The latest articles on DEV Community by Guillermo Contreras (@guillermo_contreras_07609).</description>
    <link>https://dev.to/guillermo_contreras_07609</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4023342%2F929b6161-b932-43df-82a6-a9c2fb9a3a5a.jpg</url>
      <title>DEV Community: Guillermo Contreras</title>
      <link>https://dev.to/guillermo_contreras_07609</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/guillermo_contreras_07609"/>
    <language>en</language>
    <item>
      <title>Encrypt your JWTs in .NET, not just sign them</title>
      <dc:creator>Guillermo Contreras</dc:creator>
      <pubDate>Fri, 10 Jul 2026 01:51:52 +0000</pubDate>
      <link>https://dev.to/guillermo_contreras_07609/encrypt-your-jwts-in-net-not-just-sign-them-4a6j</link>
      <guid>https://dev.to/guillermo_contreras_07609/encrypt-your-jwts-in-net-not-just-sign-them-4a6j</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fn2d86j4wtm8uh2rkywio.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fn2d86j4wtm8uh2rkywio.png" alt=" " width="800" height="420"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A signed JWT (JWS) is &lt;em&gt;tamper-proof&lt;/em&gt;, but it's not &lt;em&gt;private&lt;/em&gt; — paste one into&lt;br&gt;
jwt.io and you'll read every claim. If your token carries an email, a role or any&lt;br&gt;
PII, you want it &lt;strong&gt;encrypted&lt;/strong&gt; (JWE). Here's how, with&lt;br&gt;
&lt;strong&gt;&lt;a href="https://security.matios.cl" rel="noopener noreferrer"&gt;Matios.Security&lt;/a&gt;&lt;/strong&gt; — dependency-free JOSE/JWT for&lt;br&gt;
.NET, MIT.&lt;/p&gt;
&lt;h2&gt;
  
  
  Install
&lt;/h2&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dotnet add package Matios.Security
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;h2&gt;
  
  
  First, a normal signed token (JWS)
&lt;/h2&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight csharp"&gt;&lt;code&gt;&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;Matios.Security.Jose&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;Matios.Security.Jwt&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

&lt;span class="kt"&gt;var&lt;/span&gt; &lt;span class="n"&gt;signingKey&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;SymmetricJoseKey&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;FromBase64Url&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;signingKeyB64&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"sig-2026"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

&lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;token&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;JwtBuilder&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Issuer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"my-platform"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Subject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;userId&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Lifetime&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;TimeSpan&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;FromMinutes&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;30&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Claim&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"role"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"admin"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;SignWith&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;signingKey&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Create&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Integrity: ✅. Confidentiality: ❌ — the payload is just base64, readable by anyone&lt;br&gt;
who intercepts it.&lt;/p&gt;
&lt;h2&gt;
  
  
  Now encrypt it — one extra line
&lt;/h2&gt;

&lt;p&gt;Add &lt;code&gt;.EncryptWith(...)&lt;/code&gt; and the same builder produces a &lt;strong&gt;Nested JWT&lt;/strong&gt; (signed&lt;br&gt;
inside, encrypted outside). The token becomes opaque — &lt;code&gt;dir&lt;/code&gt; + &lt;code&gt;A256GCM&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight csharp"&gt;&lt;code&gt;&lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;token&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;JwtBuilder&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Subject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;userId&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Lifetime&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;TimeSpan&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;FromMinutes&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;30&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Claim&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"role"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"admin"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Claim&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"email"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"ana@acme.cl"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;SignWith&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;signingKey&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;EncryptWith&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;encryptionKey&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;      &lt;span class="c1"&gt;// ← now the claims are hidden&lt;/span&gt;
    &lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Create&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(Fun fact: Microsoft's own stack can't even &lt;em&gt;issue&lt;/em&gt; a JWE with A256GCM — this&lt;br&gt;
library does, cross-platform.)&lt;/p&gt;

&lt;h2&gt;
  
  
  Validate — strict by design
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight csharp"&gt;&lt;code&gt;&lt;span class="n"&gt;JwtClaims&lt;/span&gt; &lt;span class="n"&gt;claims&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;JwtValidator&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Validate&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;token&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="n"&gt;JwtValidationParameters&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;SigningKey&lt;/span&gt;    &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;signingKey&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;DecryptionKey&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;encryptionKey&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;   &lt;span class="c1"&gt;// set ⇒ a plain JWS is rejected (no downgrade)&lt;/span&gt;
    &lt;span class="n"&gt;ValidIssuer&lt;/span&gt;   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s"&gt;"my-platform"&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;

&lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;role&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;claims&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;GetClaim&lt;/span&gt;&lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;(&lt;/span&gt;&lt;span class="s"&gt;"role"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You declare the accepted &lt;code&gt;alg&lt;/code&gt;/&lt;code&gt;enc&lt;/code&gt; — no &lt;code&gt;alg:"none"&lt;/code&gt;, no algorithm confusion,&lt;br&gt;
&lt;code&gt;crit&lt;/code&gt;/&lt;code&gt;zip&lt;/code&gt; rejected. Validation failures raise one generic error; the real reason&lt;br&gt;
stays in a log-only failure code (anti-oracle).&lt;/p&gt;

&lt;p&gt;Docs and examples → &lt;strong&gt;&lt;a href="https://security.matios.cl" rel="noopener noreferrer"&gt;https://security.matios.cl&lt;/a&gt;&lt;/strong&gt;. Part of a&lt;br&gt;
family of zero-dependency, MIT packages for .NET — &lt;strong&gt;matios.cl&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;If you try it, I'd love your feedback — issues and stars welcome. 🙌&lt;/p&gt;

</description>
      <category>jwt</category>
      <category>jwe</category>
      <category>dotnet</category>
      <category>csharp</category>
    </item>
    <item>
      <title>I built five zero-dependency packages for .NET</title>
      <dc:creator>Guillermo Contreras</dc:creator>
      <pubDate>Fri, 10 Jul 2026 01:42:08 +0000</pubDate>
      <link>https://dev.to/guillermo_contreras_07609/i-built-five-zero-dependency-packages-for-net-4ag4</link>
      <guid>https://dev.to/guillermo_contreras_07609/i-built-five-zero-dependency-packages-for-net-4ag4</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl6xao7dgm61wdvnwlblo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl6xao7dgm61wdvnwlblo.png" alt=" " width="800" height="420"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For the last few months I've been building &lt;strong&gt;Matios&lt;/strong&gt; — a small family of&lt;br&gt;
open-source packages for .NET (and the web) that all share one rule:&lt;br&gt;
&lt;strong&gt;zero dependencies&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Not "few dependencies." Zero. Each one is built only on the BCL — no third-party&lt;br&gt;
packages, no transitive tree to audit, nothing that can change its license out&lt;br&gt;
from under you. MIT, and small enough to read end to end.&lt;/p&gt;

&lt;p&gt;Here's why, and what's in the family.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why zero dependencies?
&lt;/h2&gt;

&lt;p&gt;Every dependency you add is something you don't fully control: a supply-chain&lt;br&gt;
surface, a transitive tree, a maintenance and licensing risk. For a lot of&lt;br&gt;
everyday tasks — writing an Excel file, generating a PDF, dispatching a request —&lt;br&gt;
I wanted a library I could drop in and forget, and read if I ever needed to.&lt;/p&gt;

&lt;p&gt;So instead of wrapping an existing engine, each package &lt;strong&gt;writes the format (or&lt;br&gt;
implements the pattern) itself&lt;/strong&gt;, on the BCL alone. As a bonus, that makes them a&lt;br&gt;
great fit for &lt;strong&gt;Native AOT and trimming&lt;/strong&gt;, where every dependency is friction.&lt;/p&gt;

&lt;h2&gt;
  
  
  The family
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;📊 &lt;a href="https://spreadsheet.matios.cl" rel="noopener noreferrer"&gt;Matios.Spreadsheet&lt;/a&gt;&lt;/strong&gt; — read, write and stream&lt;br&gt;
&lt;code&gt;.xlsx&lt;/code&gt; (Office Open XML) with its own engine: styling, formulas computed in&lt;br&gt;
memory, charts, pivots, streaming.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;📄 &lt;a href="https://pdf.matios.cl" rel="noopener noreferrer"&gt;Matios.Pdf&lt;/a&gt;&lt;/strong&gt; — generate, read and encrypt PDFs&lt;br&gt;
(ISO 32000): embedded, subsetted Unicode fonts, vector graphics, images, and a&lt;br&gt;
layout engine with flow and paginating tables.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🧩 &lt;a href="https://forge.matios.cl" rel="noopener noreferrer"&gt;Matios.Forge&lt;/a&gt;&lt;/strong&gt; — a mediator for .NET with no&lt;br&gt;
mandatory container (dispatch in ~15 ns, allocation-free), plus a set of building&lt;br&gt;
blocks for Clean Architecture (specification, state machine, strategy, repository…).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🔒 &lt;a href="https://security.matios.cl" rel="noopener noreferrer"&gt;Matios.Security&lt;/a&gt;&lt;/strong&gt; — JOSE/JWT done strictly: it&lt;br&gt;
issues JWE (encrypted tokens) that the official .NET stack can't, plus JWS and&lt;br&gt;
Nested JWT.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🎨 &lt;a href="https://ui-framework.matios.cl" rel="noopener noreferrer"&gt;Matios UI Framework&lt;/a&gt;&lt;/strong&gt; — the web sibling:&lt;br&gt;
UI in pure CSS and JavaScript, 85+ components, mode + accent theming, no build step.&lt;/p&gt;

&lt;p&gt;Every one is MIT, tested and benchmarked — and, for the .NET ones, validated&lt;br&gt;
against real readers (opening the &lt;code&gt;.xlsx&lt;/code&gt; in Excel, the PDF in real viewers, and&lt;br&gt;
so on) rather than just unit tests in isolation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try them
&lt;/h2&gt;

&lt;p&gt;Each has its own page with the docs, examples, benchmarks and the install command&lt;br&gt;
(plus NuGet and GitHub links):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;📊 &lt;strong&gt;&lt;a href="https://spreadsheet.matios.cl" rel="noopener noreferrer"&gt;https://spreadsheet.matios.cl&lt;/a&gt;&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;📄 &lt;strong&gt;&lt;a href="https://pdf.matios.cl" rel="noopener noreferrer"&gt;https://pdf.matios.cl&lt;/a&gt;&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;🧩 &lt;strong&gt;&lt;a href="https://forge.matios.cl" rel="noopener noreferrer"&gt;https://forge.matios.cl&lt;/a&gt;&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;🔒 &lt;strong&gt;&lt;a href="https://security.matios.cl" rel="noopener noreferrer"&gt;https://security.matios.cl&lt;/a&gt;&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;🎨 &lt;strong&gt;&lt;a href="https://ui-framework.matios.cl" rel="noopener noreferrer"&gt;https://ui-framework.matios.cl&lt;/a&gt;&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Or start from &lt;strong&gt;matios.cl&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;It's early, and it's open source. If any of these solve a problem for you, I'd&lt;br&gt;
genuinely love your feedback — issues, stars, and "this broke on my file" reports&lt;br&gt;
are all welcome. That's exactly how they get better.&lt;/p&gt;

&lt;p&gt;I'll follow up with a short how-to for each one. Thanks for reading. 🙌&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>dotnet</category>
      <category>csharp</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
