What is PASETO and How Does it Compare to JWT?
Introduction
When building secure applications, authentication and authorization mechanisms play a crucial role. JSON Web Tokens (JWT) have been the industry standard for token-based authentication, but an alternative called PASETO (Platform-Agnostic Security Tokens) has gained traction. In this post, we’ll explore what PASETO is, how it differs from JWT, and why you might consider using it in your applications.
What is PASETO?
PASETO (Platform-Agnostic Security Tokens) is a security token format designed to address some of the security pitfalls associated with JWT.
Many security issues with JWTs arise from their inherent flexibility, making proper server-side signature verification crucial. Common pitfalls include:
- Flawed Signature Verification
- Weak Secret Seeds
- Algorithm Confusion Attacks
On the other hand, PASETO enforces safe cryptographic practices by strictly defining cryptographic algorithms per version and purpose, reducing the risk of misconfiguration. It offers two token types:
- Local tokens
vX.local.<payload>: use symmetric encryption, making them ideal for server-side session management where the key remains securely controlled. - Public tokens
vX.public.<payload>: leverage asymmetric encryption, allowing secure verification without exposing the private key.
Currently, PASETO has multiple versions (v1, v2, v3 and v4), each improving security aspects based on modern cryptographic recommendations.
PASETO vs JWT
Security by Design
- JWT supports multiple algorithms, including insecure values like
none - PASETO enforces secure algorithms by default
No Algorithm Confusion
- JWT requires specifying the algorithm used, leading to potential downgrade attacks if an attacker forces a weaker algorithm
- PASETO removes this ambiguity by having fixed cryptographic choices per version
Token Structure: Symmetric Encryption
Symmetric encryption means the same secret key is used for both signing and verification.
PASETO (Local Token — v4.local)
v4.local.T_Ho80hGbA_U5B2GbK3h_j8bqCM-pT8g0KjOq9BLoYyIThis is an encrypted token using Version 4 (v4), meaning it applies XChaCha20-Poly1305 for authenticated encryption.
JWT (HMAC-SHA256)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsImlhdCI6MTY3MjYwMzIwMH0.7eN_vtWJ7O9Pj5HmfGQac1iJHoXqS9tGxU3zMnsyM5cThis JWT is signed with HMAC-SHA256, meaning the server needs the same secret key to verify the signature.
👉 PASETO’s local tokens are fully authentication encrypted, while JWTs are only signed, leaving claims readable unless explicitly encrypted.
Token Structure: Asymmetric Encryption
Asymmetric encryption involves a public-private key pair, where the private key signs and the public key verifies.
PASETO (Public Token — v4.public)
v4.public.eyJ1c2VyX2lkIjoxMjMsImlhdCI6MTY3MjYwMzIwMH0.K_s6eJ93hRnyj-4rMBDpYm2woK8EYv5IjSx2B0R10qIThis is a signed token (not encrypted), using Ed25519 for digital signatures.
JWT (RS256 — RSA Signature)
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsImlhdCI6MTY3MjYwMzIwMH0.QUeRvJ4GJh9aMscP1MSVZlXbTi3NCa3YFGF4BlrHpE4This JWT is signed using RS256 (RSA-SHA256), meaning a private key signs it, and a public key verifies it (other algorithms can be chosen).
👉 PASETO eliminates algorithm confusion by defining one cryptographic algorithm per version, while JWT allows developers to select algorithms, which can lead to security misconfigurations.
Token Revocation
Besides the normal expire setting which is present in both PASETO and JWT, revocation ensures that compromised tokens are invalidated, preventing unauthorized access.
- JWT revocation involves keeping a blacklist of tokens until they expire
- PASETO local tokens are managed by the server, allowing invalidation on the server side
- PASETO public tokens, like JWTs, are stateless and require a blacklist for revocation
Decoding VX.Public PASETO Tokens
Both PASETO and JWT tokens share a similarity in that, for asymmetric encryption, both have an unencrypted Base64 payload. However, their decoding methods differ:
- In JWT tokens, the payload and signature are separated by a dot (.), making it straightforward to decode the payload as Base64 directly.
- In contrast, PASETO VX.Public tokens lack this structure. Depending on the version being used, the size of the signature needs to be determined, and the payload must be split accordingly.
If you’re a security tester or a web developer needing to quickly decode a raw PASETO vX.public token, you can use the following Python script, which automatically checks the token version and decodes it accordingly:
❯ git clone https://github.com/diogper/paseto-decoder.git
❯ cd paseto-decoder
❯ python paseto-decoder.py v4.public.eyJ1c2VyIjoiYWxpY2UiLCJyb2xlIjoiYWRtaW4iLCJpYXQiOiIyMDI1LTAzLTAzVDIzOjE3OjMwLjkyMFoifS-X7zXNNVRzgCA1bJEPOgrUE62VckpfdOOaWsu5KEg8axWCTc32Vvlr9CcS8z5y2oFHYKcnhRL6n81guHriKAg
[!] Decoding PASETO Token
[+] Header: v4.public.
[+] Payload: {"user":"alice","role":"admin","iat":"2025-03-03T23:17:30.920Z"}
[+] Signature: b"/\x97\xef5\xcd5Ts\x80 5l\x91\x0f:\n\xd4\x13\xad\x95rJ_t\xe3\x9aZ\xcb\xb9(H<k\x15\x82M\xcd\xf6V\xf9k\xf4'\x12\xf3>r\xda\x81G`\xa7'\x85\x12\xfa\x9f\xcd`\xb8z\xe2(\x08"Conclusion
While JWT remains widely used, PASETO offers a compelling alternative for developers prioritizing security and simplicity. If you’re working on a new project or looking to enhance security in an existing system, considering PASETO as your token standard might be a smart move.
Would you like a practical example or a deeper dive into implementing PASETO in a real-world application? Let me know in the comments!
