DEV Community

Filling the PASETO gap in JavaScript: paseto-kit (v3/v4 + full PASERK)

The gap

PASETO is a "secure alternative to JWT" - no algorithm-confusion footguns, versioned protocols, sensible defaults. On Node, the reference implementation was panva/paseto. In March 2025 it was archived read-only. The maintained libraries that remain are v4-only and don't implement PASERK - the companion standard for serializing, wrapping, and sealing keys.

So there was no maintained JS library that covered both PASETO and full PASERK. That's the gap paseto-kit fills.

What's in it

  • PASETO v4 - XChaCha20 + BLAKE2b (local), Ed25519 (public)
  • PASETO v3 - the NIST/FIPS-friendly profile: P-384 / AES-256-CTR / HMAC-SHA384
  • Full PASERK (all 11 types, per version): local / public / secret serialization, lid / pid / sid key IDs, local-wrap / secret-wrap, password wrapping with Argon2id (v4) and PBKDF2 (v3), and seal (X25519 / P-384 ECDH)
  • Registered-claims validation (exp, nbf, iss, aud, sub) with clock tolerance
  • Runtime-agnostic - one build for Node, Deno, Bun, browsers, edge. No node: imports, no Buffer; just Uint8Array + WebCrypto's CSPRNG, on the audited @noble/* primitives

Using it

import { generateKeyPair, sign, verify } from 'paseto-kit';

const { secretKey, publicKey } = generateKeyPair();
const token = sign(secretKey, { role: 'admin' });
const { payload } = verify(publicKey, token);

Need the NIST profile? Everything's mirrored under a v3 namespace, with distinct key types so a v4 key can never be used on a v3 token:

import { v3 } from 'paseto-kit';

const key = v3.generateLocalKey();
v3.decrypt(key, v3.encrypt(key, { sub: 'u1' }), { validate: { exp: true } });

On correctness

Crypto libraries earn trust by being boring and verifiable. paseto-kit implements no novel cryptography - it assembles audited primitives per spec, and it's tested against the official PASETO and PASERK test vectors, including the expect-fail cases (e.g. non-canonical base64url, which must be rejected to prevent token malleability).

Honest caveat: it's pre-1.0 and has not had an independent third-party security audit. Review it before production use, and file issues - especially on the crypto.

Comments

No comments yet. Start the discussion.