    Does FusionAuth support paseto tokens?

    • dan
      dan last edited by dan

      Does FusionAuth support paseto tokens? JWTs have some settings which can be insecure ("alg":"none"), whereas Pasetos are secure by default.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • dan
        dan last edited by

        No, currently FusionAuth does not support paseto tokens. We do have an open feature request in our issue tracker, though.

        Please upvote it if this is important to you.

        • V
          voidmain last edited by

          In my opinion, JWTs aren't insecure by default. Rather, they have the ability to be insecure via the none algorithm, while in practice, no one ever uses the none algorithm and FusionAuth doesn't even support it. In most cases, JWTs are only signed and there is an entirely separate specification for encryption, which is quite complex.

          Paseto on the other hand is always secure via signing or encryption. Having signing and encryption baked into a simpler specification is a plus. That doesn't necessarily mean that JWTs are bad though. And certainly FusionAuth's support for JWTs is always secure via signing.

          • dan
            dan last edited by

            Also, if you are interested in building a more secure JWT, this article may be of interest: https://fusionauth.io/learn/expert-advice/tokens/building-a-secure-jwt/
