dmonad / isodb

MIT License

Have you considered Paseto instead of JWT? #1

Closed nikgraf closed 10 months ago

nikgraf commented 10 months ago

I saw you using JWTs and was wondering if you looked into Paseto https://paseto.io/

dmonad commented 10 months ago

Thanks for the hint. I didn't know about paseto. I appreciate that, unlike jwt, paseto only allows cryptographic methods that are deemed secure. That was my plan as well, by basically only supporting JWT with ECDSA over P384. Which is... exactly what paseto v3 specifies. Neat!

So yeah, I'll eventually add paseto support as well and switch to paseto in my other projects.

What I dislike about JWT and Paseto is that they use JSON encoding and work over base64 encoded strings. Which is just weird if you work on a binary protocol.

Another approach that I've been thinking about is to implement a binary-encoded JWT-alternative that encodes data using lib0/encoding or any-encoding (my binary alternative to JSON that I use in Yjs). But who needs another standard...

nikgraf commented 10 months ago

Oh man, I feel you regarding the binary protocol issue :( I would probably also avoid creating another standard, especially if you consider that the token is processed in other environments.

But glad I could point you in an interesting direction :)