Closed anweiss closed 3 years ago
There's actually two components to PASETO:
You can pull out just Version1 and Version2 and use them for arbitrary text. We just built a token API on top of them in PASETO proper.
Alternatively: drop everything into a footer if you're only using v2.public (which uses Ed25519), since those are arbitrary data.
@paragonie-scott in your second example where everything is dropped into a footer if only v2.public is used, is it assumed that the message, m, is therefore empty and the footer, f, houses the arbitrary data? As written, the spec seems to require a message, m, and only the footer, f, is optional. Thus the message format becomes as follows:
version.purpose.footer
@anweiss The message part contains the signature and/or MAC, so it's not possible to have an empty message there.
I'm going to close this. If you still have a question, please let us know.
https://github.com/paseto-standard/paseto-spec is where the specification lives now
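Added example, not part of the original thread and not the PASETO project's code: a sketch of how a v2.public token is framed, showing that the second segment always carries the 64-byte Ed25519 signature after the arbitrary message bytes, so a three-part `version.purpose.footer` string is rejected. The helper names, the all-zero placeholder signature and the sample message and footer are constructed for illustration, and no signature verification is performed.

```python
import base64
import struct

HEADER = b"v2.public."
SIG_LEN = 64  # an Ed25519 signature is always 64 bytes


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pae(*pieces: bytes) -> bytes:
    """Pre-Authentication Encoding: the byte string that is actually signed."""
    def le64(n: int) -> bytes:
        return struct.pack("<Q", n & 0x7FFFFFFFFFFFFFFF)
    return le64(len(pieces)) + b"".join(le64(len(p)) + p for p in pieces)


def split_v2_public(token: str):
    """Return (message, signature, footer). Framing only, no verification."""
    parts = token.split(".")
    if len(parts) not in (3, 4) or parts[:2] != ["v2", "public"]:
        raise ValueError("not a v2.public token")
    body = b64u_decode(parts[2])
    if len(body) < SIG_LEN:
        raise ValueError("payload segment too short to hold a signature")
    footer = b64u_decode(parts[3]) if len(parts) == 4 else b""
    return body[:-SIG_LEN], body[-SIG_LEN:], footer


def signed_input(message: bytes, footer: bytes) -> bytes:
    """Bytes an Ed25519 verifier would check the signature against."""
    return pae(HEADER, message, footer)


# Constructed sample: arbitrary (non-JSON) message bytes and a placeholder
# signature of 64 zero bytes. This token would not verify.
FAKE_SIG = bytes(SIG_LEN)
MESSAGE = b"\x00\x01raw bytes, not JSON"
TOKEN = ("v2.public." + b64u_encode(MESSAGE + FAKE_SIG)
         + "." + b64u_encode(b"footer-placeholder"))

if __name__ == "__main__":
    m, sig, f = split_v2_public(TOKEN)
    print(m, len(sig), f, signed_input(m, f).hex())
```
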
In its current state, can paseto be used to simply sign arbitrary payloads ... e.g. generic JSON or any base64 encoded value? Looking for an alternative to JWS and came across paseto, but it seems to be primarily focused on claims and an alternative to JWTs.