paseto-standard / paseto-spec

Specification for Platform Agnostic SEcurity TOkens (PASETO)

Support for Non-JSON Formatted Payload #40

Open justkash opened 1 month ago

justkash commented 1 month ago

Should PASETO be agnostic to the formatting of the payload? Is there a strong reason why JSON payloads are preferred?

paragonie-security commented 1 month ago

We went with JSON because it was convenient, especially for developers that would otherwise reach for JWTs.

Other encodings are tentatively permitted by the spec, should anyone care to specify them. We even called out v3c / v4c as a potential header for "CBOR".

But we don't use anything other than JSON in our own projects, so we haven't felt a need to specify it.