rlittlefield / pypaseto

PASETO for Python

Usage in REST API #13

Closed kounelios13 closed 4 years ago

kounelios13 commented 4 years ago

Hello. I am trying to migrate a REST API I have in Eve to use paseto (just for demonstration, not for production usage). I am no crypto expert, so my question might be stupid. I want to sign a new paseto token for every user that logs in through my API. From your example I see that for a public-purpose token I need to generate a pair of keys (public, private). Now I want to know if I need to create a different pair of keys for every user that signs in through my API.

rlittlefield commented 4 years ago

It depends on what you want to do. If you are creating a payload that only your own servers need to read, but you are giving them to the user to hold onto, then you would just use the "local" token types in paseto. This is both encrypted and authenticated. This is great for something like a "password reset", where you send them a token instead of writing a row to the database.

If you are using paseto to authenticate a user request, or for something between services, you could use the "public" option. These are not encrypted, but they are signed using the private key. The private key should be kept secret by whoever is going to create the payload. The public key should be available for anyone who needs to verify that the content was created by the person with the private key.

If your server is the one making the payload, then you don't need to generate more than one key, because your users can use the same public key to validate. If your users are each generating their own payloads and you need to verify them, such as to authenticate some aspect of a request, they will each need their own private keys, and you would need to save the public keys of each user in a database or something. I can't really help too much with the actual details of your design, but hopefully this is enough for you to look into some additional research on the topic.

Good luck! (and sorry for the very late response. I don't think my github notifications have been working quite right)
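As an added example (not pypaseto's own code or API, and not part of the thread above) of the two "public"-purpose arrangements the reply describes: topology A, where the API server is the only issuer and one key pair suffices because every verifier holds the server's public key; and topology B, where each user signs their own requests and the server keeps a registry of per-user public keys. It builds the PASETO v2.public token format directly on the `cryptography` package's Ed25519 so that it runs without pypaseto; the helper names, the user ids, and the convention of carrying the user id in the token footer are this example's own choices, not the library's. "local" tokens (encrypted and authenticated) are not shown here.

```python
# Added example, not pypaseto's code: server-issued vs. user-issued
# v2.public tokens (Ed25519 over PASETO's Pre-Authentication Encoding).
# Needs the `cryptography` package; names and sample users are made up.
import base64
import json
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

HEADER = b"v2.public."


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pae(pieces):
    # PAE: LE64(count), then LE64(len) || piece per piece, so header, payload
    # and footer can never be confused for one another in the signed input.
    out = struct.pack("<Q", len(pieces))
    for piece in pieces:
        out += struct.pack("<Q", len(piece)) + piece
    return out


def sign_token(sk: Ed25519PrivateKey, claims: dict, footer: bytes = b"") -> str:
    message = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = sk.sign(pae([HEADER, message, footer]))
    token = HEADER.decode() + _b64(message + sig)
    return token + "." + _b64(footer) if footer else token


def split_token(token: str):
    if not token.startswith(HEADER.decode()):
        raise ValueError("not a v2.public token")
    body, _, footer_b64 = token[len(HEADER):].partition(".")
    raw = _unb64(body)
    return raw[:-64], raw[-64:], _unb64(footer_b64)


def verify_token(pk: Ed25519PublicKey, token: str) -> dict:
    message, sig, footer = split_token(token)
    try:
        pk.verify(sig, pae([HEADER, message, footer]))
    except InvalidSignature:
        raise ValueError("signature check failed")
    return json.loads(message)


# Topology A: the API server is the only issuer. One key pair; anyone who
# has to verify (other services, even the client) just holds SERVER_PK.
SERVER_SK = Ed25519PrivateKey.generate()
SERVER_PK = SERVER_SK.public_key()


def issue_session_token(user_id: str) -> str:
    return sign_token(SERVER_SK, {"sub": user_id, "scope": "api"})


# Topology B: users sign their own requests. The server keeps a registry of
# per-user public keys, selected by the user id in the (signed) footer.
USER_PUBLIC_KEYS: dict = {}


def register_user(user_id: str) -> Ed25519PrivateKey:
    sk = Ed25519PrivateKey.generate()
    USER_PUBLIC_KEYS[user_id] = sk.public_key()
    return sk  # the user keeps this; the server only stores the public half


def verify_user_request(token: str) -> dict:
    _, _, footer = split_token(token)
    pk = USER_PUBLIC_KEYS.get(footer.decode())
    if pk is None:
        raise ValueError("unknown user")
    return verify_token(pk, token)


def _swap_footer(token: str, new_footer: bytes) -> str:
    # Attacker's move: keep someone's signed body, claim a different identity.
    body = token[len(HEADER):].partition(".")[0]
    return HEADER.decode() + body + "." + _b64(new_footer)


def _rejected(token: str) -> bool:
    try:
        verify_user_request(token)
        return False
    except ValueError:
        return True


def demo() -> dict:
    results = {}
    results["server_token_sub"] = verify_token(SERVER_PK, issue_session_token("alice"))["sub"]
    alice_sk, bob_sk = register_user("alice"), register_user("bob")
    req = sign_token(alice_sk, {"action": "delete", "id": 42}, footer=b"alice")
    results["user_request_action"] = verify_user_request(req)["action"]
    bad = [
        sign_token(bob_sk, {"action": "delete"}, footer=b"alice"),  # bob posing as alice
        _swap_footer(req, b"bob"),      # alice's signed body under bob's name
        _swap_footer(req, b"mallory"),  # unregistered user
    ]
    results["rejected"] = sum(_rejected(t) for t in bad)
    return results


if __name__ == "__main__":
    print(demo())
```

The footer lookup is what makes topology B work without trusting the token: the user id is readable before verification, but it is part of the PAE input, so relabelling a body under another user's id fails against that user's registered key. In a real API the registry write path (who may register or rotate a user's public key) needs the same care as a password change, and an `exp` claim should be checked after verification.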