There are two types (or “purposes”) of PASETO tokens: local and public. Local tokens are encrypted and authenticated with a shared symmetric key, whereas public tokens are signed with the private half of an asymmetric key pair and verified with the public half, but are NOT encrypted. In other words, anyone can read the payload of a public token (only its authenticity is protected), and only parties holding the shared key can read a local token.
The PASETO token format has two versions, v1 and v2:
- v1 is a compatibility mode for systems that cannot yet use modern cryptographic libraries; it relies on primitives that are already widely available (AES-256-CTR with HMAC-SHA384 for local tokens, RSA-PSS for public tokens).
- v2 is the recommended option and uses modern primitives (XChaCha20-Poly1305 for local tokens, Ed25519 for public tokens).
When you put this all together in a string, the format looks like this:
version.purpose.payload
Or, with the optional footer:
version.purpose.payload.footer
The payload and the footer are base64url-encoded without padding. The footer is authenticated but never encrypted, even in a local token, so it is the place for public metadata such as a key identifier, not for secrets.
For example, a v1.local token looks like this:
v1.local.CuizxAzVIz5bCqAjsZpXXV5mk_WWGHbVxmdF81DORwyYcMLvzoUHUmS_VKvJ1hn5zXyoMkygkEYLM2LM00uBI3G9gXC5VrZCUM-BLZo1q9IDIncAZTxYkE1NUTMz
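As an added example (not code from the original page or from the PASETO project), the parser below splits a token into version, purpose, payload and optional footer, and shows the property that matters most in practice: the verifier pins the version and purpose it accepts and rejects anything else before any key is touched, so a token cannot talk the verifier into a different algorithm. The field sizes in LAYOUT (nonce and tag lengths for local tokens, signature lengths for public tokens) are taken from the PASETO v1/v2 specifications rather than from this page, and the sample token bytes are constructed, not real ciphertext. No cryptography is performed here; decrypting or verifying the payload is a separate step.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The four version/purpose combinations described on the page.
VALID_HEADERS = {("v1", "local"), ("v1", "public"), ("v2", "local"), ("v2", "public")}

# Fixed-size fields at the head and tail of the decoded payload. Assumed from the
# PASETO v1/v2 specifications (not stated on the page):
#   v1.local  : 32-byte nonce || AES-256-CTR ciphertext || 48-byte HMAC-SHA384 tag
#   v2.local  : 24-byte nonce || XChaCha20 ciphertext    || 16-byte Poly1305 tag
#   v1.public : message || 256-byte RSA-PSS signature (2048-bit key)
#   v2.public : message || 64-byte Ed25519 signature
LAYOUT = {
    ("v1", "local"): (32, 48),
    ("v2", "local"): (24, 16),
    ("v1", "public"): (0, 256),
    ("v2", "public"): (0, 64),
}

_B64URL_ALPHABET = re.compile(r"[A-Za-z0-9_-]*")


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url strictly: padding or any byte outside the
    alphabet is an error (base64.urlsafe_b64decode would silently drop them)."""
    if not _B64URL_ALPHABET.fullmatch(s):
        raise ValueError("segment contains characters outside the base64url alphabet")
    if len(s) % 4 == 1:
        raise ValueError("segment has an impossible base64url length")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class Paseto:
    version: str
    purpose: str
    payload: bytes           # nonce||ciphertext||tag (local) or message||signature (public)
    footer: Optional[bytes]  # None when the token carries no footer


def parse_paseto(token: str, expected_version: str, expected_purpose: str) -> Paseto:
    """Split a token into its parts. The caller pins the one version.purpose it
    accepts; a token with any other header is rejected before keys are used."""
    parts = token.split(".")
    if len(parts) not in (3, 4):
        raise ValueError("token must be version.purpose.payload[.footer]")
    version, purpose, payload_b64 = parts[0], parts[1], parts[2]
    if (version, purpose) not in VALID_HEADERS:
        raise ValueError(f"unknown header {version}.{purpose}")
    if (version, purpose) != (expected_version, expected_purpose):
        raise ValueError(
            f"got {version}.{purpose}, this verifier only accepts "
            f"{expected_version}.{expected_purpose}")
    payload = b64url_decode(payload_b64)
    head, tail = LAYOUT[(version, purpose)]
    if len(payload) < head + tail:
        raise ValueError(f"payload too short for {version}.{purpose}")
    footer = None
    if len(parts) == 4:
        if parts[3] == "":
            raise ValueError("empty footer segment; omit the fourth part instead")
        # Footer is associated data: authenticated, but readable by anyone.
        footer = b64url_decode(parts[3])
    return Paseto(version, purpose, payload, footer)


def split_payload(t: Paseto) -> Tuple[bytes, bytes, bytes]:
    """Return (nonce, body, tag_or_signature); nonce is b'' for public tokens."""
    head, tail = LAYOUT[(t.version, t.purpose)]
    return t.payload[:head], t.payload[head:len(t.payload) - tail], t.payload[len(t.payload) - tail:]


def build_token(version: str, purpose: str, payload: bytes, footer: Optional[bytes] = None) -> str:
    """Assemble the string form from already-encrypted/signed payload bytes."""
    token = f"{version}.{purpose}.{b64url_encode(payload)}"
    if footer:  # per spec an empty footer is simply omitted
        token += "." + b64url_encode(footer)
    return token


def is_rejected(token: str, version: str, purpose: str) -> bool:
    """True if parse_paseto refuses the token for the given pinned header."""
    try:
        parse_paseto(token, version, purpose)
        return False
    except ValueError:
        return True


# Constructed sample (not real encryption): 32-byte nonce, 13-byte "ciphertext",
# 48-byte tag, mirroring the v1.local layout, plus a key-id footer.
SAMPLE_PAYLOAD = bytes(range(32)) + b"hello-cipher!" + bytes(range(48))
SAMPLE_FOOTER = b'{"kid":"key-2019-01"}'
SAMPLE_V1_LOCAL = build_token("v1", "local", SAMPLE_PAYLOAD, SAMPLE_FOOTER)

if __name__ == "__main__":
    t = parse_paseto(SAMPLE_V1_LOCAL, "v1", "local")
    nonce, body, tag = split_payload(t)
    print(SAMPLE_V1_LOCAL)
    print(len(nonce), body, len(tag), t.footer)
    print("v2.local pinned ->", "rejected" if is_rejected(SAMPLE_V1_LOCAL, "v2", "local") else "accepted")
```

The header check happens on plain strings, so there is nothing secret to leak by comparing it early; what the check buys you is that a `v2.public` token can never be fed to code holding a `v2.local` key, which is the confusion JWT's `alg` header allowed.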