Sat. Nov 19th, 2022

There are two types (or “purposes”) of PASETO tokens: local and public. Local tokens are encrypted with a shared key, whereas public tokens are signed with a public/private key pair but are NOT encrypted. In other words, anyone can read a public token, and only parties holding the shared secret key can read local tokens.
The PASETO token format has two different versions:

  • v1 is a compatibility mode, which is ideal for legacy systems and uses cryptographic primitives that are widely available today.
  • v2 is the recommended option, which uses the latest cryptographic primitives.

When you put this all together in a string, the format looks like this:
Or, with the optional footer:
For example, a v1.local token looks like this:
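
The following Python code is an added example, not part of the original page. It splits a token into the dot-separated `version.purpose.payload[.footer]` segments defined by the PASETO specification and shows why a public token must not carry secrets: its claims decode without any key, while a local payload stays opaque. The sample tokens are constructed (dummy all-zero signature, filler bytes), and the signature lengths assume the spec's v1 (2048-bit RSA, 256 bytes) and v2 (Ed25519, 64 bytes) public formats.

```python
import base64
import json

# Length of the signature appended to the message in public tokens
# (assumption from the PASETO spec: v1 = RSA-2048 PSS, v2 = Ed25519).
SIG_LEN = {"v1": 256, "v2": 64}


def b64url_decode(segment: str) -> bytes:
    """PASETO uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_token(token: str) -> dict:
    """Split a token into its parts WITHOUT verifying or decrypting it."""
    parts = token.split(".")
    if len(parts) not in (3, 4):
        raise ValueError("expected version.purpose.payload[.footer]")
    version, purpose, payload = parts[:3]
    if version not in SIG_LEN or purpose not in ("local", "public"):
        raise ValueError(f"unsupported header {version}.{purpose}")
    body = b64url_decode(payload)
    info = {"version": version, "purpose": purpose, "claims": None,
            "footer": b64url_decode(parts[3]) if len(parts) == 4 else b""}
    if purpose == "public":
        if len(body) <= SIG_LEN[version]:
            raise ValueError("payload shorter than signature")
        # The message is plaintext; the trailing signature is NOT checked here,
        # so these claims are for inspection only and must not be trusted.
        info["claims"] = json.loads(body[:-SIG_LEN[version]])
    return info


# Constructed samples: dummy signature and filler bytes, not valid tokens.
MESSAGE = json.dumps({"sub": "alice", "role": "admin"}).encode()
SAMPLE_PUBLIC = ("v2.public." + b64url_encode(MESSAGE + bytes(64))
                 + "." + b64url_encode(b"key-id-1"))
SAMPLE_LOCAL = "v2.local." + b64url_encode(bytes(range(24)) + bytes(40))

if __name__ == "__main__":
    print(inspect_token(SAMPLE_PUBLIC))  # claims readable without a key
    print(inspect_token(SAMPLE_LOCAL))   # claims stay None: payload is opaque
```

Real code must verify the signature (public) or decrypt with the shared key (local) through a PASETO library before acting on any claim.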