// the find
o1egl/paseto
Platform-Agnostic Security Tokens implementation in GO (Golang)
A Go implementation of PASETO tokens — essentially JWT's more opinionated cousin that eliminates algorithm confusion attacks by baking the crypto choices into versioned protocols. If you're building auth for Go microservices and are tired of JWT footguns, this is the drop-in replacement. The API surface is small and intentional.
Only implements v2 local (XChaCha20-Poly1305) and v2 public (Ed25519), so you can't accidentally pick a broken algorithm. The Parse() helper handles multi-version token routing cleanly, which is useful during key rotation. Benchmarks are included and the numbers are reasonable — 8µs for symmetric encrypt/decrypt on real hardware. Ed25519 key generation delegates to the stdlib, so there's no custom crypto to audit.
Stale since February 2023 and only supports v1/v2; PASETO v3 and v4 (released in 2021–2022) are not implemented, which is a real gap since v4 is the current recommended version. 939 stars and 39 forks for a three-year-old security library with no active maintenance is a warning sign — you're adopting something you'll likely need to fork. The flat package layout (everything in the root) makes it awkward to import selectively. No support for PASERK (the key-wrapping companion spec), so key management is entirely your problem.