🔑 Paseto.NET, a Paseto (Platform-Agnostic Security Tokens) implementation for .NET
PASETO protocols
purpose | v1 | v2 | v3 | v4 |
---|---|---|---|---|
local | ✅ | ✅ | ✅ | ✅ |
public | ✅ | ✅ | ✅ | ✅ |
PASERK extension
type | support |
---|---|
lid | ✅ |
local | ✅ |
seal | ❌ |
local-wrap | ❌ |
local-pw | ❌ |
sid | ✅ |
public | ✅ |
pid | ✅ |
secret | ✅ |
secret-wrap | ❌ |
secret-pw | ❌ |
Install the Paseto.Core NuGet package from the .NET CLI using:
dotnet add package Paseto.Core
or from the NuGet package manager:
Install-Package Paseto.Core
The library exposes a Fluent API with several method overloads found in Use(), WithKey(), AddClaim(), AddFooter() and so on to provide the flexibility needed for encoding and decoding PASETO tokens and also for generating the required symmetric or asymmetric key pairs. However, you can use the Protocols and Handlers directly if you like.
Below are a couple of examples for the most common use cases:
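```csharp
// Generate a symmetric key for the local purpose (version is chosen by the caller).
var pasetoKey = new PasetoBuilder().Use(version, Purpose.Local)
                                   .GenerateSymmetricKey();
```

```csharp
// Generate an asymmetric key pair for the public purpose from a caller-supplied seed.
var pasetoKey = new PasetoBuilder().Use(version, Purpose.Public)
                                   .GenerateAsymmetricKeyPair(seed);
```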
NOTE: A seed is not required for protocol v1.
```csharp
// Encode a token with registered claims, one custom claim and a footer.
var token = new PasetoBuilder().Use(version, purpose)
                               .WithKey(key)
                               .AddClaim("data", "this is a secret message")
                               .Issuer("https://github.com/daviddesmet/paseto-dotnet")
                               .Subject(Guid.NewGuid().ToString())
                               .Audience("https://paseto.io")
                               .NotBefore(DateTime.UtcNow.AddMinutes(5)) // token is not valid until 5 minutes from now
                               .IssuedAt(DateTime.UtcNow)
                               .Expiration(DateTime.UtcNow.AddHours(1))
                               .TokenIdentifier("123456ABCD")
                               .AddFooter("arbitrary-string-that-isn't-json")
                               .Encode();
```

```csharp
// Decode a token with the same version, purpose and key.
var result = new PasetoBuilder().Use(version, purpose)
                                .WithKey(key)
                                .Decode(token);
```
Or validate the token's payload while decoding (the header and signature are always validated):

```csharp
// Checks to apply to the payload claims while decoding.
var valParams = new PasetoTokenValidationParameters
{
    ValidateLifetime = true,
    ValidateAudience = true,
    ValidateIssuer = true,
    ValidAudience = "https://paseto.io",
    ValidIssuer = "https://github.com/daviddesmet/paseto-dotnet"
};

var result = new PasetoBuilder().Use(version, purpose)
                                .WithKey(key)
                                .Decode(token, valParams);
```
The library also provides the PASERK extension for encoding and decoding a key.
A serialized key in PASERK has the format:
k[version].[type].[data]
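```csharp
// Serialize a key to its PASERK string of the given type.
var paserk = Paserk.Encode(pasetoKey, type);

// Parse a PASERK string back into a key.
var key = Paserk.Decode(paserk);
```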
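
A format pre-check for PASERK strings, added here as an example: it is not part of Paseto.NET, uses only the .NET base class library, and `PaserkInspector`, `Inspect` and `Info` are hypothetical names. It parses `k[version].[type].[data]`, applies the support table above, and flags the two types that carry raw key material.

```csharp
using System;
using System.Collections.Generic;

public static class PaserkInspector
{
    // Support flags copied from the PASERK table on this page (true = ✅).
    static readonly Dictionary<string, bool> Supported = new()
    {
        ["lid"] = true, ["local"] = true, ["seal"] = false, ["local-wrap"] = false,
        ["local-pw"] = false, ["sid"] = true, ["public"] = true, ["pid"] = true,
        ["secret"] = true, ["secret-wrap"] = false, ["secret-pw"] = false,
    };
    public record Info(int Version, string Type, bool SupportedHere, bool RawKeyMaterial, int DataBytes);

    public static Info Inspect(string paserk)
    {
        // k[version].[type].[data]: split into three so any further dots stay in [data].
        var p = paserk.Split('.', 3);
        if (p.Length != 3 || p[0].Length != 2 || p[0][0] != 'k' || p[0][1] < '1' || p[0][1] > '4')
            throw new FormatException("expected k[version].[type].[data] with version 1-4");
        if (!Supported.TryGetValue(p[1], out var supported))
            throw new FormatException($"unknown PASERK type '{p[1]}'");
        // Supported types carry one unpadded base64url segment; others are reported undecoded (-1).
        int bytes = supported ? DecodeBase64Url(p[2]).Length : -1;
        // 'local' and 'secret' hold the key itself in the clear: keep them out of logs.
        bool raw = p[1] is "local" or "secret";
        return new Info(p[0][1] - '0', p[1], supported, raw, bytes);
    }

    static byte[] DecodeBase64Url(string s)
    {
        // Reject padding, the standard-alphabet characters and whitespace before decoding.
        if (s.Length == 0 || s.IndexOfAny(new[] { '+', '/', '=', ' ', '\t', '\r', '\n' }) >= 0)
            throw new FormatException("data must be non-empty unpadded base64url");
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    public static void Main()
    {
        // Constructed sample: an all-zero 32-byte key, not a real secret.
        var data = Convert.ToBase64String(new byte[32]).TrimEnd('=');
        Console.WriteLine(Inspect("k4.local." + data));
        Console.WriteLine(Inspect("k4.local-wrap.pie.constructed"));
        try { Inspect("v4.local." + data); } // a token header, not a PASERK
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```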