🔐 A secure alternative to JWT, using AES-256-GCM encryption and Ed25519 digital signatures for authentication and authorization.
R-Secure-Token provides a high-security approach for token generation and verification, ensuring tamper-proof and encrypted payloads.
✅ AES-256-GCM Encryption – Strong encryption for payload security.
✅ Ed25519 Signatures – Prevents forgery and tampering.
✅ Replay Attack Prevention – Unique nonce per token.
✅ JWT Alternative – Secure and stateless authentication.
✅ High Performance – Optimized for speed and security.
Install via NPM:

```bash
npm install r-secure-token
```

or with Yarn:

```bash
yarn add r-secure-token
```
Generating a token:

```javascript
import { RSecureToken } from 'r-secure-token';

(async () => {
  const tokenService = new RSecureToken();
  const payload = { data: { userId: 123 }, exp: Date.now() + 60000 }; // 1-minute expiry
  const tokenData = await tokenService.generateToken(payload);
  console.log('Token:', tokenData.token);
  console.log('Signature:', tokenData.signature);
})();
```
Verifying a token:

```javascript
import { RSecureToken } from 'r-secure-token';

(async () => {
  const tokenService = new RSecureToken();
  // receivedTokenData is a placeholder for the { token, signature } object received from the user
  const { token, signature } = receivedTokenData;
  const verifiedPayload = await tokenService.verifyToken(token, signature);
  if (verifiedPayload) {
    console.log('Valid Token:', verifiedPayload);
  } else {
    console.log('Invalid or Expired Token!');
  }
})();
```
Token generation:

- Encrypts the payload using AES-256-GCM.
- Generates a secure nonce for each token.
- Signs the encrypted token using Ed25519.

Token verification:

- Checks the Ed25519 signature for authenticity.
- Decrypts the token using AES-256-GCM.
- Validates token expiration.
| Feature | JWT (JSON Web Tokens) | R-Secure-Token |
|---|---|---|
| Encryption | ❌ No built-in encryption | ✅ AES-256-GCM |
| Signature Type | RSA / HMAC / ECDSA | ✅ Ed25519 |
| Tamper Protection | ✅ Yes | ✅ Yes |
| Readable Payload | ❌ Exposed (Base64-encoded JSON) | ✅ Encrypted |
| Replay Attack Resistance | ❌ None | ✅ Unique nonce per token |
| Verification Type | Requires shared secret (HMAC) or public-private keypair | ✅ Uses asymmetric cryptography |
`new RSecureToken()`

Creates a new instance of RSecureToken. If no secret key is provided, a random one is generated.

`generateToken(payload)`

Creates a secure, signed token.

- `payload` (object) – The data to include in the token, including an `exp` (expiration timestamp).

Returns:

```typescript
{
  token: string;     // Encrypted token
  signature: string; // Ed25519 signature
}
```

`verifyToken(token, signature)`

Verifies and decrypts the token if valid.

- `token` (string) – The encrypted token.
- `signature` (string) – The digital signature for verification.

- Valid: Returns the decrypted payload object.
- Invalid: Returns `null`.

Example Response:

```javascript
{
  data: { userId: 123 },
  exp: 1700000000000
}
```
🔹 Store Secret Keys Securely: Never hardcode them in your source code. Use environment variables or a secure key management system.
🔹 Rotate Keys Periodically: Regularly update encryption and signing keys to minimize security risks.
🔹 Use Short-Lived Tokens: Prevent token abuse by setting short expiration times (`exp`).
🔹 Avoid Token Storage in Local Storage: Instead, store tokens in HTTP-only cookies or secure storage solutions.
This project is licensed under the MIT License.
👨💻 Contributions are welcome! Feel free to submit pull requests or report issues on GitHub.
📧 Need Help? Open an issue or contact us!