Authenticated and encrypted API tokens using modern crypto.
Branca is a secure, easy-to-use token format which makes it hard to shoot yourself in the foot. It uses IETF XChaCha20-Poly1305 AEAD symmetric encryption to create encrypted, tamperproof and URL-safe tokens.
Secure by design
Easy to implement
Tamperproof
You choose the payload
Install the library with either yarn or npm. You must provide the library with a 32-byte secret key. As the name suggests, this key should be kept secret. Never commit the key to GitHub or otherwise leak it. The code below uses a JSON string as an example payload.
$ yarn add branca
$ npm install branca
const crypto = require("crypto");

// Generate a random 32-byte secret key.
const key = crypto.randomBytes(32);
const branca = require("branca")(key);

const json = JSON.stringify({
    "user" : "someone@example.com",
    "scope" : ["read", "write", "delete"]
});

const token = branca.encode(json);
const payload = branca.decode(token);

console.log(token);
console.log(JSON.parse(payload));
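The token string that `branca.encode()` returns can be inspected without the key. The following is an added example, not code from the Branca project: it decodes the base62 text and reads the cleartext header, assuming the byte layout from the Branca specification, which this page does not state. The names `inspectToken` and `sampleToken` and the sample bytes are constructed for illustration.

```javascript
// Added example. Layout assumed from the Branca specification (not on this page):
// version 0xBA (1) || timestamp, big-endian (4) || nonce (24) || ciphertext || tag (16)
const ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

function base62Decode(text) {
  let n = 0n;
  for (const ch of text) {
    const digit = ALPHABET.indexOf(ch);
    if (digit < 0) throw new Error("invalid base62 character");
    n = n * 62n + BigInt(digit);
  }
  let hex = n.toString(16);
  if (hex.length % 2) hex = "0" + hex;
  return Buffer.from(hex, "hex");
}

function base62Encode(buf) {
  let n = BigInt("0x" + buf.toString("hex"));
  let out = "";
  while (n > 0n) {
    out = ALPHABET[Number(n % 62n)] + out;
    n /= 62n;
  }
  return out;
}

// Reads the cleartext header only. Nothing here is authenticated until
// branca.decode() has verified the Poly1305 tag, so use it for triage and logging.
function inspectToken(token, maxAgeSeconds, now = Math.floor(Date.now() / 1000)) {
  const raw = base62Decode(token);
  if (raw.length < 1 + 4 + 24 + 16) throw new Error("token too short");
  if (raw[0] !== 0xba) throw new Error("unknown version byte");
  const timestamp = raw.readUInt32BE(1);
  return {
    timestamp,
    nonceHex: raw.subarray(5, 29).toString("hex"),
    ciphertextLength: raw.length - 29 - 16,
    expired: now - timestamp > maxAgeSeconds,
  };
}

// Constructed sample: filler bytes stand in for nonce, ciphertext and tag.
function sampleToken(timestamp) {
  const header = Buffer.alloc(5);
  header[0] = 0xba;
  header.writeUInt32BE(timestamp, 1);
  const filler = [Buffer.alloc(24, 1), Buffer.alloc(10, 2), Buffer.alloc(16, 3)];
  return base62Encode(Buffer.concat([header, ...filler]));
}
```

Rejecting a token on the header timestamp alone is only a cheap pre-filter; the decision to trust a token still belongs to `branca.decode()`.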
Install the library with composer. Pass the 32-byte secret key to the constructor. As the name suggests, this key should be kept secret. Never commit the key to GitHub or otherwise leak it. The code below uses a JSON string as an example payload.
$ composer require tuupola/branca
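// Load Composer's autoloader so the Branca class can be found.
require __DIR__ . "/vendor/autoload.php";

use Branca\Branca;

// Generate a random 32-byte secret key.
$key = random_bytes(32);
$branca = new Branca($key);

$json = json_encode([
    "user" => "someone@example.com",
    "scope" => ["read", "write", "delete"]
]);

$token = $branca->encode($json);
$payload = $branca->decode($token);

print_r($token);
print_r(json_decode($payload, true));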
Install the library with pip. Note that you must also have libsodium installed. Pass the 32-byte secret key to the constructor. As the name suggests, this key should be kept secret. Never commit the key to GitHub or otherwise leak it. The code below uses a JSON string as an example payload.
$ brew install libsodium
$ pip install pybranca
import json
import secrets
from branca import Branca

key = secrets.token_bytes(32)
branca = Branca(key)

string = json.dumps({
    "user" : "someone@example.com",
    "scope" : ["read", "write", "delete"]
})

token = branca.encode(string)
payload = branca.decode(token)

print(token)
print(payload)
Add the dependencies to mix.exs and install dependencies. The secret key goes to config/config.exs. As the name suggests, this key should be kept secret. Never commit the key to GitHub or otherwise leak it. The code below uses a JSON string as an example payload.
# mix.exs
...
defp deps do
  [
    {:poison, "~> 3.1"},
    {:branca, "~> 0.2.0"}
  ]
end
$ mix deps.get
# config.exs
...
config :branca, key: "supersecretkeyyoushouldnotcommit"
json = Poison.encode!(%{
  "user" => "someone@example.com",
  "scope" => ["read", "write", "delete"]
})

token = Branca.encode!(json)
payload = Branca.decode!(token)

# Print the token and the payload recovered from it.
IO.inspect(token)
IO.inspect(Poison.decode!(payload))