PASETO v4.public Basics

Understand how PASETO v4.public tokens work — Ed25519 signatures, JSON payload, optional footer — and when to choose this over v4.local or JWT.

Detailed Explanation

v4.public is the recommended modern PASETO format for signed, asymmetric tokens. The cryptography is fixed by the version: every v4.public token uses an Ed25519 signature over a JSON payload, with an optional authenticated (but never encrypted) footer. v4 also allows an optional implicit assertion: extra bytes that both sides know (for example a tenant or session identifier) that are bound into the signature but never transmitted in the token.

Wire format:

A v4.public token has the shape:

v4.public.<base64url(payload || signature)>[.<base64url(footer)>]

The middle segment, after Base64url decoding (unpadded, as the spec requires), is the UTF-8 JSON payload followed by a 64-byte Ed25519 signature. The signature is not computed over the payload alone. The signed message is the pre-authentication encoding PAE(h, m, f, i) of the header h ("v4.public." including the trailing dot), the payload m, the footer f (empty if absent) and the implicit assertion i (empty if none). PAE prefixes every piece with its length, so a forger cannot move bytes between the header, payload, and footer, strip a footer that was present at signing time, or present a token under a different implicit assertion and still have the signature verify. Nothing in this format is encrypted: anyone holding the token can decode the payload and the footer, so neither may carry secrets.

What goes in the payload:

The payload is plain JSON with the same registered claims as JWT (iss, sub, aud, exp, iat, nbf, jti), but with one notable difference: PASETO uses ISO 8601 / RFC 3339 timestamp strings ("exp": "2026-01-01T00:00:00Z") rather than Unix seconds. This makes payloads human-readable and timezone-explicit. A valid signature says nothing about these claims, so the verifier still has to parse and enforce exp, nbf and aud itself after the signature check passes.

Why public over local:

Public mode is the right choice whenever the issuer and verifier are different parties, for example an authentication service issuing tokens that downstream microservices must independently verify. The verifier only needs the public key, never the private key, so a compromised verifier cannot mint tokens. For service-to-service tokens where one process both issues and consumes, v4.local (symmetric) is more efficient because there is no asymmetric crypto to perform; v4.local also encrypts the payload, so it is the only option of the two when the claims themselves must stay confidential.

Comparison with JWT RS256/EdDSA:

A v4.public token is roughly comparable to a JWT signed with EdDSA (Ed25519). The key differences: PASETO has no algorithm-confusion attack surface, because the algorithm is fixed by the version and purpose in the header and there is no alg field for an attacker to change (the verifier should still reject any header other than the one it expects, such as a v4.local or v2.public token presented to a v4.public endpoint); the timestamp format is ISO 8601 rather than numeric; and the structure is simpler, with no nested header JSON. v4 implementations exist for Rust, Go, Node, Python, and PHP.

Use Case

An identity provider issues v4.public tokens to user sessions, and downstream API services verify them with the issuer's published Ed25519 public key. Only the identity provider holds the private key, so there is no shared secret that a verifying service could leak.
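The wire format and PAE construction described above, the claim checks a verifier must perform, and the issuer/verifier split from this use case, worked through as an added example. This is illustrative code written for this page, not the PASETO reference implementation or any library's API; it uses only Go's standard library (crypto/ed25519, encoding/base64 with unpadded base64url). The Claims struct, the CheckClaims policy of requiring exp, and the key and claim values used in the usage notes are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

const v4PublicHeader = "v4.public." // version+purpose; the trailing dot is part of the PAE input
var b64 = base64.RawURLEncoding     // base64url without padding, as the spec requires

// pae is PASETO's Pre-Authentication Encoding: piece count, then each piece length-prefixed,
// all as 64-bit little-endian integers. The prefixes stop bytes moving between pieces.
func pae(pieces ...[]byte) []byte {
	var out bytes.Buffer
	var n [8]byte
	binary.LittleEndian.PutUint64(n[:], uint64(len(pieces)))
	out.Write(n[:])
	for _, p := range pieces {
		binary.LittleEndian.PutUint64(n[:], uint64(len(p)))
		out.Write(n[:])
		out.Write(p)
	}
	return out.Bytes()
}

// SignV4Public signs a JSON payload with an optional footer (sent in the clear) and an
// optional implicit assertion (authenticated but never transmitted).
func SignV4Public(priv ed25519.PrivateKey, payload, footer, implicit []byte) string {
	sig := ed25519.Sign(priv, pae([]byte(v4PublicHeader), payload, footer, implicit))
	body := append(append([]byte{}, payload...), sig...) // payload || 64-byte signature
	token := v4PublicHeader + b64.EncodeToString(body)
	if len(footer) > 0 {
		token += "." + b64.EncodeToString(footer)
	}
	return token
}

// VerifyV4Public checks the header, splits the token, rebuilds the PAE input from the
// transmitted footer plus the caller's implicit assertion, and verifies the trailing signature.
func VerifyV4Public(pub ed25519.PublicKey, token string, implicit []byte) (payload, footer []byte, err error) {
	if !strings.HasPrefix(token, v4PublicHeader) {
		return nil, nil, errors.New("unexpected version or purpose")
	}
	parts := strings.Split(token[len(v4PublicHeader):], ".")
	body, err := b64.DecodeString(parts[0])
	if err != nil || len(parts) > 2 || len(body) < ed25519.SignatureSize {
		return nil, nil, errors.New("malformed token")
	}
	if len(parts) == 2 {
		if footer, err = b64.DecodeString(parts[1]); err != nil {
			return nil, nil, errors.New("malformed footer")
		}
	}
	cut := len(body) - ed25519.SignatureSize
	payload, sig := body[:cut], body[cut:]
	if !ed25519.Verify(pub, pae([]byte(v4PublicHeader), payload, footer, implicit), sig) {
		return nil, nil, errors.New("invalid signature")
	}
	return payload, footer, nil
}

// Claims holds the registered PASETO claims this example checks; timestamps are RFC 3339 strings.
type Claims struct {
	Iss string `json:"iss,omitempty"`
	Sub string `json:"sub,omitempty"`
	Aud string `json:"aud,omitempty"`
	Exp string `json:"exp,omitempty"`
	Nbf string `json:"nbf,omitempty"`
}

// CheckClaims enforces aud, exp and nbf against now on an already verified payload.
// Requiring exp is this example's policy (assumption); the format itself does not force it.
func CheckClaims(payload []byte, now time.Time, wantAud string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	exp, err := time.Parse(time.RFC3339, c.Exp) // an absent exp fails to parse and is rejected
	switch {
	case c.Aud != wantAud:
		return c, errors.New("audience mismatch")
	case err != nil || !now.Before(exp):
		return c, errors.New("exp missing, unparsable or in the past")
	}
	if c.Nbf != "" {
		if nbf, err := time.Parse(time.RFC3339, c.Nbf); err != nil || now.Before(nbf) {
			return c, errors.New("token not yet valid")
		}
	}
	return c, nil
}
```

Usage: the issuer calls SignV4Public with its private key, a JSON-encoded Claims value and, for example, a footer such as {"kid":"2026-01"} naming the signing key; each downstream service calls VerifyV4Public with the published public key and only then CheckClaims with its own audience and the current time. Two checks worth trying against this code: removing the footer segment from a token that was signed with one makes VerifyV4Public fail, and so does supplying a different implicit assertion, because both are inside the PAE input that was signed.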
