PASETO vs JWT vs Branca — Token Format Comparison
Compare PASETO, JWT, and Branca token formats by structure, cryptography, ecosystem maturity, and the use cases each one fits best.
Detailed Explanation
JWT, PASETO, and Branca are three widely compared self-contained bearer-token formats: the token carries its own protected content (a claims set, or arbitrary bytes in Branca's case) rather than being an opaque handle that the server looks up. Each makes different trade-offs.
JWT (RFC 7519):
The incumbent. A JSON header and a JSON payload, each Base64url-encoded, signed (JWS) or encrypted (JWE) with an algorithm from the JOSE family. Massive ecosystem support: every major auth vendor speaks it, OIDC requires it for ID tokens, and the OAuth 2.0 world has standardized on it for access tokens and client assertions (RFC 9068, RFC 7523), although a plain OAuth 2.0 access token may still be an opaque string. Downsides: the per-token alg header has been a persistent source of vulnerabilities, including alg=none acceptance, RS256-to-HS256 key confusion (a verifier that feeds the RSA public key into HMAC because the token said so), and libraries that let the token pick its own verification path; the JWS/JWE family is also large and confusing. A signed (JWS) JWT is integrity-protected only: anyone holding the token can read its claims.
PASETO:
A reaction to JWT's footguns. Each protocol version fixes its cipher suite, so there is no algorithm negotiation: v4 uses XChaCha20 with a BLAKE2b MAC for local tokens and Ed25519 for public tokens, v3 uses AES-256-CTR with HMAC-SHA384 and ECDSA over P-384 (v1 and v2 are deprecated). The two purposes are local (symmetric authenticated encryption) and public (asymmetric signature; the payload is readable, not encrypted). Claims use ISO 8601 timestamps (exp, iat, nbf); an optional footer is authenticated but not encrypted, so it is the place for a key ID and never for a secret; v3 and v4 add optional implicit assertions, which are authenticated but never transmitted. Smaller ecosystem than JWT but solid library support in major languages. Recommended default for greenfield internal systems.
Branca:
The most opinionated and minimal of the three. A Branca token is always encrypted with XChaCha20-Poly1305 (the IETF construction with a 24-byte nonce) and always has the same layout: a one-byte version (0xBA), a 4-byte big-endian Unix timestamp, the 24-byte nonce, the ciphertext, and the 16-byte Poly1305 tag, with the 29-byte header authenticated as associated data so it cannot be altered without invalidating the tag. The whole token is encoded as Base62 (treated as one big integer) rather than Base64, which keeps it alphanumeric and therefore safe in URLs and cookies without escaping. The payload is opaque bytes: Branca makes no claim about JSON or any structure inside it. The timestamp records creation time, not expiry; the verifier supplies a TTL at decode time and rejects tokens older than that. Tiny libraries, very simple to audit.
Side-by-side:
| Aspect | JWT | PASETO | Branca |
|---|---|---|---|
| Symmetric mode | JWS with HMAC (HS256/384/512; integrity only) or JWE with a shared key | v*.local (authenticated encryption) | Built-in XChaCha20-Poly1305 (only mode) |
| Asymmetric mode | JWS with RSA, ECDSA or EdDSA signatures; JWE with public-key key wrapping | v*.public (signature only; payload readable) | None |
| Algorithm choice | Per-token alg header | Per-version | Fixed |
| Payload format | JSON claims set | JSON object | Opaque bytes |
| Encoding | Base64url (unpadded) | Base64url (unpadded) | Base62 |
| Timestamp built-in | No (exp/iat/nbf claims, seconds since the epoch) | No (exp/iat/nbf claims, ISO 8601 strings) | Yes (4-byte creation time; expiry is a TTL supplied at decode) |
| Standardization | RFC 7519 (with JWS RFC 7515 and JWE RFC 7516) | Spec on GitHub (paseto-standard) | Spec on GitHub |
When to use each:
- JWT — when you must integrate with OAuth 2.0, OIDC, or identity vendors that require it.
- PASETO — when you control both ends and want JWT-like ergonomics without JWT's footguns. Good for service-to-service tokens.
- Branca — when you want the simplest possible encrypted bearer-token format and you're comfortable defining your own payload schema. Great for cookies, opaque session tokens, single-trust-domain systems.
You can also mix: PASETO at the user-facing edge, Branca for internal session cookies, JWT to talk to third-party identity providers.
Use Case
A team evaluates token formats for a new internal API mesh and chooses PASETO v4 for inter-service tokens, retains JWT at the OAuth boundary, and uses Branca for opaque session cookies — each format playing to its strengths.