Branca is a secure easy to use token format which makes it hard to shoot yourself in the foot. It uses IETF XChaCha20-Poly1305 AEAD symmetric encryption to create encrypted and tamperproof tokens. Payload itself is an arbitrary sequence of bytes. You can use for example a JSON object, plain text string or even binary data serialized by MessagePack or Protocol Buffers. It is possible to use Branca as an alternative to JWT.
Install the library using Yarn or npm.
$ yarn add branca
$ npm install branca
The token is encrypted using a 32 byte secret key. As the name implies this key should be kept a secret. Do not commit it to version control nor make it publicly available.
You can pass the secret key either as an instance of Buffer or a hex encoded string.
const key = crypto.randomBytes(32);
const branca = require("branca")(key);
const key = "7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5";
const branca = require("branca")(key);
While technically possible, you should not use human readable strings as the secret key. Instead always generate the key using cryptographically secure random bytes. You can do this, for example, from commandline with Node.js itself or openssl.
$ node
Welcome to Node.js v16.2.0.
Type ".help" for more information.
> crypto.randomBytes(32).toString("hex")
'46cad3699da5766c45e80edfbf19dd2debc311e0c9046a80e791597442b2daf0'
$ openssl rand -hex 32
29f7d3a263bd6fcfe716865cbdb00b7a317d1993b8b7a3a5bae6192fbe0ace65
To keep things simple, rest of the examples generate the secret key on the fly. In real life the application would load the secret key from external key store. External here meaning outside of the application code. How to store and load secret keys in beyond the scope of this library.
Token payload can be any arbitrary data such as a string containing an email address.
/* 32 byte secret key */
const crypto = require("crypto");
const key = crypto.randomBytes(32);
const branca = require("branca")(key);
const token = branca.encode("tuupola@appelsiini.net");
console.log(token);
/*
n8EWZ6msHPjbUPLfezL7g00RBNDvHZ37Or4aGeIWqPjUj0Sht41dasPgQgmEl3UsV4JKS4kZtEiZ6V54JYtYJRhtH8
*/
const payload = branca.decode(token);
console.log(payload.toString());
/* tuupola@appelsiini.net */
Sometimes you might prefer JSON.
/* 32 byte secret key */
const crypto = require("crypto");
const key = crypto.randomBytes(32);
const branca = require("branca")(key);
const json = JSON.stringify({"scope": ["read", "write", "delete"]});
const token = branca.encode(json);
console.log(token);
/*
5R9kHEyH57WbQhy0Ba3NwPYu0pFlAv45jOIsmUdvHs0HAVX3CzNw90DtXs60UwjwfYopZ1NvO11GkEQTjumMIZYuCcawnoztFsexGlHoFKGX
*/
const payload = JSON.parse(branca.decode(token));
console.log(payload);
/* { scope: [ 'read', 'write', 'delete' ] } */
You can keep the token size small by using a space efficient serialization method such as MessagePack or Protocol Buffers.
/* 32 byte secret key */
const crypto = require("crypto");
const key = crypto.randomBytes(32);
const branca = require("branca")(key);
const msgpack = require("msgpack5")();
const packed = msgpack.encode({"scope": ["read", "write", "delete"]});
const token = branca.encode(packed);
console.log(token);
/*
2EZpow8Nwk6Z9UxMel3kzFUe5boHV480zwkZDp6hNgaatnOCt4YbqgCRICKnm7IfJgxzQpT9eYdrTzyb
*/
const binary = branca.decode(token);
const payload = msgpack.decode(Buffer.from(binary));
console.log(payload);
/* { scope: [ 'read', 'write', 'delete' ] } */
You can run tests manually with the following command.
$ node test.js
Please see CONTRIBUTING for details.
If you discover any security related issues, please email tuupola@appelsiini.net instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.
FAQs
Authenticated and encrypted API tokens using modern crypto
The npm package branca receives a total of 413 weekly downloads. As such, branca popularity was classified as not popular.
We found that branca demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Newly introduced telemetry in devenv 1.4 sparked a backlash over privacy concerns, leading to the removal of its AI-powered feature after strong community pushback.
Security News
TC39 met in Seattle and advanced 9 JavaScript proposals, including three to Stage 4, introducing new features and enhancements for a future ECMAScript release.
Security News
Deno 2.2 enhances Node.js compatibility, improves dependency management, adds OpenTelemetry support, and expands linting and task automation for developers.