paseto VS paseto-spec

Might I suggest Paseto (https://paseto.io/) - it solves a lot of the headaches of JWT. Signing and encryption are two different things that require two different sets of keys, so you can't mess it up.

(Full disclosure, I've written one implementation: https://github.com/auth70/paseto-ts)

Though we'll be building a session-based authentication system, it's noteworthy that with the introduction of some concepts which will be discussed in due time, you can turn it into JWT- or, more securely and appropriately, PASETO-based authentication system.

Time we ditch it and use paseto

The PASETO web site goes over it. Mostly it's designed to make you do things the right way and avoid all the security holes you can fall into with JWT.

If this is too much to handle, you shouldn't have to! There's already solutions that handle it for you

Another signcryption scheme as described in the article is also implemented by the libsodium author as an extension:

https://github.com/jedisct1/libsodium-signcryption

It's unclear from the article if this is the same algorithm age uses.

Signcryption schemes are also a good candidate algorithm for replacing JWTs and PASETO as they suffer from no algorithm confusion, and don't need what PASETO calls "Algorithm Lucidity" and serve both plaintext authentication, authenticated encryption, sender receiver verification, and shared key generation that can be used for unlimited encrypted streaming, for example with libsodium's crypto_secretstream API.

https://doc.libsodium.org/secret-key_cryptography/secretstre...

https://github.com/paseto-standard/paseto-spec/blob/master/d...

The rationale for V3/V4 may be of particular interest for this forum.

Whether you're curious or skeptical, we believe in transparency, so the detailed rationale for these exact changes in V3/V4 is available here.