{"id":37122883,"url":"https://github.com/ericchiang/go-past","last_synced_at":"2026-01-14T14:12:05.876Z","repository":{"id":145909975,"uuid":"116344186","full_name":"ericchiang/go-past","owner":"ericchiang","description":"Go implementation of Platform-Agnostic Security Tokens","archived":true,"fork":false,"pushed_at":"2018-01-05T18:10:32.000Z","size":15,"stargazers_count":22,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-03-23T04:58:03.620Z","etag":null,"topics":["go","golang","jwt"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ericchiang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-05T05:03:37.000Z","updated_at":"2024-06-19T09:09:20.568Z","dependencies_parsed_at":null,"dependency_job_id":"6d18dcad-f261-441a-b227-4d220e02be0d","html_url":"https://github.com/ericchiang/go-past","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"purl":"pkg:github/ericchiang/go-past","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericchiang%2Fgo-past","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericchiang%2Fgo-past/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericchiang%2Fgo-past/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericchiang%2Fgo-past/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ericchiang","download_url":"https://codeload.github.com/ericchiang/go-past/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericchiang%2Fgo-past/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28422408,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T13:30:50.153Z","status":"ssl_error","status_checked_at":"2026-01-14T13:29:08.907Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","jwt"],"created_at":"2026-01-14T14:12:05.294Z","updated_at":"2026-01-14T14:12:05.868Z","avatar_url":"https://github.com/ericchiang.png","language":"Go","readme":"# go-past\n\n[![GoDoc](https://godoc.org/github.com/ericchiang/go-past/past?status.svg)](https://godoc.org/github.com/ericchiang/go-past/past)\n[![Build Status](https://travis-ci.org/ericchiang/go-past.svg?branch=master)](https://travis-ci.org/ericchiang/go-past)\n\nA Go implementation of [Platform-Agnostic Security Tokens (PAST)][past], [_\"a secure alternative to JWT.\"_][hacker-news]\n\n## Warning\n\nThis package still needs to be check for conformance against the original PHP implementaiton.\n\nThis package may change in the future, hasn't been audited, isn't thoroughly tested, and hasn't been fuzzed. Proceed with caution.\n\n## PAST\n\nPAST is a JWT alternative for authenticating, signing, and encrypting payloads into URL frendly tokens. As opposed to JWTs which require parsing a complex header to determine the signature algorithm, PAST token headers only hold a version and an operation. For example the following token uses PAST `v2` to authenticate (`auth`) a message.\n\n```\nv2.auth.ewogICJkYXRhIjogInRoaXMgaXMgYW4gYXV0aGVudGljYXRlZCBtZXNzYWdlIiwKICAiZXhwIjogIjIwMzktMDEtMDFUMDA6MDA6MDAiCn3OF39sdzCcOyUiVSSQwRfGoauVG5Xt9eZc45k31wdxjA\n```\n\n`v2.auth.` indicates that this token is authenticated with a symmetric key using HMAC-SHA512. The payload is a plain text and a MAC.\n\nThe map of versions and operations to algorithms can be found here: https://github.com/paragonie/past/tree/master/docs/01-Protocol-Versions\n\n## Usage\n\nGiven a symmetric key and a payload, a user can construct an authenticated message encoded as a PAST token.\n\n```go\nkey, err := past.NewKey()\nif err != nil {\n    // Handle error\n}\n\npayload := []byte(`{\n  \"data\": \"this is an authenticated message\",\n  \"exp\": \"2039-01-01T00:00:00\"\n}`)\n\ntoken, err := past.V2.Auth(key, payload)\nif err != nil {\n    // Handle error\n}\nfmt.Printf(\"%x\\n\", key)\nfmt.Println(token)\n```\n\nThe program above prints the generated authentication key and the PAST token.\n\n```\ne0ea39822d1b9fa67da2c63dd51b47892f66a1e80d14a40fb3d96dc0ab839fbd\nv2.auth.ewogICJkYXRhIjogInRoaXMgaXMgYW4gYXV0aGVudGljYXRlZCBtZXNzYWdlIiwKICAiZXhwIjogIjIwMzktMDEtMDFUMDA6MDA6MDAiCn3OF39sdzCcOyUiVSSQwRfGoauVG5Xt9eZc45k31wdxjA\n```\n\nThe key can be used at a later time to verify the token.\n\n```\nkey, _ := hex.DecodeString(\"e0ea39822d1b9fa67da2c63dd51b47892f66a1e80d14a40fb3d96dc0ab839fbd\")\n\ntoken := \"v2.auth.ewogICJkYXRhIjogInRoaXMgaXMgYW4gYXV0aGVudGljYXRlZCBtZXNzYWdlIiwKICAiZXhwIjogIjIwMzktMDEtMDFUMDA6MDA6MDAiCn3OF39sdzCcOyUiVSSQwRfGoauVG5Xt9eZc45k31wdxjA\"\n\npayload, err := past.V2.AuthVerify(key, token)\nif err != nil {\n    // Handle error\n}\nfmt.Printf(\"%s\\n\", payload)\n```\n\nThe program above prints the original payload.\n\n```\n{\n  \"data\": \"this is an authenticated message\",\n  \"exp\": \"2039-01-01T00:00:00\"\n}\n```\n\nThe package also supports signing with an asymmetric key and encrypted authentication with a symmetric key.\n\n## Missing features\n\nThis implementation is missing the following features:\n\n* `v1.sign` (RSASSA-PSS) - PAST requires specifying the mask length, which Go doesn't expose directly\n* `v2.enc` (XChaCha20-Poly1305) - no XChaCha20 implementation in golang.org/x/crypto (only straight ChaCha20)\n* Footer data\n\n## Implementer experience report\n\nCurrently, PAST is more of a [documented PHP library than a specification][past-9]. Many of the implementation details require reading the source code, while certain aspects are extremely PHP specific (for example the [pre-authentication encoding (PAE)][pae] just describes performing PHP's [`pack('P', n)`][pack]).\n\nAspects of PAST can be complex at times. `v1.enc`'s use of HKDF to derive keys and the pre-authentication encoding seralization are good examples of this. Though PAST is more straight forward than a JWT, cookbooks like [`gtank/cryptopasta`][cryptopasta] might also be of interest for users looking for simpler strategies.\n\n[past]: https://github.com/paragonie/past\n[past-9]: https://github.com/paragonie/past/issues/9#issuecomment-355487843\n[hacker-news]: https://news.ycombinator.com/item?id=16070394\n[pae]: https://github.com/paragonie/past/blob/v0.2.0/docs/01-Protocol-Versions/Common.md#pae-definition\n[pack]: https://secure.php.net/manual/en/function.pack.php\n[cryptopasta]: https://github.com/gtank/cryptopasta\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericchiang%2Fgo-past","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fericchiang%2Fgo-past","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericchiang%2Fgo-past/lists"}