You've completely missed my point. I don't even accept the premise of the JWT standard. But the eventual migration to safer default settings, in a format that continues to expend implementation effort to support settings nobody should use, is in fact a practical engineering problem with the standard.

▲

ForHackernews 4 hours ago | parent [-]

And they've published updates[0] and libraries have hardened their defaults and removed support for insecure values (e.g. alg='none'). I'm not sure what more you want?

I'd rather use a refined, battle-tested standard with lots of eyes on it than some new untested contender produced by a handful of upstarts ("look, we just designed it right from the beginning! This time it's perfect!") PASETO reeks of second-system syndrome.

[0] https://www.rfc-editor.org/info/rfc8725/

▲

tptacek 3 hours ago | parent [-]

I don't recommend PASETO either.

▲

doc_ick 2 hours ago | parent [-]

What do you recommend then? What technology has been designed, completed, then used for years without any updates or problems?

	▲	kasey_junk an hour ago \| parent \| next [-]
		Bearer tokens are a dead end? You have to validate them anyway so traditional auth is the fallback.
	▲	tptacek an hour ago \| parent \| prev [-]
		https://fly.io/blog/api-tokens-a-tedious-survey/ tl;dr: most of the time you should use opaque random strings.