Expand description
Amora is a secure token inspired by JWT and Branca, but enhanced a bit in some areas.
Key features:
- Can contain any type of payload: JSON, msgpack, cbor and so on…
- Always encrypted and authenticated using XChaCha20-Poly1305 algorithm.
- There are two versions of Amora:
- Amora zero: encrypted with a 32-byte symmetric key.
- Amora one: encrypted with a 32-byte asymmetric key.
- Encoded using url-safe base64.
- Always contain token generation time and TTL.
§Amora structure
- header (4 bytes for Amora zero; 36 bytes for Amora one):
- version marker: 0xa0 or 0xa1 (1 byte)
- TTL (3 bytes; little-endian)
- randomly generated public key (32 bytes; Amora one only)
- nonce (24 bytes)
- token generation time (first 4 bytes; little-endian)
- randomly generated 20 bytes
- payload (any length)
- message authentication code (4 bytes)
§Token generation time (TGT) + TTL
TGT is an unsigned 32-bit int. It’s a number of seconds starting from the Unix epoch on January 1, 1970 UTC. This means that Amora tokens will work correctly until the year 2106.
TTL is an unsigned 24-bits int. It means that each token can be valid for a maximum of 194 days.
§Asymmetric encryption
The shared key is computed using the X25519 function. It requires two pairs of priv/pub keys. The first pair must be known. The second pair is randomly generated for each token.