authia 0.3.4

High-performance JWT verification library for Ed25519 using WebAssembly
# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in authia, please report it by emailing the maintainers directly. **Do not open a public issue.**

### What to Include

When reporting a vulnerability, please include:

1. A description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact
4. Any suggested fixes (if applicable)

### Response Time

- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a detailed response within 7 days
- We will work on a fix and release a patch as soon as possible

## Security Considerations

### Algorithm Fixed to Ed25519

authia only supports Ed25519 signatures. This prevents algorithm confusion attacks where an attacker might try to use a different algorithm (e.g., "none" or "HS256") to bypass signature verification.

### No Dynamic Algorithm Selection

The library does not trust the `alg` field in the JWT header. It always verifies using Ed25519, regardless of what the token claims.

### Strict Claim Validation

All required claims (`iss`, `aud`, `exp`, `iat`, `type`) are validated. Missing or invalid claims result in verification failure.

### Constant-Time Operations

The ed25519-dalek library used for signature verification implements constant-time operations to prevent timing attacks.

## Best Practices

When using authia in your application:

1. **Store keys securely**: Never commit private keys to version control
2. **Use environment variables**: Store public keys in environment variables
3. **Validate all claims**: Always specify issuer and audience in verification options
4. **Handle errors properly**: Check error codes and respond appropriately
5. **Keep dependencies updated**: Regularly update authia and its dependencies
6. **Use HTTPS**: Always transmit JWTs over secure connections
7. **Implement token rotation**: Use refresh tokens and implement token versioning

## Known Limitations

- authia only verifies tokens; it does not issue them
- Only Ed25519 algorithm is supported (by design)
- Token revocation must be implemented at the application level