How can I use my own secret in V4

[oSethoum]

Hi, am new to paseto and I have been using jwt for a while, am switching to paseto for the reason that the claims are encrypted ( if i got it right ), am stuck in finding a way to use V4Symmetric encryption with my own secret also How can I verify it and extract the claims?

[oSethoum]

found it, it's really easy and straight forward
UPDATE: not an answer

package main

import (
	"fmt"
	"time"

	"aidanwoods.dev/go-paseto"
)

func main() {
       // producing token
        token := paseto.NewToken()
	token.SetExpiration(time.Now().Add(time.Hour * 12))
	token.SetString("access", "products:view-many")
        key := paseto.NewV4SymmetricKey()
        t := token.V4Encrypt(key, []byte("secret"))

       // validating token
       vtoken, err := paseto.NewParser().ParseV4Local(key, t, []byte("secret"))
      if err != nil {
            panic(err)
      } else {
           println(vtoken.GetString("access"))
     }
}

[aidantwoods]

Just make sure to save the key somewhere for later use if using NewV4SymmetricKey (which generates a new key each time) 🙂

[aidantwoods]

The place you've currently put []byte("secret") isn't the key that'll be used for encryption, rather it's the "implicit string" feature of PASETO.

If you're wanting to use your own bytes, the constructor you want is V4SymmetricKeyFromBytes for the symmetric key. Though make sure that the source bytes are 32 random bytes (and not just a password like string).

Going back to the implicit feature: this is mainly intended for domain separation (e.g. if you use the same key for multiple different things, you can make sure that tokens used for different things can't be mixed up by setting a different implicit string).

The implicit string can be secret, but it doesn't have to be. It's not filling the same role as the key 🙂

[oSethoum]

@aidantwoods Thanks a lot for the kind answer.