Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Paseto Laravel Package

paragonie/paseto

Reference PHP implementation of PASETO security tokens (v3/v4): safer alternative to JWT/JWE/JWS with modern crypto. Supports local and public tokens, includes PASERK integration for key serialization/wrapping, and works with Sodium (or sodium_compat).

Platform-Agnostic Security Tokens

Frequently asked questions about Paseto
How do I replace JWT in Laravel Sanctum with PASETO?
Extend Sanctum’s `PersonalAccessToken` model to use PASETO’s `Paseto` class for token creation and validation. Override the `createToken` method to generate v4.local tokens with your encryption key from `config/encryption.php`. Ensure your API middleware checks tokens via a custom guard or by validating the PASETO signature before processing requests.
Does PASETO work with Laravel Passport for OAuth2?
Yes, but you’ll need to customize Passport’s `TokenRepository` to issue PASETO tokens instead of JWTs. Replace the `createAccessToken` method to use `Paseto::local()` or `Paseto::public()` with your configured keys. Store tokens in the `oauth_access_tokens` table as strings, and validate them using PASETO’s built-in methods in your auth middleware.
What Laravel versions support paragonie/paseto?
PASETO v3/v4 works with Laravel 8.x+ (PHP 8.1+) and Laravel 9.x+. For older Laravel versions (7.x), use PASETO v2, but note it requires PHP 7.1+. Always test in staging first, as some Laravel auth packages may need minor adjustments for token parsing or validation logic.
How do I handle key rotation for PASETO in Laravel?
Use PASETO’s `KeyRing` class to manage multiple keys during rotation. Store keys in `config/encryption.php` or a secure secrets manager. During migration, ensure overlapping keys are active to validate tokens signed with either key. For Laravel Sanctum, update the token generation logic to include the new key in the `KeyRing` before issuing tokens.
Can I use PASETO for session storage in Laravel?
Yes, PASETO’s v4.local tokens are ideal for encrypted session storage. Store tokens in the database (e.g., `sessions` table) or cache (Redis) as strings. Use `Paseto::local()->decrypt()` to validate and decode tokens when accessing session data. For Laravel’s built-in session driver, extend the `SessionGuard` to handle PASETO tokens.
What’s the performance impact of PASETO vs. JWT in Laravel?
PASETO v4 tokens (Sodium-based) are slightly slower than JWTs due to cryptographic overhead, but the difference is negligible for most APIs. Benchmark your specific use case, especially if using `sodium_compat` (adds ~100KB). For high-traffic APIs, cache parsed tokens in Redis to reduce validation latency during requests.
How do I migrate from JWT to PASETO in a Laravel app?
Start by replacing token issuance in a single endpoint (e.g., `/api/login`) using feature flags (`config('auth.use_paseto', false)`). Update Sanctum/Passport to dual-write tokens during migration, then gradually phase out JWT support. Use Laravel’s `config('auth.guards.api.driver')` to toggle between JWT and PASETO validation in middleware.
Are there Laravel-specific validation rules for PASETO tokens?
Yes, create a custom `PasetoValidator` class extending Laravel’s `Validator` to check token signatures, expiration, and footers. Register it in `AppServiceProvider` and use it in your API routes or form requests. For Sanctum, extend the `HasApiTokens` trait to include PASETO validation logic in the `validatePersonalAccessToken` method.
Can I use PASETO for API keys or service accounts in Laravel?
Absolutely. Generate v4.public tokens for stateless API keys (no encryption needed) or v4.local tokens for encrypted service accounts. Store keys in `config/services.php` or a secrets manager. Validate tokens in middleware using `Paseto::public()->verify()` or `Paseto::local()->decrypt()`, then attach the decoded payload to the request for authorization checks.
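As an added example (not code from the page or from the paragonie/paseto project), the issue-and-validate flow for an encrypted service-account token, written against the package's documented `Builder` and `Parser` classes rather than the shorthand named above. The audience string `internal-api`, the service id `billing-worker` and the 15-minute lifetime are constructed values; in a Laravel app the key would come from config or a secrets manager instead of being generated inline.

```php
<?php
declare(strict_types=1);

require 'vendor/autoload.php'; // paragonie/paseto installed via Composer

use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Exception\PasetoException;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Parser;
use ParagonIE\Paseto\ProtocolCollection;
use ParagonIE\Paseto\Protocol\Version4;
use ParagonIE\Paseto\Purpose;
use ParagonIE\Paseto\Rules\ForAudience;
use ParagonIE\Paseto\Rules\ValidAt;

/** Issue a short-lived v4.local token identifying a service account. */
function issueServiceToken(SymmetricKey $key, string $serviceId, array $scopes): string
{
    return (new Builder())
        ->setKey($key)
        ->setVersion(new Version4())
        ->setPurpose(Purpose::local())
        ->setIssuedAt()
        ->setNotBefore()
        ->setExpiration((new DateTimeImmutable())->add(new DateInterval('PT15M'))) // constructed lifetime
        ->setAudience('internal-api') // constructed audience value
        ->setSubject($serviceId)
        ->set('scopes', $scopes)
        ->toString();
}

/** Decrypt and validate; returns the claims, or null when the token must be rejected. */
function verifyServiceToken(SymmetricKey $key, string $token): ?array
{
    // Pin the accepted protocol to v4 so a downgraded token header is refused.
    $parser = Parser::getLocal($key, ProtocolCollection::v4())
        ->addRule(new ValidAt())                  // enforces exp / nbf / iat against "now"
        ->addRule(new ForAudience('internal-api')); // token must be meant for this API
    try {
        return $parser->parse($token)->getClaims();
    } catch (PasetoException $e) {
        return null; // expired, wrong audience, wrong key, or tampered ciphertext
    }
}

// Demo key generated inline; a real app loads it from config or a secrets manager.
$key = SymmetricKey::generate(new Version4());
$token = issueServiceToken($key, 'billing-worker', ['invoices:read']);
var_dump(verifyServiceToken($key, $token)['sub']); // string "billing-worker"
// The same token under a different key fails closed instead of leaking claims.
var_dump(verifyServiceToken(SymmetricKey::generate(new Version4()), $token)); // NULL
```

In middleware, the non-null claims array is what you would attach to the request for authorization checks; a null result means respond 401 without inspecting the payload.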
What alternatives exist if PASETO isn’t suitable for my Laravel app?
For JWT alternatives, consider `lcobucci/jwt` (with strict validation) or `firebase/php-jwt` (but avoid due to known vulnerabilities). For encrypted tokens, `defuse/php-encryption` offers AES-256 but lacks PASETO’s modern crypto standards. If you need compliance with existing systems, stick with JWT but enforce short-lived tokens and use PASETO only for new projects.