#jwt #security #quic #token #auth-token


Empowering secure digital interactions with robust binary token management and dynamic rolling keys

11 stable releases

1.2.2 Mar 8, 2024
1.2.1 Jan 2, 2024
1.1.1 Nov 25, 2023
1.0.5 Oct 17, 2023

#220 in Cryptography

Download history 24/week @ 2024-01-30 62/week @ 2024-02-06 171/week @ 2024-02-13 39/week @ 2024-02-20 13/week @ 2024-02-27 119/week @ 2024-03-05 15/week @ 2024-03-12 40/week @ 2024-04-02

406 downloads per month

MIT OR BSD-3-Clause

986 lines

Bitwark   Build Status Latest Version bitwark: rustc 1.65+

Provides robust security for Rust applications through compact binary tokens and automated cryptographic defenses.

πŸš€ Introduction

Bitwark implements binary JSON Web Tokens as a bandwidth-efficient alternative to standard JWTs, while integrating automated key rotation and salting to dynamically strengthen cryptographic protections.

πŸ” Key Features:

  • Binary Signed Payload: Compact binary encoding of signed payload (similar to JWT)
  • Default Cryptography: Bitwark by default uses EdDSA for signing and verifying with SHA3-384 (EdDSA_SHA3-384).
  • Rotation: Easily rotate keys and salts, ensuring your application adapts to the dynamic security landscape.
  • Salting: Random data injection to increase entropy and slow brute force attacks.
  • Lightweight: Minimal overhead, ensuring optimal performance even in high-throughput scenarios.

πŸ› οΈ Getting Started

Embark on a secure journey with Bitwark by leveraging the following functionality in your Rust applications:

Signed Payload decoded as binary (alternative to JWT)

use bitwark::{
use serde::{Serialize, Deserialize};
use chrono::Duration;

#[derive(Serialize, Deserialize)]
pub struct Claims {
    pub permissions: Vec<String>,

// Generate an EdDSA key pair and salt with a validity period
let exp_key = AutoExpiring::<EdDsaKey>::generate(

let exp_salt = AutoExpiring::<Salt64>::generate(

// Instantiate a token with specified claims.
let claims = Claims { 
    permissions: vec![

let token = ExpiringSigned::<Claims>::new(
    Duration::seconds(120), claims

// Create a binary encoding of the token, signed with key and salt.
let signed_token_bytes = token.encode_and_sign_salted(
    &exp_salt, &*exp_key
).expect("Failed to sign token");

// Decode the token and verify its signature and validity.
let decoded_token = ExpiringSigned::<Claims>::decode_and_verify_salted(
    &signed_token_bytes, &exp_salt, &*exp_key
).expect("Failed to decode a token");

    "Failed to find 2 permissions"

Key Rotation

use bitwark::{payload::SignedPayload, keys::ed::EdDsaKey, keys::CryptoKey, Generator};
use chrono::Duration;

// creating a key
let key = EdDsaKey::generate()?;

// Rotating key
let mut expiring_key = Expiring<EdDsaKey>::new(Duration::seconds(10), key);
if expiring_key.has_expired() {

// Creating a payload
let payload = SignedPayload::<String>::new("A signed message".to_string());

// Encode the payload with signature based on the expiring key
let signed_payload_bytes = payload.encode_and_sign(&expiring_key)?;

// Decode the signed payload with verifying signature with payload's integrity
let decoded_payload = SignedPayload::<String>::decode_and_verify(&signed_payload_bytes, &expiring_key)?;
assert_eq!(*decoded_payload, *payload);

Salt Example

use bitwark::{
    Rotation, Generator
use bitwark::payload::SignedPayload;
use chrono::Duration;

// Make a new salt.
let salt = Salt64::generate().unwrap();

// Make a salt that lasts for 10 seconds.
let mut expiring_salt = AutoExpiring::<Salt64>::new(
    Duration::seconds(10), salt

// Change the salt if it's too old.
if expiring_salt.has_expired() {
        .expect("Salt rotation failed.");

// Make a key that lasts for 120 seconds.
let key = AutoExpiring::<EdDsaKey>::generate(

// Make a payload for signing
let payload = SignedPayload::<String>::new(
    "Hello, world!".to_string()

// Combine message and signature into one piece.
let signature_bytes = payload.encode_and_sign_salted(
    &expiring_salt, &*key
).expect("Failed to encode");

// Separate message and signature, verifying validity.
let decoded_result = 
        &signature_bytes, &expiring_salt, &*key


πŸ’‘ Motivation

In an era where data security is paramount, Bitwark aims to offer developers a toolbox for crafting secure digital interactions without compromising on performance or ease of use. Lightweight binary JWT tokens minimize bandwidth usage, while key rotation and salt functionalities amplify security, ensuring your applications are not just secure, but also efficient and reliable.

🌱 Contribution

Be a Part of Bitwark’s Journey!

Contributors are the backbone of open-source projects, and Bitwark warmly welcomes everyone who’s eager to contribute to the realms of binary security!

πŸŽ— How to Contribute:

  • 🧠 Propose Ideas: Share enhancement ideas or report bugs through Issues.
  • πŸ›  Code Contributions: Submit a Pull Request with new features, enhancements, or bug fixes.
  • πŸ“š Improve Documentation: Help us make our documentation comprehensive and user-friendly.
  • πŸ’¬ Community Interaction: Join discussions and provide feedback to help make Bitwark better.

πŸ“œ License

Bitwark is open-source software, freely available under the MIT License or BSD-3-Clause.


~351K SLoC