npm package discovery and stats viewer.

© 2026 – Pkg Stats / Ryan Hefner

webtoken-rs

v1.0.2

Published

Web Token encoded in Rust and available as NAPI addon

Readme

webtoken-rs 🦀

License: MIT Rust Bun

A high-performance NAPI (Node-API) native addon for Argon2id password hashing and PASETO (Platform-Agnostic Security Tokens), built with Rust for the Bun runtime.

🚀 Features

  • Blazing Fast: Native Rust implementation using argon2 and pasetors crates.
  • Bun Optimized: Specifically tuned for use with the Bun runtime.
  • Type Safe: Includes full TypeScript definitions automatically generated from Rust.
  • Modern Security: Implements Argon2id (OWASP recommendation) and PASETO V4 (Local & Public).
  • Asymmetric Support: Built-in Ed25519 key generation and signing for cross-service authentication.

📦 Installation

bun install webtoken-rs

🛠 Usage

1. Argon2id Password Hashing

import { hash, compare } from "webtoken-rs";

const hashedPassword = await hash("my-super-secret-password");
const isMatch = await compare("my-super-secret-password", hashedPassword);

2. PASETO Tokens (V4 Local - Symmetric)

import { create, verify } from "webtoken-rs";

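// Placeholder key for illustration. V4 Local is symmetric: the same 32-byte key
// encrypts and decrypts, so load it from a secret store instead of source code.
const secret = "your-32-character-secret-key-123";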
const token = create({ sub: "user-123" }, secret, 3600);
const payload = verify(token, secret);

3. PASETO Tokens (V4 Public - Asymmetric)

import { generateKeys, createPublic, verifyPublic } from "webtoken-rs";

// Generate a valid Ed25519 keypair
const { secretKey, publicKey } = generateKeys();

// Sign with Secret Key
const token = createPublic({ sub: "user-123" }, secretKey, 3600);

// Verify with Public Key
const payload = verifyPublic(token, publicKey);
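
What a v4.public token contains, as an added example that is not part of webtoken-rs or its README: a PASETO v4.public signer and verifier written from the public spec on Node's built-in crypto (all function names here are this example's own). It shows the version/purpose pin before verification, and that the claims are signed but readable by anyone holding the token.

```javascript
// Added example, not webtoken-rs code: PASETO v4.public per the public spec,
// using Node's built-in crypto. All names below are this example's own.
const crypto = require("node:crypto");

const HEADER = "v4.public.";
const b64u = (buf) => Buffer.from(buf).toString("base64url");

// Pre-Authentication Encoding: length-prefix each piece so header, message,
// footer and implicit assertion cannot be shifted into one another.
function pae(...pieces) {
  const le64 = (n) => { const b = Buffer.alloc(8); b.writeBigUInt64LE(BigInt(n)); return b; };
  const out = [le64(pieces.length)];
  for (const p of pieces) { const b = Buffer.from(p); out.push(le64(b.length), b); }
  return Buffer.concat(out);
}

function signV4Public(claims, privateKey, footer = "") {
  const m = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, pae(HEADER, m, footer, ""), privateKey); // Ed25519: 64 bytes
  const token = HEADER + b64u(Buffer.concat([m, sig]));
  return footer ? token + "." + b64u(footer) : token;
}

function verifyV4Public(token, publicKey) {
  // Pin version and purpose up front; the token never chooses the algorithm.
  if (!token.startsWith(HEADER)) throw new Error("unexpected PASETO header");
  const [body, footerB64 = ""] = token.slice(HEADER.length).split(".");
  const raw = Buffer.from(body, "base64url");
  if (raw.length < 64) throw new Error("token too short");
  const m = raw.subarray(0, raw.length - 64);
  const sig = raw.subarray(raw.length - 64);
  const footer = Buffer.from(footerB64, "base64url");
  if (!crypto.verify(null, pae(HEADER, m, footer, ""), publicKey, sig)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(m.toString());
  // exp is an ISO 8601 string in PASETO's registered claims.
  if ("exp" in claims && !(Date.parse(claims.exp) > Date.now())) throw new Error("expired");
  return claims;
}

// Signed, not encrypted: anyone holding the token can read the claims.
function peekClaims(token) {
  const raw = Buffer.from(token.split(".")[2], "base64url");
  return JSON.parse(raw.subarray(0, raw.length - 64).toString());
}

// Constructed demo values.
const demoKeys = crypto.generateKeyPairSync("ed25519");
const demoToken = signV4Public({ sub: "user-123" }, demoKeys.privateKey, "kid-1");
```

Because the payload of a v4.public token is only signed, keep anything confidential out of its claims or use V4 Local instead.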

4. Zero-Knowledge Passwords (OPAQUE PAKE)

import { 
  opaqueGenerateServerSetup, 
  opaqueClientRegisterStart, 
  opaqueServerRegisterStart,
  opaqueClientRegisterFinish,
  opaqueServerRegisterFinish,
  opaqueClientLoginStart,
  opaqueServerLoginStart,
  opaqueClientLoginFinish,
  opaqueServerLoginFinish
} from "webtoken-rs";

// 1. Setup (Server)
const serverSetup = opaqueGenerateServerSetup();

// 2. Registration (Interactive)
const { request, state } = opaqueClientRegisterStart("user-password");
const response = opaqueServerRegisterStart(serverSetup, request, "user@id");
const { upload, exportKey } = opaqueClientRegisterFinish("user-password", response, state, "user@id");
const passwordFile = opaqueServerRegisterFinish(upload); // Store this!

// 3. Login (Interactive)
const { request: loginReq, state: clientState } = opaqueClientLoginStart("user-password");
const { response: loginRes, state: serverState } = opaqueServerLoginStart(serverSetup, passwordFile, loginReq, "user@id");
const { finalization, sessionKey } = opaqueClientLoginFinish("user-password", loginRes, clientState, "user@id");
const serverSessionKey = opaqueServerLoginFinish(finalization, serverState);

// sessionKey === serverSessionKey

📊 Benchmarks

Measured on AMD Ryzen 7 3750H with Bun 1.3.12.

Password Hashing

| Implementation | Algorithm | Average Time |
| :--- | :--- | :--- |
| Rust (NAPI) | Argon2id (Default) | ~55.47 ms/iter (🚀 Faster) |
| Rust (NAPI) | Argon2id (High Mem) | ~50.96 ms/iter |
| Bun (Native) | Bcrypt (Cost 10) | ~87.88 ms/iter |

Password Verification

| Implementation | Algorithm | Average Time |
| :--- | :--- | :--- |
| Rust (NAPI) | Argon2id | ~17.84 ms/iter (🚀 ~4.3x Faster) |
| Bun (Native) | Bcrypt | ~77.47 ms/iter |

Token Creation

| Implementation | Algorithm | Average Time |
| :--- | :--- | :--- |
| Rust (NAPI) | PASETO V4.Local | ~18.58 µs/iter |
| Node Crypto | JWT (Manual HMAC) | ~13.63 µs/iter |

> [!TIP]
> Our Rust implementation is significantly faster at JWT creation because it performs JSON serialization, Base64Url encoding, and HMAC signing in a single high-performance native pass.

🛠 Development

Build

bun run build          # Release build
bun run build:debug    # Debug build

Test

bun test

Benchmark

bun run bench

🏗 Project Structure

  • src/lib.rs - Native Rust implementation.
  • index.js - Generated NAPI entry point.
  • index.d.ts - Generated TypeScript definitions.
  • tests/ - Comprehensive test and benchmark suite.

📜 License

MIT License - see LICENSE for details.

👤 Author

nglmercer - GitHub