Use pasetors crate for PASETO
Context
After choosing PASETO v4.local for session transport (ADR-0019), we needed a Rust crate that could handle the full lifecycle: token creation, validation, key generation, and PASERK key identifiers for rotation (ADR-0023). We evaluated all three maintained PASETO crates in the Rust ecosystem.
Decision
Use pasetors for PASETO token implementation.
Alternatives Evaluated
rusty-paseto: Integrated and tested first. Handles basic token creation and validation but has no PASERK support — key identifiers had to be implemented separately. Development has slowed; open issues around v4 edge cases weren't being addressed.
pasta-tokens: Evaluated second. The v4 implementation was incomplete at the time — missing footer handling, which we need for embedding PASERK key identifiers in tokens (ADR-0023). Couldn't use it without forking.
pasetors: The only crate with built-in PASERK support, full v4.local implementation including footers, and strong typing across keys, tokens, and claims. Actively maintained with regular updates.
Consequences
Pasetors covers everything we need in one crate — token operations, PASERK identifiers, and key management primitives. The key rotation system (ADR-0026) builds directly on its PASERK implementation. The trade-off is coupling to a single crate for the entire auth token layer, but the alternatives couldn't support the full feature set without significant custom code.
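The footer requirement above exists so that a verifier can pick the right key during rotation. The following is an added example, not code from this project or from pasetors, and it uses only the Rust standard library to show that selection step: reading the `kid` from a v4.local footer and looking it up in a keyring. The function names, the flat `{"kid":"k4.lid.<id>"}` footer shape, and the token and keyring values are assumptions constructed for illustration.

```rust
use std::collections::HashMap;

/// Decode unpadded base64url, the encoding PASETO uses for payload and footer.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u8);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None, // rejects '=' padding and the '+' '/' alphabet
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    Some(out)
}

/// Read the `kid` from a v4.local footer before any decryption is attempted.
fn footer_kid(token: &str) -> Option<String> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 4 || parts[0] != "v4" || parts[1] != "local" {
        return None; // wrong version or purpose, or no footer at all
    }
    let footer = String::from_utf8(b64url_decode(parts[3])?).ok()?;
    // Assumption: flat JSON footer of the form {"kid":"k4.lid.<id>"}.
    let kid = footer.split_once("\"kid\":\"")?.1.split_once('"')?.0;
    // Accept only a local-key identifier, never another PASERK type.
    kid.starts_with("k4.lid.").then(|| kid.to_string())
}

/// Select the key by identifier; ids absent from the keyring are refused.
fn select_key<'a>(ring: &'a HashMap<String, [u8; 32]>, token: &str) -> Option<&'a [u8; 32]> {
    ring.get(&footer_kid(token)?)
}

fn main() {
    // Constructed token: placeholder payload, footer {"kid":"k4.lid.AAAA"}.
    let token = "v4.local.cGF5bG9hZA.eyJraWQiOiJrNC5saWQuQUFBQSJ9";
    let ring = HashMap::from([("k4.lid.AAAA".to_string(), [7u8; 32])]);
    println!("kid = {:?}", footer_kid(token));
    println!("key found = {}", select_key(&ring, token).is_some());
}
```

The footer is readable without the key but is covered by the token's authentication tag, so the `kid` is only a lookup hint until decryption with the selected key succeeds.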