Post-quantum real · IETF-aligned · 16 SDKs

ToonWebToken: Modern Authentication Tokens

Post-Quantum Real & IETF-Aligned

A compact, multi-language authentication token format whose claims are encoded in TOON. v1 signs with HMAC-SHA256 (FIPS 198-1) today; v2 uses ML-DSA-65 (FIPS 204), real on 14 SDKs. Built defensively: anti-replay, anti-SSRF, rate limiting, revocation, HMAC-chained audit trail.

Why ToonWebToken

Six pillars that distinguish TWT from JWT and similar formats.

📦 TOON format

A compact, human-readable encoding that uses up to ~40% fewer bytes than the equivalent JSON token, and roughly 30% fewer LLM tokens at inference time.

🔐 Post-quantum real

V1 ships with HMAC-SHA256 (FIPS 198-1). V2 uses real ML-DSA-65 (FIPS 204) — keygen, sign, verify live on 14 SDKs via liboqs, circl, BouncyCastle and noble-post-quantum.

🆔 UUID v7 identifiers

Time-sortable, RFC 9562 compliant. Better database locality than UUID v4 and a clean traceability story for audit logs.

🤖 LLM-optimized

~30% fewer tokens than JSON when feeding tokens through an LLM gateway. Lower cost, higher throughput, smaller prompts.

🛡️ Defence in depth

Bounded TOON parser, anti-replay cache, anti-SSRF URL validator, rate limiter, honeypot detector, revocation service, HMAC-chained audit trail. 81/81 AppSec remediation items closed.

📜 IETF Internet-Draft v2

Draft-02 describes HS256 (mandatory) and MLDSA65 (optional). 14 implementations validate byte-for-byte reproducible test vectors. Dual MIT/Apache-2.0 license.

TWT vs JWT, side by side

A compact view of what changes when you adopt TWT.

Aspect           | JWT                   | ToonWebToken
-----------------|-----------------------|--------------------------------------------------
Wire format      | JSON (verbose)        | TOON (~40% smaller)
Post-quantum     | No standard story     | ML-DSA-65 real on 14 SDKs (FIPS 204)
SDK coverage     | 3–5 languages typical | 16 languages (6 prod + 8 additional + 2 frontend)
Identifiers      | UUID v4 (random)      | UUID v7 (time-sortable)
LLM optimization | Not optimized         | ~30% fewer LLM tokens
Anti-replay      | Optional / ad hoc     | Native cache
Revocation       | Not native            | Built-in service
Audit trail      | External              | HMAC-chained, in-SDK
Standardization  | RFC 7519              | IETF Draft-02 (HS256 + MLDSA65)

Token structure

A ToonWebToken consists of three Base64URL-encoded segments separated by dots:

HEADER: typ, alg, ver, kid, iat, exp, jti
.
PAYLOAD: subject, claims, security, custom
.
SIGNATURE: HMAC-SHA256 (v1) — ML-DSA-65 (v2, real)
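As an added illustration of the three-segment layout (this is example code, not a ToonWebToken SDK), the following mints and verifies a v1 token: the header carries the fields listed above, the signature is HMAC-SHA256 over the first two encoded segments, and the verifier pins alg/ver, looks up the key by kid, compares the MAC in constant time, enforces exp, and rejects a reused jti with a simple anti-replay cache. Assumptions: claims are serialised as one "key: value" line per field as a stand-in for the real TOON encoding, Base64URL is unpadded, and the typ value "TWT" is invented for the example.

```python
import base64, hashlib, hmac

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _encode_section(fields: dict) -> str:
    # Assumed stand-in for the TOON encoder: one "key: value" line per field.
    return _b64url("\n".join(f"{k}: {v}" for k, v in fields.items()).encode())

def _decode_section(seg: str) -> dict:
    lines = _b64url_decode(seg).decode().splitlines()
    return {k: v for k, _, v in (line.partition(": ") for line in lines)}

def mint_v1(key: bytes, kid: str, jti: str, subject: str, now: int, ttl: int = 300) -> str:
    # Header fields as listed on the page; the "TWT" typ value is an assumption.
    header = {"typ": "TWT", "alg": "HS256", "ver": "1", "kid": kid,
              "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = f"{_encode_section(header)}.{_encode_section({'subject': subject})}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

class Verifier:
    def __init__(self, keys: dict):
        self.keys = keys        # kid -> HMAC secret
        self.seen_jti = set()   # anti-replay cache; a real one is bounded and drops entries at exp

    def verify(self, token: str, now: int) -> dict:
        h, p, s = token.split(".")  # ValueError unless exactly three segments
        header = _decode_section(h)
        # Pin alg/ver before any key lookup so a forged header cannot downgrade the check.
        if header.get("alg") != "HS256" or header.get("ver") != "1":
            raise ValueError("unsupported alg/ver")
        key = self.keys.get(header.get("kid"))
        if key is None:
            raise ValueError("unknown kid")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        if now >= int(header["exp"]):
            raise ValueError("expired")
        if header["jti"] in self.seen_jti:
            raise ValueError("replayed jti")
        self.seen_jti.add(header["jti"])
        return _decode_section(p)
```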

Built on standards

NIST PQC: Post-quantum cryptography
OWASP Top 10: 90+/100 coverage
RFC 9562: UUID v7
ISO/IEC 27000: Information Security

Get started

Pick the SDK that matches your stack, decode a sample token, or read the roadmap.