AES-256-GCM Encrypted

Beyond JWT.
Secure Web Token (SWT)

The ultimate JWT alternative for modern authentication. Device-bound, server-side session tokens with AES-256-GCM encryption. Prevent token theft, account sharing, and unauthorized reuse with hardware-level security fingerprints.

$ npm install secure-web-token
AES-256-GCM · Device Bound · Server-Side Sessions

Why SWT Over JWT?

Traditional JSON Web Tokens (JWT) are only Base64 encoded, which makes them easy to decode and vulnerable to theft. Secure Web Token (SWT) encrypts every payload with AES-256-GCM and strictly binds tokens to verified devices.

AES-256-GCM Encryption

Payloads are fully encrypted, not just Base64 encoded like JWT. Nobody can decode your token without the secret.

Device Fingerprint Binding

Tokens are locked to specific devices or sessions, preventing unauthorized reuse from different machines.

Server-Side Sessions

Device IDs and sessions are managed securely on the backend—never exposed to the browser.

Prevent Token Theft

Even if a token leaks, it cannot be reused from unauthorized devices. Complete protection against replay attacks.

Auto Device Registration

Automatically generate and manage device IDs for seamless security without manual configuration.

Single-Device Enforcement

Built-in support for restricting access to a single device without complex additional server logic.

Perfect For

  • Course platforms with anti-piracy requirements
  • SaaS dashboards with sensitive data
  • Admin panels with restricted access
  • Any system requiring device-bound authentication

The Problem with JWT

Traditional JWTs have fundamental limitations that SWT was designed to solve.

JWT Limitations

  • JWT payloads are only Base64 encoded, not encrypted. Anyone can decode them.
  • If a token leaks, it can be reused from any device.
  • No built-in mechanism to restrict tokens to specific devices.
  • Cannot safely enforce single-device login without additional server logic.

SWT Solutions

  • Fully encrypts token payloads using AES-256-GCM.
  • Binds tokens to device fingerprints managed on the backend.
  • Prevents token reuse from unauthorized devices.
  • Supports auto-generated device IDs for added security.
  • Manages sessions server-side, so sensitive identifiers never reach the browser.

How SWT Works

1. User Login: sign() generates the token and a server-side session.

2. Store Session: the server stores the deviceId and fingerprint internally.

3. Secure Cookie: the browser receives the token via an HttpOnly cookie.

4. Verify Request: verify() checks the session and the fingerprint.

Quick Start

Get up and running with SWT in seconds

1. Install Package

terminal
```bash
npm install secure-web-token
```

2. Import SWT

app.js
```js
// ESM
import { sign, verify, getStore } from "secure-web-token";

// CommonJS
const { sign, verify, getStore } = require("secure-web-token");
```

3. Core Functions

sign.ts
```ts
import { sign } from "secure-web-token";

// Shared secret used to encrypt the payload; in production load it from
// configuration (e.g. an environment variable) rather than hard-coding it.
const SECRET = "super-secret-key";

const { token, sessionId } = sign(
  { userId: 1, role: "admin" },   // payload data
  SECRET,
  {
    fingerprint: true,            // bind the token to the device fingerprint
    store: "memory",              // server-side session store
    expiresIn: 3600,              // lifetime in seconds
  }
);
```

4. Payload Structure

payload.json
```json
{
  "data": {
    "userId": 1,
    "role": "admin"
  },
  "iat": 1768368114,
  "exp": 1768369014,
  "fp": "device-fingerprint"
}
```

Note: The fp (fingerprint) and session ID are stored server-side only.

100% Type Safe · ESM + CommonJS · MIT Licensed

Let's Secure Your App

Have questions about implementing SWT? Our security experts are ready to help you migrate from legacy token systems.

Email Us: securewebtoken@gmail.com

Live Chat: available 24/7 for Enterprise