In my Node.js application, I have a functionality where users can generate an Access Token and use that to make API calls from the server. I am using JWT for this purpose, which is working fine and serves its purpose.

But we want our Access Token to be shorter, like the GitHub Personal Access Token, for multiple reasons. Can anyone help me identify the algorithm they are using to generate this kind of short token?

I am attaching screenshots of both tokens (ours & GitHub's).

I did some R&D and found this question, but it does not provide any useful information for my case.
The algorithm is outlined on the blog post about the new tokens. There's a prefix (e.g., `ghp_`), a random component, and a checksum at the end. The random component is generated using a CSPRNG; it doesn't contain any ID or other encoded data.
The approach GitHub uses here is different from a JWT. In a JWT, there is some encoded data (some claims) that is prevented from tampering with a MAC or digital signature. In most cases, as long as the MAC or digital signature is valid, the token will be accepted until its expiration. With GitHub's tokens, the random component is the identifier of the token, and all of the access it grants (including whether it is still valid) is verified by looking that up on the server side; the token doesn't contain that information.