PASETO
A modern alternative to JWT for signed, short-lived authentication tokens with safer defaults.
PASETO (Platform-Agnostic Security Tokens) is a modern alternative to JWT for signed, short-lived authentication tokens. The design fixes the historical JWT footguns (`alg=none`, algorithm confusion, and ambiguous token versioning) by binding the algorithm choice to the token version: the `v3.public` prefix determines the signature scheme, so a verifier never reads an algorithm name out of the token itself.
Helix uses PASETO v3 cookies on the shared `.nylas.com` domain so the dashboard account, the public Helix app, and the Cloudflare Worker speak the same auth without a separate session store. Tokens are short-lived, signed, and opaque to the client; the worker verifies them on every request.
For developers: the v3 spec is documented at paseto.io. PASETO does not replace OAuth — it is a token format. Helix uses OAuth 2.1 with PKCE for the LLM tool-use flow and PASETO for the cookie-based dashboard session.
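To make the "algorithm is bound to the version" point concrete, here is an added, stdlib-only sketch of what a verifier such as the worker has to do on every request: accept only an allowlisted `version.purpose` prefix before touching any cryptography, rebuild the spec's Pre-Authentication Encoding (PAE) over `[pk, header, message, footer, implicit]`, check the signature, and only then read the RFC 3339 `exp`/`nbf` claims. This is example code, not Helix or Nylas code. The ECDSA P-384 signature primitive that v3.public actually uses is passed in as a callable (a real deployment would plug in a crypto library there); `demo()` wires in a clearly labelled HMAC test double purely to exercise the verifier's ordering and rejections, and the key bytes and claims it uses are constructed.

```python
import base64
import hmac
import json
import struct
from datetime import datetime, timezone

# The verifier fixes the accepted (version, purpose) pairs up front. The algorithm
# follows from that pair; the token carries no "alg" field for an attacker to rewrite.
ACCEPTED = {("v3", "public")}
SIG_LEN = 96  # v3.public signature is r || s, 48 bytes each


def pae(pieces):
    """Pre-Authentication Encoding (PASETO spec): LE64 count, then LE64 length + bytes per piece."""
    out = struct.pack("<Q", len(pieces) & 0x7FFFFFFFFFFFFFFF)
    for p in pieces:
        out += struct.pack("<Q", len(p) & 0x7FFFFFFFFFFFFFFF) + p
    return out


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_token(token):
    """Split version.purpose.payload[.footer]; reject anything outside ACCEPTED before any crypto."""
    parts = token.split(".")
    if len(parts) not in (3, 4):
        raise ValueError("malformed token")
    if (parts[0], parts[1]) not in ACCEPTED:
        raise ValueError(f"rejected header {parts[0]}.{parts[1]}")
    body = b64url_decode(parts[2])
    if len(body) < SIG_LEN:
        raise ValueError("payload too short to hold a signature")
    footer = b64url_decode(parts[3]) if len(parts) == 4 else b""
    header = f"{parts[0]}.{parts[1]}.".encode()
    return header, body[:-SIG_LEN], body[-SIG_LEN:], footer


def signing_input(pk, header, message, footer, implicit=b""):
    """v3.public signs PAE([pk, h, m, f, i]); pk is the compressed public key, which binds
    the signature to one verifying key (no key confusion across keys)."""
    return pae([pk, header, message, footer, implicit])


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_claims(message, now):
    """Registered claims carry RFC 3339 timestamps; exp is mandatory for a session cookie."""
    claims = json.loads(message)
    if "exp" not in claims or now >= _ts(claims["exp"]):
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now < _ts(claims["nbf"]):
        raise ValueError("token not yet valid")
    return claims


def verify_token(token, pk, verify_sig, now, implicit=b""):
    """Order matters: header allowlist, then signature, then claims."""
    header, message, sig, footer = parse_token(token)
    if not verify_sig(pk, signing_input(pk, header, message, footer, implicit), sig):
        raise ValueError("bad signature")
    return check_claims(message, now)


def build_token(message, pk, sign, footer=b"", implicit=b""):
    """Issuer side, same PAE; sign(data) must return the 96-byte r || s signature."""
    header = b"v3.public."
    sig = sign(signing_input(pk, header, message, footer, implicit))
    token = header.decode() + b64url_encode(message + sig)
    return token + ("." + b64url_encode(footer) if footer else "")


def demo():
    """Constructed round trip. The signer is a TEST DOUBLE (HMAC, not ECDSA P-384): it
    exercises the verifier's ordering and rejections, not real v3.public signing."""
    pk = b"\x02" + b"\x11" * 48  # constructed 49-byte compressed-point placeholder

    def fake_sign(data):
        d = hmac.new(b"test-double-key", data, "sha384").digest()
        return d + d  # 96 bytes, same length as a real r || s

    def fake_verify(_pk, data, sig):
        return hmac.compare_digest(sig, fake_sign(data))

    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    good = build_token(b'{"sub":"alice","exp":"2031-01-01T00:00:00Z"}', pk, fake_sign)
    result = {"claims": verify_token(good, pk, fake_verify, now)}
    _, message, sig, _ = parse_token(good)
    variants = {
        "v2": "v2" + good[2:],                                    # wrong version
        "local": good.replace("v3.public.", "v3.local.", 1),      # wrong purpose
        "expired": build_token(b'{"sub":"alice","exp":"2029-01-01T00:00:00Z"}', pk, fake_sign),
        "tampered": "v3.public." + b64url_encode(message.replace(b"alice", b"admin") + sig),
    }
    for name, tok in variants.items():
        try:
            verify_token(tok, pk, fake_verify, now)
            result[name] = "accepted"
        except ValueError as e:
            result[name] = str(e)
    return result
```

The allowlist check in `parse_token` is the whole point of the design: a token claiming `v2.public` or `v3.local` is refused by string comparison before any key is loaded, which is what makes `alg=none` and algorithm-confusion attacks structurally impossible here rather than merely misconfigurable.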