NIST FIPS 204 & 205 · Published August 2024

JWT authentication
for the post-quantum era

RS256 and ES256 are broken by Shor's algorithm on a quantum computer. @pq-jwt/core replaces them with NIST-standardized ML-DSA and SLH-DSA — plus Express middleware, hybrid migration, and full JOSE.

$ npm install @pq-jwt/core
4 npm packages
v1.0.6 Latest version
61/61 Tests passing
2^96 Quantum security ops
MIT License
// the problem

Your JWTs will be
forged by quantum computers

RS256 relies on integer factorization. ES256 relies on elliptic curve discrete log. Shor's algorithm (1994) solves both in polynomial time on a quantum computer.

Broken by quantum
RS256 / RSA
Security basis: integer factorization (N = p × q). Shor's algorithm factors N in O(log³N) quantum operations. Private key recovery: polynomial time.
Shor's algorithm: APPLICABLE
Broken by quantum
ES256 / ECDSA
Security basis: elliptic curve discrete logarithm. Shor's algorithm solves ECDLP in polynomial time. All EC curves (P-256, secp256k1) are affected.
Shor's algorithm: APPLICABLE
Quantum resistant
ML-DSA (FIPS 204)
Security basis: Module-LWE lattice hardness. Shor's algorithm: zero speedup (not a group-period problem). Grover gives only sqrt speedup → 96-bit quantum security.
Shor's algorithm: NOT APPLICABLE
Quantum resistant
SLH-DSA (FIPS 205)
Security basis: hash function hardness only. No lattice assumptions — purely conservative choice. 7 years of NIST cryptanalysis. No known attack.
Shor's algorithm: NOT APPLICABLE
// same api you already know

Drop-in replacement.
Zero relearning.

If you've used jsonwebtoken before, you already know how to use pq-jwt. Same sign / verify / decode pattern. Typed errors. Full TypeScript.

auth.mjs
import { generateKeyPair, sign, verify } from '@pq-jwt/core';

// Generate once — store in your secrets manager
const { publicKey, secretKey } = generateKeyPair('ML-DSA-65');

// Sign a token — identical to jsonwebtoken API
const token = sign(
  { sub: 'user_42', role: 'admin', org: 'acme' },
  secretKey,
  {
    algorithm:  'ML-DSA-65',   // NIST FIPS 204
    expiresIn:  '1h',
    notBefore:  '0s',          // v1.0.6
    issuer:     'auth.myapp.com',
    audience:   'api.myapp.com',
  }
);

// Verify — throws TypedError on failure
const { payload } = verify(token, publicKey, {
  issuer:          'auth.myapp.com',
  audience:        'api.myapp.com',
  clockTolerance:  10,   // distributed system clock skew
});

console.log(payload.sub);   // 'user_42'
console.log(payload.role);  // 'admin'
middleware.ts
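import type { Request, Response, NextFunction } from 'express';
import {
  verify, importKey,
  TokenExpiredError, SignatureError, InvalidTokenError,
} from '@pq-jwt/core';

// Load the verification key once at startup
const PK = importKey(process.env.PQ_PUBLIC_KEY!);

export function pqAuth(req: Request & { user?: unknown }, res: Response, next: NextFunction) {
  // Accept only "Authorization: Bearer <token>"; other schemes are treated as missing
  const auth = req.headers.authorization;
  const token = auth?.startsWith('Bearer ') ? auth.slice(7) : undefined;
  if (!token) return res.status(401).json({ error: 'Missing token' });

  try {
    const { payload } = verify(token, PK, {
      issuer: 'auth.myapp.com',
      clockTolerance: 10,
    });
    req.user = payload;
    next();
  } catch (e) {
    if (e instanceof TokenExpiredError) return res.status(401).json({ error: 'Expired' });
    if (e instanceof SignatureError)    return res.status(403).json({ error: 'Invalid' });
    if (e instanceof InvalidTokenError) return res.status(400).json({ error: e.message });
    // Unknown error types: do not echo their message to the client
    res.status(400).json({ error: 'Invalid token' });
  }
}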
// npm ecosystem

Core, backend, migration,
and full JOSE.

Four packages under the PQ-JWT ecosystem — from low-level JWT signing to Express APIs, hybrid classical→PQ migration for frontends, and a complete post-quantum JOSE stack.

Backend · Express
Express.js middleware for @pq-jwt/core. Drop-in pqAuth() with typed errors, role guards, and custom token extractors — wire PQ auth into Node APIs in minutes.
npm install @pq-jwt/express
Migration · Hybrid · Frontend
Hybrid JWT — ECDSA P-256 + ML-DSA dual signing. Migration bridge from classical to post-quantum. Use in SPAs and client apps that must verify both legacy ECDSA and PQ tokens during rollout.
npm install @pq-jwt/hybrid
JOSE · JWT · JWE · JWK
A complete post-quantum JOSE library for JavaScript/Node.js — JWT, JWS, JWE, JWK, and JWKS. Built on @pq-jwt/core; jose-compatible API. NIST FIPS 203 (ML-KEM), 204 (ML-DSA), and 205 (SLH-DSA) via audited @noble/post-quantum.
npm install @pq-jose/jose
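
A pre-verification gate for the rollout period described above, when a verifier accepts both legacy ES256 and ML-DSA tokens. This is an added example, not code from @pq-jwt/hybrid or any pq-jwt package: it pins the token's `alg` to an allow-list and checks the signature length before any key is used. `ALLOWED`, `MAX_TOKEN_CHARS`, `precheck` and `fakeToken` are hypothetical names, the header `alg` is assumed to carry the same string as the `algorithm` option, and only single-signature tokens are covered because the page does not give the dual-signed layout.

```javascript
// Added example: alg pinning and size checks to run before signature verification.
// ALLOWED, MAX_TOKEN_CHARS, precheck() and fakeToken() are hypothetical, not pq-jwt APIs.
const ALLOWED = {
  'ES256':     { sigBytes: 64,   legacy: true  },  // raw r||s encoding, RFC 7518
  'ML-DSA-65': { sigBytes: 3309, legacy: false },  // signature size from FIPS 204
};
const MAX_TOKEN_CHARS = 8192;   // assumed cap; ML-DSA-65 tokens are ~4.5 KB
const B64URL = /^[A-Za-z0-9_-]+$/;

function precheck(token, { acceptLegacy }) {
  if (typeof token !== 'string' || token.length > MAX_TOKEN_CHARS)
    return { ok: false, reason: 'token too large' };
  const parts = token.split('.');
  if (parts.length !== 3 || !parts.every((p) => B64URL.test(p)))
    return { ok: false, reason: 'malformed compact JWS' };

  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'unparseable header' };
  }
  // Own-property lookup: "none", "HS256" or "__proto__" never select a verifier.
  const alg = header !== null && typeof header === 'object' ? header.alg : undefined;
  const known = typeof alg === 'string' &&
    Object.prototype.hasOwnProperty.call(ALLOWED, alg);
  if (!known) return { ok: false, reason: 'algorithm not allowed' };
  const rule = ALLOWED[alg];
  // After the rollout window closes, legacy ES256 tokens are refused outright.
  if (rule.legacy && !acceptLegacy)
    return { ok: false, reason: 'legacy algorithm retired' };

  // A signature of the wrong size cannot belong to the claimed algorithm.
  const sigLen = Buffer.from(parts[2], 'base64url').length;
  if (sigLen !== rule.sigBytes)
    return { ok: false, reason: 'signature length mismatch' };
  return { ok: true, alg };   // caller picks the key by this pinned alg
}

// Constructed sample tokens: real structure, filler bytes in place of signatures.
function fakeToken(alg, sigBytes) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return [enc({ alg, typ: 'JWT' }), enc({ sub: 'user_42' }),
          Buffer.alloc(sigBytes, 7).toString('base64url')].join('.');
}
```

A token that passes `precheck` still has to go through signature verification with the key bound to the returned `alg`; the gate only rejects input that should never reach that step.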
// nist standardized · august 2024

Four algorithms.
All NIST approved.

After a 7-year open competition, NIST selected and standardized these algorithms in August 2024. The NSA mandates them for all national security systems by 2030.

ML-DSA-44
NIST FIPS 204 · Lattice-based (Module-LWE)
Security level 2. Best for IoT and constrained environments where key size matters most.
Quantum security: 128-bit Q
Key generation: 2.5ms
Public key: 1,312 B
Sign time: 8.1ms
ML-DSA-87
NIST FIPS 204 · Lattice-based (Module-LWE)
Security level 5. For government, banking, and high-security systems. Meets NSA CNSA 2.0.
Quantum security: 256-bit Q
Key generation: 4.8ms
Public key: 2,592 B
Sign time: 11.1ms
SLH-DSA-SHA2-128s
NIST FIPS 205 · Hash-based (SPHINCS+)
Conservative choice. No lattice assumptions — relies only on hash security. For long-term archival tokens.
Quantum security: 128-bit Q
Key generation: 623ms
Public key: 32 B
Sign time: 5,373ms
// real benchmarks · node.js v22 · single thread

Honest performance numbers.

Post-quantum tokens are larger. Signing is slower. These are real trade-offs — documented clearly so you can make the right architectural decisions.

| Algorithm | Sign | Verify | Token Size | Quantum Safe |
|---|---|---|---|---|
| ECDSA-P256 (ES256) | < 1ms | < 1ms | ~0.5 KB | ✗ Broken |
| RSA-2048 (RS256) | < 2ms | < 1ms | ~0.5 KB | ✗ Broken |
| ML-DSA-44 | 8.1ms | 2.1ms | ~3.5 KB | ✓ FIPS 204 |
| ML-DSA-65 (default) | 10.7ms | 2.9ms | ~4.5 KB | ✓ FIPS 204 |
| ML-DSA-87 | 11.1ms | 4.8ms | ~6.2 KB | ✓ FIPS 204 |
| SLH-DSA-SHA2-128s | 5,373ms | 5.8ms | ~10.8 KB | ✓ FIPS 205 |
// use cases

Who needs this now?

🏦
Financial systems
Banking APIs, payment processors, and fintech under regulatory pressure to begin PQ migration planning. Use ML-DSA-87 for NSA CNSA 2.0 compliance.
🔗
Web3 / Blockchain
Wallet authentication, validator signatures, and DApp auth that must survive the quantum transition. secp256k1 is vulnerable — ML-DSA is not.
🏛️
Government & Defence
NSA CNSA 2.0 mandates ML-DSA for all national security systems by 2030. Start evaluating infrastructure now, not in 2029.
🔬
Research & Healthcare
Long-lived data access tokens for medical records and research data. Harvest-now attacks target data meant to remain confidential for decades.
☁️
Cloud & SaaS
Any multi-service architecture using JWTs for service-to-service auth. Begin with internal APIs before migrating customer-facing auth.
🛡️
Security-conscious devs
Forward-thinking engineers who understand that the right time to adopt post-quantum tooling is before compliance deadlines, not during them.
// why 2025 is the right time

The migration window
is open now.

The threat is not immediate. The migration pressure is. Start evaluating tooling now so you're not rushing in 2027.

2024
NIST publishes FIPS 203, 204, 205
Official post-quantum standards. ML-DSA, SLH-DSA, ML-KEM are federal law.
2025 — now
Early adopters build tooling
@pq-jwt/core, @pq-jwt/express, @pq-jwt/hybrid, and @pq-jose/jose ship — full PQ auth stack for JavaScript, TypeScript, and Node.js.
2026
Enterprise evaluation begins
Security teams begin auditing auth infrastructure for PQ readiness.
2027
Financial sector mandates start
Banking regulators in EU and US issue PQ migration guidance with timelines.
2030
NSA CNSA 2.0 deadline
All US national security systems must use ML-DSA. Non-compliance is a liability.
2035+
CRQCs become viable
Cryptographically relevant quantum computers. Data harvested today is at risk.
// get started today

Your authentication,
quantum-proof.

MIT license. JavaScript, TypeScript & Node.js. Express ready. Built on audited cryptography. Maintained by Sachin Ruhil.

$ npm install @pq-jwt/core