QAuth: Authentication
Rebuilt for the Quantum Era
The Problem
OAuth 2.0 and JWT have fundamental, unfixable security flaws that have caused countless breaches.
JWT Vulnerabilities
- Algorithm confusion - Attacker chooses the verification method through the `alg` header (for example RS256 swapped for HS256, with the public key used as the HMAC secret)
- "None" algorithm - `alg: none` accepted by the verifier, complete signature bypass
- Key ID injection - SQL injection or path traversal through an unsanitized `kid` header used to locate the key
- Exposed payload - Base64url-encoded claims readable by anyone holding the token
- No revocation - Tokens stay valid until expiry unless you bolt on a denylist
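Two of these failure modes, `alg: none` and an unvalidated `kid` lookup, take a few lines to reproduce. The following is an added example, not code from the QAuth project: a deliberately trusting HS256 verifier next to a hardened one that pins the algorithm (which also shuts the RS256/HS256 confusion path), allowlists `kid`, compares in constant time and enforces `exp`. It uses only the Python standard library; the key store, the key ID `k1`, the claims and the attacker helpers are all constructed for the demonstration.

```python
"""Vulnerable vs hardened HS256 JWT verification. Added example; the key store,
kid values and claims are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key store: kid -> HMAC secret. A real service loads this from a KMS.
KEYS = {"k1": b"constructed-hmac-secret-for-k1"}
PINNED_ALG = "HS256"  # the server, not the token header, decides the algorithm


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    signing_input = _segment(header) + "." + _segment(payload)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_vulnerable(token: str) -> Optional[dict]:
    """Lets the token header pick the algorithm and the key: both attacker-controlled."""
    h, p, s = token.split(".")
    header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    if header.get("alg") == "none":  # 'none' honoured: signature bypass
        return payload
    key = KEYS.get(header.get("kid"), b"")  # unknown kid silently becomes an empty key
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return payload if b64url_decode(s) == mac else None  # non-constant-time compare


def verify_hardened(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Pins alg, allowlists kid, compares in constant time and enforces exp."""
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != PINNED_ALG:
        return None
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:  # never derive a lookup path from kid
        return None
    mac = hmac.new(KEYS[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), mac):
        return None
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


# Attacker-side helpers for the two bypasses (constructed for the demonstration).
def forge_none(payload: dict) -> str:
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def forge_unknown_kid(payload: dict) -> str:
    # Signed with the empty key that the vulnerable verifier falls back to.
    return sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "does-not-exist"}, payload, b"")
```

The hardened verifier rejects both forgeries and an expired token while still accepting a token signed under `k1`; the vulnerable one accepts all three forgeries. The two differences that matter are that the server decides the algorithm and that `kid` is only ever an index into a fixed allowlist, never an input to a file path or a query.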
OAuth 2.0 Vulnerabilities
- Redirect URI manipulation - Authorization code or token delivered to an attacker-controlled endpoint
- Authorization code interception - Full account takeover
- Bearer token model - Stolen token = full access, nothing binds it to the client that obtained it
- PKCE downgrade - Protection can be bypassed when the server does not require PKCE for every client
- Scope explosion - Unmaintainable permission strings
Security Comparison
QAuth is designed to close each of the attack classes listed above; the table compares how JWT, OAuth 2.0 and QAuth fare against them.
| Attack Vector | JWT | OAuth 2.0 | QAuth | How QAuth Protects |
|---|---|---|---|---|
| Algorithm Confusion | Vulnerable | N/A | Impossible | No algorithm field in QAuth |
| "None" Algorithm | Vulnerable | N/A | Impossible | Algorithm not configurable |
| Bearer Token Theft | Vulnerable | Vulnerable | Protected | Proof of possession required |
| Redirect URI Attack | N/A | Vulnerable | Protected | Cryptographic binding |
| Token Replay | Vulnerable | Vulnerable | Protected | Request-specific proofs |
| Payload Inspection | Exposed | N/A | Encrypted | XChaCha20-Poly1305 encryption |
| Post-Quantum Attack | Future Risk | Future Risk | Protected | ML-DSA-65 signatures |
| Revocation Delay | Hours/Days | Hours | 5 Minutes | Built-in revocation system |

The OAuth 2.0 column describes the default bearer-token profile. Sender-constrained tokens (DPoP, RFC 9449, or mutual-TLS binding, RFC 8705) and token revocation and introspection (RFC 7009, RFC 7662) exist as optional extensions; QAuth's point is that proof of possession and revocation are built in rather than opt-in.
Defense-in-Depth Features
Every QAuth feature is designed to eliminate an entire class of attacks.
Dual Signatures
Ed25519 + ML-DSA-65
Classical Ed25519 combined with post-quantum ML-DSA-65. Both signatures must verify, so a token is only as forgeable as the stronger of the two schemes: if a quantum computer breaks Ed25519, ML-DSA-65 still holds, and if a flaw turns up in the much younger ML-DSA-65, Ed25519 still holds.
Encrypted Payloads
XChaCha20-Poly1305
Unlike JWT's base64-encoded claims visible to everyone, QAuth encrypts all payload data. Your claims are private, not just signed.
Proof of Possession
Mandatory, Not Optional
Every request must prove key ownership. Stolen tokens are useless without the private key. No more bearer token theft attacks.
Built-in Revocation
5-Minute Window
Revocation takes effect at the issuer immediately and reaches every validator within a 5-minute worst-case propagation window. No more waiting for JWT expiry after a breach.
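The Proof of Possession and Built-in Revocation features above describe the checks a validator has to run on every request. The following is an added example, not QAuth code, that implements those checks in standard-library Python: a request proof bound to the token, the HTTP method and URL, a timestamp and a one-time nonce, plus a revocation list the validator re-pulls at most every five minutes. An HMAC under a per-token proof key stands in for the signature the client would make with its private key; the token id `tok-1`, the keys and the API URL are constructed for the demonstration.

```python
"""Proof-of-possession validation with replay detection and a periodically
refreshed revocation list. Added example; the proof keys, token ids and the
HMAC-based proof are stand-ins constructed for the demonstration."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

PROOF_MAX_AGE = 60        # seconds a request proof stays acceptable
REVOCATION_REFRESH = 300  # validators re-pull the issuer's list at least every 5 minutes


def _signing_input(token_id: str, method: str, url: str, ts: int, nonce: str) -> bytes:
    # The proof covers the token, the exact request (method + URL), a timestamp and a
    # one-time nonce, so it cannot be reused for another request or replayed.
    return "\n".join([token_id, method.upper(), url, str(ts), nonce]).encode()


def make_proof(proof_key: bytes, token_id: str, method: str, url: str,
               ts: int, nonce: Optional[str] = None) -> dict:
    """Client side: demonstrate possession of proof_key for one specific request."""
    nonce = nonce or secrets.token_urlsafe(16)
    mac = hmac.new(proof_key, _signing_input(token_id, method, url, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "mac": mac}


class Validator:
    def __init__(self, proof_keys: Dict[str, bytes],
                 fetch_revoked: Callable[[], Iterable[str]],
                 clock: Callable[[], float] = time.time):
        self.proof_keys = proof_keys        # token_id -> key bound to that token at issuance
        self.fetch_revoked = fetch_revoked  # pulls the issuer's current revocation list
        self.clock = clock
        self.seen: Dict[Tuple[str, str], int] = {}   # (token_id, nonce) -> ts
        self.revoked: Set[str] = set()
        self.revoked_fetched_at: Optional[float] = None

    def _revoked(self) -> Set[str]:
        now = self.clock()
        if self.revoked_fetched_at is None or now - self.revoked_fetched_at >= REVOCATION_REFRESH:
            self.revoked = set(self.fetch_revoked())
            self.revoked_fetched_at = now
        return self.revoked

    def validate(self, token_id: str, proof: dict, method: str, url: str) -> str:
        """Return 'ok' or the reason the request was rejected."""
        now = int(self.clock())
        if token_id in self._revoked():
            return "revoked"
        key = self.proof_keys.get(token_id)
        if key is None:
            return "unknown token"
        try:
            ts, nonce, mac = int(proof["ts"]), str(proof["nonce"]), str(proof["mac"])
        except (KeyError, TypeError, ValueError):
            return "malformed proof"
        if abs(now - ts) > PROOF_MAX_AGE:
            return "stale proof"
        expected = hmac.new(key, _signing_input(token_id, method, url, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "bad proof"  # token without its key, or a proof made for another request
        # Drop nonces too old to be replayable, then reject one we have already accepted.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= PROOF_MAX_AGE}
        if (token_id, nonce) in self.seen:
            return "replayed"
        self.seen[(token_id, nonce)] = ts
        return "ok"


def demo() -> list:
    """Theft, replay, cross-request reuse and revocation lag, on a controllable clock."""
    clock = {"now": 1_700_000_000}
    revoked_at_issuer: Set[str] = set()
    key = b"constructed-proof-key-for-tok-1"
    url = "https://api.example.com/me"
    v = Validator({"tok-1": key}, lambda: revoked_at_issuer, clock=lambda: clock["now"])
    good = make_proof(key, "tok-1", "GET", url, clock["now"], "n1")
    out = [v.validate("tok-1", good, "GET", url),           # ok
           v.validate("tok-1", good, "GET", url),           # replayed
           v.validate("tok-1", good, "DELETE", url)]        # bad proof: bound to GET
    stolen = make_proof(b"attacker-guess", "tok-1", "GET", url, clock["now"], "n2")
    out.append(v.validate("tok-1", stolen, "GET", url))     # bad proof: token only, no key
    revoked_at_issuer.add("tok-1")                          # issuer revokes tok-1 now
    clock["now"] += 10
    out.append(v.validate("tok-1", make_proof(key, "tok-1", "GET", url, clock["now"], "n3"),
                          "GET", url))                      # ok: this validator's list is stale
    clock["now"] += REVOCATION_REFRESH
    out.append(v.validate("tok-1", make_proof(key, "tok-1", "GET", url, clock["now"], "n4"),
                          "GET", url))                      # revoked: list refreshed
    return out
```

`demo()` walks the cases the page lists: a stolen token without its key is rejected, a captured proof cannot be replayed or moved to a different request, and a token revoked at the issuer keeps working at a validator whose cached list is stale until the next refresh, which is exactly why the page states the window as a worst case. With an asymmetric proof, as QAuth describes, the validator would hold only the client's public key, so a compromised validator could not mint proofs; the HMAC stand-in keeps this example dependency-free but does not have that property.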
Policy References
No Scope Explosion
Replace OAuth's scope strings with policy document references. Fine-grained RBAC/ABAC/ReBAC without bloated tokens.
Server-Enforced Crypto
No Algorithm Confusion
Server enforces all cryptographic parameters. No client-controlled algorithm selection. Eliminates entire attack classes.
Multi-Language SDKs
Use QAuth in your preferred language. Same API, same security guarantees.
Rust:

```rust
use std::time::Duration;
use qauth::{Issuer, Token, Validator, Policy, PolicyEngine};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Generate issuer with dual keys (Ed25519 + ML-DSA-65)
    let issuer = Issuer::generate()?;

    // Create a QToken with encrypted payload
    let token = Token::builder()
        .subject("user-12345")
        .audience("https://api.example.com")
        .policy_ref("urn:qauth:policy:standard")
        .expires_in(Duration::from_secs(3600))
        .build(&issuer)?;

    // Validate with dual signature verification
    let validator = Validator::new(issuer.verifying_keys());
    let claims = validator.validate(&token)?;

    // Policy-based authorization. `policy` is the document the application
    // resolves from the token's policy_ref and `context` holds the request
    // attributes; constructing them is not shown on this page.
    let engine = PolicyEngine::new();
    let result = engine.evaluate(&policy, &context);
    Ok(())
}
```

Rust (crates.io): cargo add quantum-qauth
TypeScript (npm): npm i @quantumshield/qauth
Python (PyPI): pip install qauth
Go (module): go get github.com/Tushar010402/qauth-go

Why QAuth?
Built from the ground up for the post-quantum era.
Key Features
- Complete specification with RFC-style documentation
- Working reference implementation in Rust with 36+ tests
- Real post-quantum cryptography using ML-DSA-65 (Dilithium3)
- Multi-language SDKs with consistent APIs
- Open source under MIT license
Developer Resources
Everything you need to integrate QAuth into your application.
Part of QuantumShield
QAuth is built on top of QuantumShield's post-quantum cryptography primitives. Hybrid KEM, dual signatures, and cascading encryption—all working together.