fernet: Generate and verify HMAC-based authentication tokens.

[ authentication, lgpl, library, web ] [ Propose Tags ]

Originally designed for use within OpenStack clusters, Fernet is intended to be fast and light-weight, with non-persistent tokens. Fernet tokens are signed with a SHA256 HMAC and their contents encrypted with AES128 in CBC mode.

[Skip to Readme]




Automatic Flags

Build the example application


Use -f <flag> to enable a flag, or -f -<flag> to disable that flag. More info


Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees


Versions [RSS]
Change log ChangeLog.md
Dependencies base (>=4.9 && <4.10), binary (>= && <0.10), byteable (>=0.1.1 && <0.2), bytestring (>=0.10.8 && <0.11), cryptonite (>=0.21 && <0.23), fernet, memory (>=0.14.1 && <0.15), optparse-applicative (>=0.12 && <0.15), time (>=1.6.0 && <1.7), unix (>= && <2.8) [details]
License LGPL-3.0-only
Copyright 2017 Rodney Lorrimar
Author Rodney Lorrimar
Maintainer dev@rodney.id.au
Category Web, Authentication
Home page https://github.com/rvl/fernet-hs
Bug tracker https://github.com/rvl/fernet/issues
Source repo head: git clone https://github.com/rvl/fernet-hs
Uploaded by rvl at 2017-03-22T23:39:55Z
Executables fernet
Downloads 1060 total (5 in the last 30 days)
Rating (no votes yet) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs available [build log]
Last success reported on 2017-03-22 [all 1 reports]

Readme for fernet-

[back to package description]

Fernet Haskell Implementation

Build Status Hackage

Fernet generates and verifies HMAC-based authentication tokens.

Originally designed for use within OpenStack clusters, it was intended to be fast and light-weight, with non-persistent tokens. Integrity and confidentiality of the token contents are implemented with HMAC SHA256 and AES128 CBC.

See the Fernet Spec for a little more information.


To encrypt a token:

>>> import Network.Fernet
>>> k <- generateKey
>>> keyToBase64 k
>>> token <- encrypt k "secret text"
>>> print token

The resulting token can be distributed to clients. To check and decrypt the token, use the same key:

>>> decrypt k 60 token
Right "secret text"

Do read the Network.Fernet module documentation for further information.

Command-line tool

This package also includes a command-line tool for encrypting and decrypting tokens.

Fernet Utility

Usage: fernet (((-k|--key STRING) | --key-file FILENAME) ([-e|--encrypt] |
              [-d|--decrypt]) [--ttl SECONDS] | (-g|--gen-key))
  Encrypts/decrypts Fernet tokens. One token written to stdout for each line
  read from stdin. Use --gen-key to make a key.

Available options:
  -h,--help                Show this help text
  -k,--key STRING          Base64-urlsafe-encoded 32 byte encryption key
  --key-file FILENAME      File containing the encryption key
  -e,--encrypt             Encryption mode (default: autodetect)
  -d,--decrypt             Decryption mode (default: autodetect)
  --ttl SECONDS            Token lifetime in seconds (default: 1 minute)
  -g,--gen-key             Generate a key from the password on standard input


Building with Stack

stack build

Building with Nix

nix-shell -p cabal2nix --command "cabal2nix --shell . > default.nix"
nix-shell --command "cabal configure"
cabal build

Better & Cooler Stuff

You might also be interested in hsoz.