Branca 0.3.0

Install-Package Branca -Version 0.3.0
dotnet add package Branca --version 0.3.0
<PackageReference Include="Branca" Version="0.3.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add Branca --version 0.3.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: Branca, 0.3.0"
#r directive can be used in F# Interactive, C# scripting and .NET Interactive. Copy this into the interactive tool or source code of the script to reference the package.
// Install Branca as a Cake Addin
#addin nuget:?package=Branca&version=0.3.0

// Install Branca as a Cake Tool
#tool nuget:?package=Branca&version=0.3.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.


A .NET 5 library for generating and validating Branca tokens.

Status Nuget Downloads License


Branca tokens are authenticated and encrypted API tokens using modern crypto.


Branca is a secure, easy to use token format which makes it hard to shoot yourself in the foot. It uses IETF XChaCha20-Poly1305 AEAD symmetric encryption to create encrypted and tamperproof tokens. The encrypted token is base62 encoded which makes it URL safe. The payload itself is an arbitrary sequence of bytes. You could use a JSON object, plain text string or even binary data serialized by MessagePack or Protocol Buffers.

Although not a goal, it is possible to use Branca as an Alternative to JWT.

You can read the Branca Token Specification for design-specific details.


using Branca;
Issuing Secret Key

The secret key is to be 32 bytes in size. You can generate a random one using the following:

byte[] key = new byte[32];

Alternatively, you can setup a hexadecimal string consisting of exactly 64 characters:

HexKey key = "73757065727365637265746b6579796f7573686f756c646e6f74636f6d6d6974";
Configuring Branca

Once you have a secret key, be it a byte[] type or a HexKey type, you can configure Branca as follows:

BrancaService branca = new(key);

Branca can optionally take in BrancaSettings, which has a few parameters for configuration. They come with sensible defaults so you may not need to change it at all.

BrancaService branca = new(key, new BrancaSettings
  MaxStackLimit = 1024,
  TokenLifetimeInSeconds = 3600

For the sake of performance, Branca allocates various resources during encoding and decoding on the stack. To prevent abuse of the stack, a stack limit is enforced. If the limit is reached due to a large payload, it defaults to allocating it on the heap for the particular encoding/decoding. This limit is by default set to 1024 bytes.

Branca also considers all tokens it generates to be valid for an hour from the time of their generation. You can configure this value based on your use-case. Alternatively, set it up as null to make Branca tokens valid forever.

There exists a Timer configuration for BrancaSettings too. It comes with an internal implementation that uses current time accordingly. You can pass on your own implementation of this interface if you want to control the way time flows for Branca. This will not be needed in all general cases.

Encoding/Encrypting Payload

Now that Branca is configured, you can encode your payload. Branca can accept string or ReadOnlySpan<byte> as payload. So, you can send a byte[] as payload if you are using some binary serialiser to save space.

If your payload is "Hello, World", you can generate a Branca token as follows:

string token = branca.Encode("Hello, World!");

The above will generate a token like:


Likewise, you can make use of MessagePack or Protocol Buffer or even System.Text.Json to serialize your payload and pass in binary data to branca for generating a specific token.

Decoding/Decrypting Payload

Decoding a Branca token for validation is just as simple:

if (branca.TryDecode(token, out byte[] payload))
  // Hello, World!
  string message = Encoding.UTF8.GetString(payload);

You get to decide how to interpret the payload which comes out as an array of bytes. If you used MessagePack, deserialize the payload using it to the object it is supposed to be.

Decoding validates the token and even confirms the expiry (if you have setup some lifetime for the token, default being one hour). In case of failure, the TryDecode returns false and you can reject the token accordingly.

For whatever reason, if you also want to get the time the Branca token was created, you can do the following:

if (branca.TryDecode(token, out byte[] payload, out uint createTime))
  // successful decoding
  // unauthorized attempt


Branca is a .NET 5 library for generating and validating Branca tokens.
Copyright © 2021 Aman Agnihotri (

Branca is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

Branca is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Branca. If not, see GNU Licenses.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
0.3.0 91 8/23/2021
0.2.0 97 8/21/2021