TECTO (Transport Encrypted Compact Token Object) is a lightweight token protocol that fully encrypts token contents using XChaCha20-Poly1305, unlike JWTs which are only base64-encoded and readable by anyone.

Key features: - Fully encrypted payloads (mathematically unreadable without the 32-byte secret) - Authenticated encryption with Poly1305 integrity tags - Per-token cryptographic nonces generated from CSPRNG - Generic error messages to prevent oracle attacks - Key rotation support with multiple keystore backends (Memory, SQLite, PostgreSQL, MariaDB) - Replay protection via jti claims - Zero-copy plaintext cleanup

GitHub: github.com/Zastinian/tecto