github.com/sxwebdev/tokenmanager
Package tokenmanager provides a secure, flexible, and type-safe token management system for Go applications. It supports creating, validating, revoking, and updating tokens with customizable additional data using Go generics.

The tokenmanager package implements a token-based authentication system with the following key features:

Tokens are generated as signed strings in the format: Where: This format provides 512 bits of entropy in the payload, making tokens practically impossible to guess or brute-force.

The package follows a clean separation of concerns:

Creating a token manager with custom additional data:

Validating a token and retrieving its data: Validation checks performed:

Revoking a token (e.g., on logout): After revocation, the token will fail validation even if it hasn't expired.

Updating the additional data of an existing token: This is useful for updating user permissions without requiring re-authentication.

The package provides two predefined token types: Token type validation prevents type confusion attacks where an attacker might try to use a refresh token as an access token or vice versa.

Example of implementing a refresh token flow:

Implement the ITokenStore interface to use a custom storage backend:

The package implements several security best practices: Cryptographic Security: Token Validation: Recommendations:

All operations in Manager are thread-safe. The built-in MemoryTokenStore uses sync.RWMutex for safe concurrent access. Custom storage implementations should also ensure thread safety.

The MemoryTokenStore includes an automatic cleanup goroutine that runs every minute to remove expired tokens. This prevents memory leaks from accumulated expired tokens. For production environments with high token volumes, consider using a dedicated storage backend like Redis, which handles expiration natively and provides persistence.
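The checks this description names (signature, expiry and token type, collapsing to one boolean) can be sketched as follows. This is an added example, not the package's own code: the `payload.signature` layout, HMAC-SHA256, the `access`/`refresh` type names and every identifier are assumptions, and locking is omitted for brevity.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// record and store are hypothetical stand-ins, not the package's own types.
type record struct{ typ string; expires time.Time }
type store struct{ key []byte; recs map[string]record }

func (s *store) sign(p string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(p))
	return hex.EncodeToString(m.Sum(nil))
}

// issue stores a record under "tokenmanager:"+payload and returns
// "payload.signature" (assumed layout) with a 512-bit random payload.
func (s *store) issue(typ string, ttl time.Duration) string {
	b := make([]byte, 64)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	p := hex.EncodeToString(b)
	s.recs["tokenmanager:"+p] = record{typ, time.Now().Add(ttl)}
	return p + "." + s.sign(p)
}

// validate is fail-secure: any failed check yields false, never an error.
func (s *store) validate(tok, want string) bool {
	p, sig, ok := strings.Cut(tok, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(s.sign(p))) {
		return false
	}
	r, found := s.recs["tokenmanager:"+p]
	return found && r.typ == want && time.Now().Before(r.expires)
}

func main() {
	s := &store{key: []byte("constructed-demo-key"), recs: map[string]record{}}
	rt := s.issue("refresh", time.Minute)
	fmt.Println(s.validate(rt, "refresh"), s.validate(rt, "access"))
}
```

Because the expected type is compared against the stored record rather than anything carried in the token, a refresh token presented where an access token is required is rejected even though its signature is valid.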
The package defines the following sentinel errors:

The [ValidateToken] method does not return errors; instead, it returns a boolean indicating validity. This fail-secure design ensures that any unexpected condition results in token rejection.

Token data is stored as JSON with the following structure:

Storage keys use the prefix "tokenmanager:" followed by the token payload:

The package is designed for high performance:

For benchmarks, run:
Links
| Registry | proxy.golang.org |
| Source | Repository |
| Docs | Documentation |
| JSON API | View JSON |
| CodeMeta | codemeta.json |
Package Details
| PURL | pkg:golang/github.com/sxwebdev/tokenmanager |
| License | MIT |
| Namespace | github.com/sxwebdev |
| Last Synced | 21 days ago |