*Warning, highly experimental*

I've recently been needing a lot of temporary tokens for various projects. These are small Sinatra app auth tokens, API auth tokens, and the like. They're small, self-contained projects, and I don't want the overhead of tracking and expiring tokens in a database or redis. I began to wonder if there was a way to create "self-destructing" tokens which would automatically expire based upon nothing but their own value. No need to store them anywhere on a server. Give it to the client, get it back, and see if it still is (or ever was) valid. I couldn't find anything like this, so I came up with "MortalToken":https://github.com/jhollinger/mortal-token.

h3. Example Sinatra app

bc[ruby].. require 'sinatra'
require 'mortal-token'

# Sinatra's session support is off by default; the token hash and salt live in the session below
enable :sessions

# Set your secret key. Keep it secret; keep it safe!
MortalToken.secret = 'asdf092$78roasdjfjfaklmsdadASDFopijf98%2ejA#Df@sdf'

post '/login' do
  if login_ok?
    # Create a new token, store the resulting hash and salt in the session
    token = MortalToken.new
    session[:token] = token.hash
    session[:salt] = token.salt
    redirect '/secret'
  end
end

get '/secret' do
  # Attempt to reconstitute the original token, using the salt
  token = MortalToken.new(session[:salt])
  # Test if the token still is (or ever was) valid
  if token == session[:token]
    'Welcome!'
  else
    'Go away!'
  end
end

p. It seems to work well. As long as the secret key is kept safe, I don't see any holes (assuming everything is being transmitted securely). But I freely admit I'm no cryptographer or security expert. Feedback is welcome.
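As an added illustration of the idea, here is my own minimal sketch of a stateless, self-expiring token (not the mortal-token gem's code): the salt carries an expiry time plus a random nonce, the hash is an HMAC of that salt under a server-held secret, and validation recomputes the HMAC and checks the embedded expiry. The secret value is a constructed placeholder.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example, not the mortal-token gem: a self-expiring token that needs no
# server-side storage. The salt carries the expiry time plus a random nonce;
# the hash is an HMAC over that salt under a secret only the server holds.
# Changing the expiry in the salt changes the HMAC, so the server can trust
# the expiry it reads back without having stored anything.
module SelfExpiringToken
  # Constructed placeholder; a real deployment uses a long random secret.
  SECRET = 'constructed-example-secret-do-not-reuse'.freeze

  # Issue a token valid until +expires_at+ (Unix time). Returns [salt, hash].
  def self.issue(expires_at, now: Time.now.to_i)
    raise ArgumentError, 'expiry must be in the future' unless expires_at > now
    nonce = Base64.strict_encode64(SecureRandom.random_bytes(16))
    salt = "#{expires_at}.#{nonce}"
    [salt, digest(salt)]
  end

  # Recompute the HMAC from the presented salt, compare it in constant time with
  # the presented hash, then check that the embedded expiry has not passed.
  def self.valid?(salt, hash, now: Time.now.to_i)
    expires_at, nonce = salt.to_s.split('.', 2)
    return false if nonce.nil? || expires_at !~ /\A\d+\z/
    return false unless secure_compare(digest(salt), hash.to_s)
    expires_at.to_i > now
  end

  def self.digest(salt)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, salt)
  end

  # Constant-time comparison so the hash check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

Because nothing is kept server-side, a token cannot be revoked before its embedded expiry; the only lever is rotating the secret, which invalidates every outstanding token at once.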