feat(jwt): add key derivation options and restructure docs 🔑

- Add basic/pbkdf2 key derivation methods
- Add comprehensive tests and validation
- Add performance reference to BENCHMARK.md
- Implement PBKDF2 key derivation with 50K iterations
- Improve test coverage to 98.32%
- Restructure README with TOC and external references
- Split architecture to ARCHITECTURE.md
- Update changelog for v1.4.0

Author: NeaByteLab

ARCHITECTURE.md

@@ -0,0 +1,117 @@
+## 🏗️ Architecture
+
+### 🔄 Complete Data Flow
+
+> This diagram shows the complete JWT workflow from data input to output. The **Sign** process creates encrypted tokens and stores them in cache, while **Verify** operations check cache first for 1,600x performance boost. **Decode** extracts raw data without verification, and **Cache Management** ensures memory efficiency with LRU eviction and TTL expiration.
+
+```mermaid
+graph TD
+    A[User Data] --> B[Sign Request]
+    B --> C[Create Payload]
+    C --> D[Multi Algorithm Encryption]
+    D --> E[Generate Token]
+    E --> F[Store in Cache]
+    F --> G[Return Token]
+    
+    H[Token Verification] --> I{Cache Hit?}
+    I -->|Yes| J[Return Cached Data]
+    I -->|No| K[Decrypt Token]
+    K --> L[Validate Integrity]
+    L --> M[Store in Cache]
+    M --> N[Return Decoded Data]
+    
+    O[Token Decode] --> P[Extract Payload]
+    P --> Q[Return Raw Data]
+    
+    R[Cache Management] --> S[LRU Eviction]
+    S --> T[TTL Expiration]
+    T --> U[Memory Limit 10K]
+    
+    style A fill:#e1f5fe,color:#000
+    style G fill:#c8e6c9,color:#000
+    style J fill:#c8e6c9,color:#000
+    style N fill:#c8e6c9,color:#000
+    style Q fill:#c8e6c9,color:#000
+    style I fill:#fff9c4,color:#000
+    style F fill:#e8f5e8,color:#000
+    style M fill:#e8f5e8,color:#000
+    style R fill:#f3e5f5,color:#000
+```
+
+---
+
+### 🔐 JWT Encoding Process
+
+> This diagram details the token creation process with **multi-algorithm encryption**. Each token gets a **random IV** for uniqueness, **version-based AAD** for compatibility, and **authentication tags** for tamper detection. The **caching system** stores encrypted tokens for instant retrieval, providing massive performance improvements for repeated verifications.
+
+```mermaid
+graph TD
+    A[User Data] --> B[Create Payload]
+    B --> C[Add Timestamps & Version]
+    C --> D[JSON Stringify Payload]
+    D --> E[Generate Random IV]
+    E --> F[Multi Algorithm Encryption]
+    F --> G[Create Token Structure]
+    G --> H[Base64 Encode]
+    H --> I[Secure JWT Token]
+    I --> J[Store in Cache]
+    J --> K[LRU Eviction Check]
+    K --> L[TTL Expiration]
+
+    M[Secret Key] --> N[Key Preparation]
+    N --> F
+    O[Random Salt] --> N
+
+    P[Version] --> Q[Additional
+    Authenticated Data]
+    Q --> F
+
+    F --> R[Authentication Tag]
+    R --> G
+
+    S[Cache Hit?] --> T[Return Cached Data]
+    S --> U[Decrypt & Cache]
+    U --> V[Return Decrypted Data]
+
+    style A fill:#e1f5fe,color:#000
+    style I fill:#c8e6c9,color:#000
+    style F fill:#fff3e0,color:#000
+    style M fill:#fce4ec,color:#000
+    style J fill:#e8f5e8,color:#000
+    style S fill:#fff9c4,color:#000
+```
+
+---
+
+### 🛡️ Security Layers
+
+> This diagram illustrates the security-focused verification process. **Cache validation** provides the first security layer, preventing DoS attacks through performance optimization. **Decryption** uses the secret key and random IV, while **integrity checks** verify authentication tags. The **caching system** acts as both a performance and security feature, ensuring fast and secure token validation.
+
+```mermaid
+graph LR
+    A[Input Token] --> B[Cache Validation]
+    B --> C[Validation Layer]
+    C --> D[Decryption Layer]
+    D --> E[Integrity Check]
+    E --> F[Decoded Data]
+    
+    B --> G[Cache Hit]
+    G --> F
+    
+    H[Cache Miss] --> C
+    C --> I[Store in Cache]
+    I --> F
+
+    J[Secret Key] --> D
+    K[Random IV] --> D
+    L[Version AAD] --> D
+    M[Auth Tag] --> E
+
+    style B fill:#e8f5e8,color:#000
+    style C fill:#ffebee,color:#000
+    style D fill:#fff3e0,color:#000
+    style E fill:#f3e5f5,color:#000
+    style F fill:#e1f5fe,color:#000
+    style G fill:#c8e6c9,color:#000
+    style I fill:#fff9c4,color:#000
+```

CHANGELOG.md

@@ -7,6 +7,33 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [1.4.0] - 2025-09-06
+
+### Added
+- **Key derivation options**: Choose between `basic` (fast) and `pbkdf2` (secure) key generation methods
+- **PBKDF2 key derivation**: 50K iterations with SHA-256 for enterprise-grade security
+- **Basic key derivation**: Fast salt + secret concatenation for high-performance applications
+- **Key derivation validation**: Validation for key derivation method selection
+- **Key derivation documentation**: Updated README with Key Derivation Options table
+- **Architecture documentation**: Separate ARCHITECTURE.md with detailed diagrams
+- **External references**: Links to ARCHITECTURE.md and BENCHMARK.md
+
+### Enhanced
+- **Security flexibility**: Configurable key derivation methods based on use case requirements
+- **Performance options**: Basic key derivation for speed, PBKDF2 for maximum security
+- **API consistency**: New `keyDerivation` option follows existing constructor pattern
+- **Documentation**: Enhanced README with clear key derivation guidance and examples
+- **Test coverage**: Improved from 98.28% to 98.32% with key derivation tests
+- **Documentation structure**: Cleaner README with better navigation and external references
+
+### Technical
+- **Algorithm abstraction**: Extended `Algorithms` class with key derivation methods
+- **Type safety**: Added `KeyDerivationAlgo` type for compile-time validation
+- **Error handling**: Error messages for invalid key derivation methods
+- **Backward compatibility**: Default `basic` key derivation maintains existing behavior
+
+---
+
 ## [1.3.0] - 2025-09-06
 
 ### Added

README.md

@@ -3,7 +3,7 @@
 ![npm version](https://img.shields.io/npm/v/@neabyte/secure-jwt)
 ![node version](https://img.shields.io/node/v/@neabyte/secure-jwt)
 ![typescript version](https://img.shields.io/badge/typeScript-5.9.2-blue.svg)
-![coverage](https://img.shields.io/badge/coverage-98.28%25-brightgreen)
+![coverage](https://img.shields.io/badge/coverage-98.32%25-brightgreen)
 ![license](https://img.shields.io/npm/l/@neabyte/secure-jwt.svg)
 
 A secure JWT implementation with **AES-256-GCM** & **ChaCha20-Poly1305** algorithms for Node.js applications.
@@ -12,6 +12,7 @@ A secure JWT implementation with **AES-256-GCM** & **ChaCha20-Poly1305** algorit
 
 - 🔒 **Multi algorithms** - AES-256-GCM & ChaCha20-Poly1305
 - ⚙️ **Algorithm selection** - Choose the best encryption for your use case
+- 🔑 **Key derivation options** - Basic (fast) or PBKDF2 (secure) key generation
 - 🛡️ **Tamper detection** - Authentication tags prevent modification
 - ⏰ **Automatic expiration** - Built-in token lifecycle management
 - 🔄 **Version compatibility** - Prevents downgrade attacks
@@ -110,7 +111,8 @@ const arrayToken: string = jwt.sign([1, 2, 3])
 
 ```javascript
 const jwt = new SecureJWT({
-  algorithm: 'aes-256-gcm',      // Optional: default: 'aes-256-gcm'
+  algorithm: 'aes-256-gcm',      // Optional: Default 'aes-256-gcm'
+  keyDerivation: 'basic',        // Optional: Default 'basic'
   secret: 'your-secret-key',     // Required: 8-255 characters
   expireIn: '1h',                // Required: Time string
   version: '1.0.0',              // Optional: Default '1.0.0'
@@ -120,29 +122,19 @@ const jwt = new SecureJWT({
 
 ### 🔧 Algorithm Options
 
-Choose the encryption algorithm that best fits your needs:
+| Value | Description |
+|-------|-------------|
+| `aes-256-gcm` | Hardware accelerated, industry standard, perfect for general purpose and enterprise applications |
+| `chacha20-poly1305` | Software optimized, 2-3x faster than AES, ideal for high-throughput and mobile applications |
 
-```javascript
-// AES-256-GCM (default) - Hardware accelerated, industry standard
-const jwtAES = new SecureJWT({
-  algorithm: 'aes-256-gcm',
-  secret: 'key',
-  expireIn: '1h'
-})
+### 🔑 Key Derivation Options
 
-// ChaCha20-Poly1305 - Maximum performance, 2-3x faster
-const jwtChaCha = new SecureJWT({
-  algorithm: 'chacha20-poly1305',
-  secret: 'key',
-  expireIn: '1h'
-})
-```
+| Value | Description |
+|-------|-------------|
+| `basic` | Fast salt + secret concatenation, perfect for high-performance applications |
+| `pbkdf2` | Secure 50K iterations with SHA-256, ideal for enterprise and high-security applications |
 
-**Algorithm Comparison:**
-- **AES-256-GCM**: Hardware accelerated, widely supported, industry standard
-- **ChaCha20-Poly1305**: Software optimized, 2-3x faster, perfect for high-throughput applications
-
-### Time Format
+### ⏰ Time Format
 
 ```javascript
 // Supported formats
@@ -164,12 +156,10 @@ const jwtChaCha = new SecureJWT({
 ```javascript
 new SecureJWT(options: JWTOptions)
 ```
-**Available Algorithm:**
-- `aes-256-gcm`
-- `chacha20-poly1305`
 
 **Options:**
 - `algorithm?:` - Encryption algorithm (default: 'aes-256-gcm')
+- `keyDerivation?:` - Key derivation method (default: 'basic')
 - `secret: string` - Secret key (8-255 chars, required for security)
 - `expireIn: string` - Token expiration time (required for security)
 - `version?: string` - Token version (default: '1.0.0')
@@ -218,122 +208,10 @@ try {
 ---
 
 ## 🏗️ Architecture
+For detailed architecture diagrams and technical implementation details, see [ARCHITECTURE.md](ARCHITECTURE.md).
 
-### 🔄 Complete Data Flow
-
-> This diagram shows the complete JWT workflow from data input to output. The **Sign** process creates encrypted tokens and stores them in cache, while **Verify** operations check cache first for 1,600x performance boost. **Decode** extracts raw data without verification, and **Cache Management** ensures memory efficiency with LRU eviction and TTL expiration.
-
-```mermaid
-graph TD
-    A[User Data] --> B[Sign Request]
-    B --> C[Create Payload]
-    C --> D[Multi Algorithm Encryption]
-    D --> E[Generate Token]
-    E --> F[Store in Cache]
-    F --> G[Return Token]
-    
-    H[Token Verification] --> I{Cache Hit?}
-    I -->|Yes| J[Return Cached Data]
-    I -->|No| K[Decrypt Token]
-    K --> L[Validate Integrity]
-    L --> M[Store in Cache]
-    M --> N[Return Decoded Data]
-    
-    O[Token Decode] --> P[Extract Payload]
-    P --> Q[Return Raw Data]
-    
-    R[Cache Management] --> S[LRU Eviction]
-    S --> T[TTL Expiration]
-    T --> U[Memory Limit 10K]
-    
-    style A fill:#e1f5fe,color:#000
-    style G fill:#c8e6c9,color:#000
-    style J fill:#c8e6c9,color:#000
-    style N fill:#c8e6c9,color:#000
-    style Q fill:#c8e6c9,color:#000
-    style I fill:#fff9c4,color:#000
-    style F fill:#e8f5e8,color:#000
-    style M fill:#e8f5e8,color:#000
-    style R fill:#f3e5f5,color:#000
-```
-
----
-
-### 🔐 JWT Encoding Process
-
-> This diagram details the token creation process with **multi-algorithm encryption**. Each token gets a **random IV** for uniqueness, **version-based AAD** for compatibility, and **authentication tags** for tamper detection. The **caching system** stores encrypted tokens for instant retrieval, providing massive performance improvements for repeated verifications.
-
-```mermaid
-graph TD
-    A[User Data] --> B[Create Payload]
-    B --> C[Add Timestamps & Version]
-    C --> D[JSON Stringify Payload]
-    D --> E[Generate Random IV]
-    E --> F[Multi Algorithm Encryption]
-    F --> G[Create Token Structure]
-    G --> H[Base64 Encode]
-    H --> I[Secure JWT Token]
-    I --> J[Store in Cache]
-    J --> K[LRU Eviction Check]
-    K --> L[TTL Expiration]
-
-    M[Secret Key] --> N[Key Preparation]
-    N --> F
-    O[Random Salt] --> N
-
-    P[Version] --> Q[Additional
-    Authenticated Data]
-    Q --> F
-
-    F --> R[Authentication Tag]
-    R --> G
-
-    S[Cache Hit?] --> T[Return Cached Data]
-    S --> U[Decrypt & Cache]
-    U --> V[Return Decrypted Data]
-
-    style A fill:#e1f5fe,color:#000
-    style I fill:#c8e6c9,color:#000
-    style F fill:#fff3e0,color:#000
-    style M fill:#fce4ec,color:#000
-    style J fill:#e8f5e8,color:#000
-    style S fill:#fff9c4,color:#000
-```
-
----
-
-### 🛡️ Security Layers
-
-> This diagram illustrates the security-focused verification process. **Cache validation** provides the first security layer, preventing DoS attacks through performance optimization. **Decryption** uses the secret key and random IV, while **integrity checks** verify authentication tags. The **caching system** acts as both a performance and security feature, ensuring fast and secure token validation.
-
-```mermaid
-graph LR
-    A[Input Token] --> B[Cache Validation]
-    B --> C[Validation Layer]
-    C --> D[Decryption Layer]
-    D --> E[Integrity Check]
-    E --> F[Decoded Data]
-    
-    B --> G[Cache Hit]
-    G --> F
-    
-    H[Cache Miss] --> C
-    C --> I[Store in Cache]
-    I --> F
-
-    J[Secret Key] --> D
-    K[Random IV] --> D
-    L[Version AAD] --> D
-    M[Auth Tag] --> E
-
-    style B fill:#e8f5e8,color:#000
-    style C fill:#ffebee,color:#000
-    style D fill:#fff3e0,color:#000
-    style E fill:#f3e5f5,color:#000
-    style F fill:#e1f5fe,color:#000
-    style G fill:#c8e6c9,color:#000
-    style I fill:#fff9c4,color:#000
-```
+## ⚡ Performance  
+For detailed benchmark results and performance metrics, see [BENCHMARK.md](BENCHMARK.md).
 
 ---
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@neabyte/secure-jwt",
   "description": "Secure JWT with AES-256-GCM & ChaCha20-Poly1305 encryption, built-in caching, tamper detection, and TypeScript support",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

src/algorithms/AES256.ts

@@ -4,7 +4,7 @@ import type { TokenEncrypted, EncryptionAlgo, IEncryptionAlgo } from '@interface
 
 /**
  * AES-256-GCM encryption class
- * Provides encryption and decryption using AES-256-GCM algorithm
+ * Handles encryption and decryption using AES-256-GCM algorithm
  */
 export default class AES256 implements IEncryptionAlgo {
   /** Algorithm name constant */

src/algorithms/ChaCha20.ts

@@ -4,7 +4,7 @@ import type { TokenEncrypted, EncryptionAlgo, IEncryptionAlgo } from '@interface
 
 /**
  * ChaCha20-Poly1305 encryption class
- * Provides encryption and decryption using ChaCha20-Poly1305 algorithm
+ * Handles encryption and decryption using ChaCha20-Poly1305 algorithm
  */
 export default class ChaCha20 implements IEncryptionAlgo {
   /** Algorithm name constant */