I like the idea of having one service to decode (createToken) and encode the tokens.
http://codereview.appspot.com/975043/diff/1/2 File java/common/src/main/java/org/apache/shindig/auth/BlobCrypterSecurityTokenDecoder.java (right): http://codereview.appspot.com/975043/diff/1/2#newcode122 java/common/src/main/java/org/apache/shindig/auth/BlobCrypterSecurityTokenDecoder.java:122: BlobCrypterSecurityToken t = (BlobCrypterSecurityToken)token; Since it is public function, I think it would be best to do safe casting here. http://codereview.appspot.com/975043/show
