JWT Algorithms Explained

A comprehensive guide to JWT signing algorithms and how to choose the right one

Quick Reference

AlgorithmTypeKey TypeBest For
HS256HMACShared secretSingle server, simple apps
HS384HMACShared secretHigher security needs
HS512HMACShared secretMaximum HMAC security
RS256RSAPublic/PrivateOAuth, OpenID Connect
RS384RSAPublic/PrivateHigher security RSA
RS512RSAPublic/PrivateMaximum RSA security
ES256ECDSAPublic/PrivateModern apps, mobile
ES384ECDSAPublic/PrivateHigher security ECDSA
ES512ECDSAPublic/PrivateMaximum ECDSA security

HMAC Algorithms (HS256, HS384, HS512)

HMAC (Hash-based Message Authentication Code) algorithms use a shared secret key for both signing and verification. The same secret must be known by both the token issuer and the verifier.

How HMAC Works

HMAC combines a cryptographic hash function (SHA-256, SHA-384, or SHA-512) with a secret key:

signature = HMAC-SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

HS256 (HMAC-SHA256)

The most commonly used symmetric algorithm. Uses SHA-256 hash function, providing 128 bits of security.

  • Fast and efficient
  • 256-bit hash output
  • Widely supported
  • Recommended minimum secret length: 32 bytes (256 bits)

HS384 (HMAC-SHA384)

Uses SHA-384 hash function for increased security. Provides 192 bits of security.

  • 384-bit hash output
  • Slightly slower than HS256
  • Recommended minimum secret length: 48 bytes (384 bits)

HS512 (HMAC-SHA512)

Uses SHA-512 hash function for maximum security. Provides 256 bits of security.

  • 512-bit hash output
  • Highest security HMAC option
  • Recommended minimum secret length: 64 bytes (512 bits)

When to use HMAC: Best for single-server applications or when the same entity both signs and verifies tokens. Not ideal for distributed systems where you don't want to share the secret key.

RSA Algorithms (RS256, RS384, RS512)

RSA algorithms use asymmetric cryptography with a public/private key pair. The private key signs tokens, and the public key verifies them. This allows anyone to verify tokens without being able to create them.

How RSA Signing Works

RSA uses RSASSA-PKCS1-v1_5 signature scheme:

  1. Hash the message (header.payload) using SHA-256/384/512
  2. Sign the hash with the private key
  3. Verify the signature using the public key

RS256 (RSA-SHA256)

The industry standard for OAuth 2.0 and OpenID Connect. Uses RSA with SHA-256 hash.

  • Recommended key size: 2048 bits (minimum)
  • Widely used in enterprise applications
  • Public keys can be safely distributed (JWKS)
  • Larger signatures than HMAC (~342 bytes for 2048-bit key)

RS384 (RSA-SHA384)

RSA with SHA-384 hash for enhanced security requirements.

  • Recommended key size: 3072 bits or higher
  • Used for higher security requirements

RS512 (RSA-SHA512)

RSA with SHA-512 hash for maximum security.

  • Recommended key size: 4096 bits
  • Maximum security RSA option
  • Larger computation overhead

When to use RSA: Ideal for OAuth 2.0, OpenID Connect, and any scenario where multiple parties need to verify tokens without having access to the signing key. Perfect for microservices and distributed systems.

ECDSA Algorithms (ES256, ES384, ES512)

ECDSA (Elliptic Curve Digital Signature Algorithm) uses elliptic curve cryptographyfor asymmetric signing. It provides equivalent security to RSA with much smaller key sizes, resulting in smaller signatures and faster operations.

How ECDSA Works

ECDSA is based on the algebraic structure of elliptic curves over finite fields:

  • Uses specific curves (P-256, P-384, P-521)
  • Smaller keys for equivalent security
  • Faster signature generation and verification

ES256 (ECDSA P-256)

Uses the NIST P-256 curve (also known as secp256r1 or prime256v1) with SHA-256.

  • 256-bit key size (equivalent to ~3072-bit RSA)
  • 128-bit security level
  • 64-byte signature (much smaller than RSA)
  • Widely supported in modern systems

ES384 (ECDSA P-384)

Uses the NIST P-384 curve with SHA-384.

  • 384-bit key size
  • 192-bit security level
  • 96-byte signature

ES512 (ECDSA P-521)

Uses the NIST P-521 curve with SHA-512. Note: ES512 uses P-521, not P-512.

  • 521-bit key size
  • 256-bit security level
  • 132-byte signature
  • Maximum ECDSA security

When to use ECDSA: Modern choice for new applications. Great for mobile and IoT where bandwidth and processing power are limited. ES256 is increasingly recommended over RS256 for new projects.

Algorithm Comparison

Signature Sizes

  • HS256: 32 bytes (256 bits)
  • RS256 (2048-bit key): 256 bytes
  • ES256: 64 bytes

Performance

General performance ranking (fastest to slowest):

  1. HMAC (HS256/384/512) — Fastest for both signing and verification
  2. ECDSA (ES256/384/512) — Fast, especially ES256
  3. RSA (RS256/384/512) — Slower, especially with larger keys

Security Equivalence

Security LevelHMACRSA Key SizeECDSA Curve
128 bitsHS2563072 bitsP-256 (ES256)
192 bitsHS3847680 bitsP-384 (ES384)
256 bitsHS51215360 bitsP-521 (ES512)

How to Choose the Right Algorithm

Choose HMAC (HS256) when:

  • Single server/application signs and verifies tokens
  • You control both the issuer and verifier
  • Maximum performance is critical
  • Secret key can be securely shared

Choose RSA (RS256) when:

  • Building OAuth 2.0 or OpenID Connect systems
  • Multiple services need to verify tokens
  • You need to publish public keys (JWKS)
  • Enterprise requirements mandate RSA

Choose ECDSA (ES256) when:

  • Building modern, new applications
  • Token size matters (mobile, IoT)
  • Performance with asymmetric keys is important
  • You want future-proof security

Verify Your JWT Signatures

Our decoder supports all algorithms: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512.

Go to JWT DecoderRead JWT Guide