HS256 vs RS256: Which JWT Algorithm Should You Use?

When implementing JWT authentication, one of the most critical decisions is choosing the signing algorithm. The two most common choices are HS256 (HMAC with SHA-256) and RS256 (RSA Signature with SHA-256). Each has distinct characteristics that make it suitable for different scenarios.

What is HS256?

HS256 (HMAC-SHA256) is a symmetric algorithm, meaning it uses the same secret key for both signing and verification. The signature is created by hashing the header and payload with the secret key using HMAC.

// HS256 Signing Process
const crypto = require('crypto');

const header = Buffer.from(JSON.stringify({alg: 'HS256', typ: 'JWT'})).toString('base64url');
const payload = Buffer.from(JSON.stringify({sub: '123', name: 'John'})).toString('base64url');

const signature = crypto
  .createHmac('sha256', secretKey)
  .update(header + '.' + payload)
  .digest('base64url');

const token = header + '.' + payload + '.' + signature;

What is RS256?

RS256 is an asymmetric algorithm that uses a private key to sign tokens and a public key to verify them. This separation provides significant security advantages in distributed systems.

// RS256 Signing Process
const jwt = require('jsonwebtoken');
const privateKey = fs.readFileSync('./private.pem');
const publicKey = fs.readFileSync('./public.pem');

// Sign with private key
const token = jwt.sign({sub: '123', name: 'John'}, privateKey, {algorithm: 'RS256'});

// Verify with public key
const decoded = jwt.verify(token, publicKey, {algorithms: ['RS256']});

Key Differences

When to Use HS256

• Single-server applications - When one service both issues and verifies tokens
• Internal microservices - When all services can securely share the secret
• Performance-critical systems - When verification speed is critical
• Simple architectures - When you don't need public key distribution

Generate a secure HS256 secret key using our free tool.

When to Use RS256

• Microservice architectures - When multiple services need to verify tokens without sharing secrets
• Third-party integrations - When external systems need to verify your tokens
• Enterprise SSO - When you need key rotation without service disruption
• Public APIs - When clients need to verify tokens offline

Verify RS256 tokens using our JWT Validator.

Security Considerations

HS256 Security

• Use strong secrets (256+ bits from a secure random source)
• Never commit secrets to version control
• Rotate secrets periodically and after any suspected compromise
• Use different secrets for each environment

RS256 Security

• Use 2048-bit keys minimum (4096 bits for long-term security)
• Protect private keys with strong passphrases
• Use HSM or cloud KMS for production private keys
• Implement proper key rotation with kid claim

Common Vulnerabilities

Both algorithms have specific attack vectors you must address:

HS256 Attack: Weak Secrets

Attackers can brute-force weak secrets. Always use cryptographically secure random secrets.

RS256 Attack: Algorithm Confusion

If your verifier doesn't strictly check the algorithm, attackers can switch from RS256 to HS256 and use the public key as the HMAC secret.

// VULNERABLE: Don't do this
const decoded = jwt.verify(token, publicKey); // No algorithm check!

// SECURE: Always specify expected algorithms
const decoded = jwt.verify(token, publicKey, {algorithms: ['RS256']});

Recommendation

For most applications: Start with HS256 for simplicity. It's faster, tokens are smaller, and it's easier to implement correctly.

For distributed systems: Use RS256 when you need to distribute verification capability without sharing secrets, or when you need non-repudiation.

Tools

• JWT Secret Generator - Generate secure HS256 secrets
• JWT Validator - Verify and decode tokens
• RSA Key Generator - Generate RS256 key pairs