RS256 (RSA-SHA256)
RS256 signs JWTs with an RSA private key and verifies with the corresponding public key. Only the auth service needs the private key; other services verify using the public key or JWKS endpoint.
When to Use
Use RS256 in microservices, third-party token verification, and when you cannot distribute a shared secret to all consumers. Common in OAuth2 providers and enterprise APIs.
Key Length Requirements
Use RSA keys of at least 2048 bits; 4096 bits for long-lived or high-security deployments. Export public keys via JWKS for verifiers.
Generate Keys
Recommended: 2048-bit
Open Rsa Key GeneratorRelated Comparisons
Related Terms
Frequently Asked Questions
Can I verify RS256 in the browser validator?
Our JWT Validator supports HS256 verification. RS256 verification requires your public key in code or a JWKS endpoint.
How do I distribute the public key?
Publish a JWKS endpoint at /.well-known/jwks.json or embed the PEM public key in each verifying service.