ES256 (ECDSA-SHA256)
ES256 is an asymmetric JWT algorithm using ECDSA with the P-256 curve and SHA-256. It produces smaller signatures than RS256 while offering comparable security with shorter keys. The private key signs tokens; verifiers use the corresponding public key. ES256 is increasingly popular in mobile, IoT, and cloud identity providers that prioritize compact tokens and fast verification. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.
Why It Matters
ES256 reduces token size versus RS256, which matters for cookies and bandwidth-constrained clients. It requires careful handling of ECDSA signature malleability and correct curve parameters. Publish public keys via JWKS with crv, x, and y coordinates for interoperable verification. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.
Code Example
{
"alg": "ES256",
"typ": "JWT",
"kid": "ec-prod-1"
}Related Terms
Related Comparisons
Algorithm Guides
Related Tools
Related Articles
Frequently Asked Questions
ES256 vs RS256?
ES256 produces smaller signatures with shorter keys. RS256 has broader legacy support. Both are production-grade asymmetric choices. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.
What curve does ES256 use?
P-256 (also called secp256r1 or prime256v1). Using the wrong curve breaks verification. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.
Can I use ES256 with HS256 secrets?
No. ES256 requires an EC key pair. Mixing symmetric and asymmetric material causes verification failures. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.