RS256 (RSA-SHA256)

RS256 is an asymmetric JWT signing algorithm. The authorization server signs tokens with a private RSA key; any service can verify with the public key without access to signing material. This isolates the signer from verifiers and enables JWKS (JSON Web Key Set) endpoints for key distribution. RS256 uses PKCS#1 v1.5 padding with SHA-256. Key sizes of 2048 bits or larger are recommended for production deployments. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.

Why It Matters

Choose RS256 when multiple services verify tokens, third parties need to validate your JWTs, or you want to publish a public key without exposing the signer. The tradeoff is slower signing, more complex key management, and PEM/JWKS infrastructure. Pair RS256 with kid headers and a published JWKS endpoint for rotation. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Code Example

RS256 JWT header
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "prod-rsa-1"
}

Related Terms

Related Comparisons

Algorithm Guides

Related Tools

Related Articles

Frequently Asked Questions

Does JWTSecrets support RS256 signing?

Browser tools support HS256 signing and RSA key generation. Use our RSA Key Generator for development keys; use your cloud KMS or HSM for production signing. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

What key size for RS256?

Use at least 2048-bit RSA keys; 4096-bit for long-lived or high-security deployments. Smaller keys are deprecated and easier to factor. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

RS256 vs PS256?

PS256 uses RSA-PSS padding, which is more modern. RS256 remains the most common asymmetric JWT algorithm in the wild. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.