RSA Key Generator
Generate RSA public/private key pairs in PEM format for RS256 JWT signing.
Last updated July 1, 2026
How to Use This Tool
Select key size: 2048-bit for standard production use, 4096-bit for high-security or long-lived keys.
Click Generate to create an RSA key pair using the Web Crypto API in your browser.
Copy the public key PEM for verifiers and JWKS endpoints. Store the private key in a secrets manager — never commit it.
Use the private key with your JWT library to sign RS256 tokens.
Code Examples
const jwt = require('jsonwebtoken');
const fs = require('fs');
const privateKey = fs.readFileSync('private.pem');
const publicKey = fs.readFileSync('public.pem');
const token = jwt.sign({ sub: 'user-1' }, privateKey, { algorithm: 'RS256' });
jwt.verify(token, publicKey, { algorithms: ['RS256'] });Frequently Asked Questions
2048 vs 4096-bit RSA?
2048-bit is the industry standard for new keys. Use 4096-bit for high-security or compliance requirements mandating larger keys.
Can I use these keys for TLS?
These are RSA-OAEP keys for general cryptographic use. TLS certificates require a CA-signed X.509 certificate, not a raw PEM pair.
Where should I store the private key?
In a secrets manager (AWS Secrets Manager, Vault) or secure environment variable. Never commit private keys to git.
How do I generate an RSA key pair for JWT?
Select 2048 or 4096 bits, click Generate, and download the PEM private and public keys. Use the private key server-side to sign RS256 tokens; publish the public key via JWKS for verifiers.
What RSA key size should I use for RS256?
Use 2048-bit RSA keys for new deployments. Choose 4096 bits for long-lived roots or high-assurance compliance requirements. Avoid 1024-bit keys entirely.