HS256 vs RS256 for JWT signing
July 5, 2026 · 16 min read
Choosing between HS256 (HMAC with shared secret) and RS256 (RSA with private/public key pair) shapes how you rotate keys, how microservices verify tokens, and what happens if a verifier leaks material. Both are widely supported; the decision is operational as much as cryptographic.
HS256 symmetric signing
One secret signs and verifies. Setup is simple for a monolith or single API. Risk: every service that verifies must hold the full secret - leak anywhere compromises the entire system. Use HS256 when only the auth server verifies its own tokens and the secret lives in a hardened secret manager.
Issuer: HMAC-SHA256(signing_input, SECRET)
Verifier: HMAC-SHA256(signing_input, SECRET) # same SECRET
RS256 asymmetric signing
The authorization server signs with a private key; resource servers verify with the public key only. Public keys can ship via JWKS URL without exposing signing capability. RSA-2048 or larger is typical; ES256 (ECDSA) offers smaller tokens with different curve math.
// JWKS excerpt (public keys only)
{
"keys": [{
"kty": "RSA",
"kid": "prod-2026-06",
"use": "sig",
"alg": "RS256",
"n": "...",
"e": "AQAB"
}]
}
Tradeoffs at a glance
- Key distribution - HS256 shares one secret; RS256 distributes public keys safely.
- Performance - HS256 is faster; RS256 cost is usually negligible vs network RTT.
- Blast radius - HS256 leak forges tokens; RS256 public key leak does not.
- Complexity - RS256 needs PEM management, JWKS, and kid rotation discipline.
JWKS and key rotation
Publish keys at /.well-known/jwks.json. Add new kid, sign new tokens with it, keep old public keys until all outstanding tokens expire, then remove. Validate PEM files before deploy with a PEM validator. Never commit private keys to git.
Migrating from HS256 to RS256
Run dual verification during transition: accept both algorithms with separate keys for a bounded period, issue only RS256 for new sessions, and shorten access token TTL to flush HS256 tokens. Update API gateway allowlists and integration tests. Generate sample RS256 tokens in the JWT generator and verify with your public PEM.
FAQ
- Is RS256 always more secure than HS256?
- Not inherently. RS256 reduces risk when many verifiers exist. A strong HS256 secret used only on the issuer can be equally sound for monoliths.
- Can I switch alg without changing user sessions?
- Users need new tokens signed with the new alg. Plan overlap verification and session refresh.
- What about ES256?
- ES256 uses elliptic curves; smaller signatures, growing support. Same asymmetric model as RS256.
- Should API gateways terminate JWT verification?
- Often yes for RS256 with JWKS caching. Ensure gateways pin algorithms and respect kid rotation.
Related: JWT security mistakes · What is a JWT