JWT HS256 vs RS256

HS256 signs with a shared secret (HMAC-SHA256). It is simple and fast but requires secure secret distribution to every verifier. Any holder of the secret can also mint tokens, which increases blast radius if a verifier is compromised.

RS256 uses an RSA private key for signing and a public key for verification. Publishers can expose a JWKS endpoint for key discovery and rotation via kid. Only the issuer holds the private key; verifiers keep public keys, reducing trust requirements across services and enabling safer multi-tenant/microservice deployments.

Operationally, pin the accepted alg on the verifier side rather than trusting the token header, validate the issuer (iss) and audience (aud) claims, and rotate keys regularly. For compact tokens in constrained environments, HS256 remains attractive; for distributed verification, RS256 usually wins.
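As an added, stdlib-only example (not code from this page), the verifier below pins alg to HS256, checks the HMAC before reading any claim, and validates iss, aud and exp; the secret and claim values are constructed for the demo. An RS256 verifier would differ only in the signature step (RSA public key selected by kid from the JWKS).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret; a real one is 32+ random bytes kept out of source.
SECRET = b"constructed-demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid for this verifier, else raise ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # alg pinning: the verifier chooses the algorithm; "none", RS256 or anything
    # else in the header is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    # Verify the signature before trusting any claim; constant-time compare.
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")  # aud may be a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("expired")
    return claims
```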

Related tools

Try: JWT, HMAC-SHA256, RSA

FAQ

When should I prefer RS256 over HS256?
Use RS256 when multiple services verify tokens. You can publish a JWKS of public keys, avoiding secret sharing and simplifying rotation.
Is HS256 insecure?
HS256 is secure if keys are long and kept secret. Risks arise from secret distribution, weak keys, and misconfiguration. Limit who can sign and verify.