HS256 (HMAC-SHA256)
HS256 is a symmetric JWT signing algorithm that uses HMAC with SHA-256. The same secret signs and verifies tokens, making it simple for monoliths and single-service APIs. It is the most common JWT algorithm for internal applications.
When to Use
Use HS256 when one service both issues and verifies tokens, you want minimal infrastructure overhead, and all verifiers can securely access the shared secret. Avoid sharing the secret across many microservices — consider RS256 instead.
Key Length Requirements
Minimum 256 bits (32 bytes) for the HMAC secret. Use cryptographically random bytes, not passphrases. HS384 and HS512 require proportionally longer secrets.
Generate Keys
Recommended: 256-bit
Open Jwt Secret GeneratorRelated Comparisons
Related Terms
Frequently Asked Questions
Is HS256 still secure?
Yes, with a 256-bit random secret and proper validation. Weak or leaked secrets are the primary risk, not the algorithm itself.
HS256 vs RS256?
HS256 uses one shared secret. RS256 uses a public/private key pair — better when multiple services verify tokens without access to the signing key.