RS256 (RSA-SHA256)

RS256 signs JWTs with an RSA private key and verifies with the corresponding public key. Only the auth service needs the private key; other services verify using the public key or JWKS endpoint.

When to Use

Use RS256 in microservices, third-party token verification, and when you cannot distribute a shared secret to all consumers. Common in OAuth2 providers and enterprise APIs.

Key Length Requirements

Use RSA keys of at least 2048 bits; 4096 bits for long-lived or high-security deployments. Export public keys via JWKS for verifiers.

Generate Keys

Recommended: 2048-bit

Open Rsa Key Generator
Read full glossary definition: RS256 (RSA-SHA256)

Related Comparisons

Related Terms

Frequently Asked Questions

Can I verify RS256 in the browser validator?

Our JWT Validator supports HS256 verification. RS256 verification requires your public key in code or a JWKS endpoint.

How do I distribute the public key?

Publish a JWKS endpoint at /.well-known/jwks.json or embed the PEM public key in each verifying service.