HS256 vs RS256: Which JWT Algorithm Should You Use?
The choice between HS256 and RS256 decides who is able to mint tokens, and that single fact shapes your security architecture.
HS256 — HMAC with SHA-256
A symmetric algorithm — the same secret is used to both sign and verify tokens.
How it works:
HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)
Verification recomputes the same HMAC with the same secret and compares it with the token's signature, so anyone who can verify can also sign.
Pros:
- Simple setup — one secret key
- Fast: signing and verifying are each a single HMAC computation, far cheaper than an RSA operation
- Low overhead
Cons:
- Every service that verifies tokens must know the secret
- Every verifier can also forge tokens, so compromising any verifier is equivalent to compromising the signer
- Difficult to rotate in distributed systems
Use when: You have a single service or a small number of tightly controlled services.
RS256 — RSA Signature with SHA-256
An asymmetric algorithm — a private key signs tokens, a public key verifies them.
How it works:
signature = RSA-SHA256(base64url(header) + "." + base64url(payload), privateKey)
// Verification:
RSA-SHA256-verify(base64url(header) + "." + base64url(payload), signature, publicKey)
RS256 is RSASSA-PKCS1-v1_5 with SHA-256 as defined in RFC 7518 (the RSA-PSS variant is PS256). The header normally carries a kid (key id) so a verifier can pick the matching public key out of a JWKS.
Pros:
- Public key can be distributed safely
- Only the auth server holds the private key
- Easy to support multiple services/microservices
- Supports JWKS (JSON Web Key Sets) for automatic key distribution
Cons:
- More complex setup
- Slower than HMAC
- Larger keys and signatures: a 2048-bit RSA signature is 256 bytes against 32 bytes for an HMAC-SHA256 tag, so tokens are noticeably bigger
Use when: You have multiple services, microservices architecture, or third-party integrations.
Decision Matrix
| Criteria | HS256 | RS256 |
|---|---|---|
| Architecture | Monolith/simple | Microservices |
| Key distribution | Shared secret | Public key (safe to distribute) |
| Performance | Faster | Slower |
| Key rotation | Every verifier must be given the new secret | Auth server signs with the new key and publishes it in the JWKS under a new kid; verifiers pick it up on their next fetch |
| Third-party verification | Hard | Easy (JWKS endpoint) |
Recommendation
For new projects with any microservices or external integrations: use RS256. The operational benefits outweigh the added complexity. Whichever you choose, the verifier must pin the algorithm it expects instead of trusting the token's alg header: a verifier that lets the token choose can be handed an HS256 token signed with the RSA public key as the HMAC secret, which turns the public key into a shared secret, and it must never accept alg "none".