HS256 (HMAC-SHA256)

HS256 is a JWT signing algorithm that combines HMAC with the SHA-256 hash function. A single shared secret signs and verifies tokens. HS256 is the most common symmetric JWT algorithm — fast, simple, and secure when the secret is properly generated and stored. The recommended minimum secret size is 256 bits. The alg header must be HS256 and verifiers must reject tokens signed with unexpected algorithms to prevent confusion attacks. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.

Why It Matters

Most monoliths and small APIs use HS256 by default. Choosing HS256 means every service that verifies tokens needs access to the signing secret, which is fine for single-service architectures but becomes a coordination problem at scale. Compare with RS256 when multiple microservices need to verify tokens without sharing private signing material. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Code Example

HS256 JWT header
{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "2024-01"
}

Related Terms

Related Comparisons

Algorithm Guides

Related Tools

Related Articles

Frequently Asked Questions

Is HS256 secure?

Yes, with a 256-bit random secret and proper validation. The weak link is usually secret storage and algorithm enforcement, not the algorithm itself. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

HS256 vs HS512?

HS512 uses SHA-512 internally and recommends a 512-bit secret. HS256 is sufficient for most production apps and is more widely supported. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Can browsers sign HS256 JWTs safely?

Signing in the browser exposes the secret to users. Only sign server-side; browsers should receive already-issued tokens. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.