PS256 (RSA-PSS-SHA256)
PS256 is an asymmetric JWT algorithm using RSA with PSS padding and SHA-256. PSS is a modern probabilistic signature scheme with tighter security proofs than PKCS#1 v1.5 used by RS256. PS256 is less ubiquitous than RS256 but preferred in some standards bodies and greenfield systems. Public keys distribute via JWKS like other RSA algorithms. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.
Why It Matters
Consider PS256 for new asymmetric deployments where all verifiers support it. Legacy gateways and older libraries may lack PS256 support — test before adopting. Algorithm choice must be enforced at verification time alongside RS256 and HS256 allowlists. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.
Code Example
{
"alg": "PS256",
"typ": "JWT",
"kid": "rsa-pss-1"
}Related Terms
Algorithm Guides
Related Tools
Related Articles
Frequently Asked Questions
PS256 vs RS256?
PS256 uses RSA-PSS padding; RS256 uses PKCS#1 v1.5. PS256 is more modern; RS256 has wider compatibility. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.
Can I use the same RSA key for PS256 and RS256?
Technically possible but not recommended. Use distinct keys and kid values per algorithm. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.
Is PS256 required for FAPI?
Some financial API profiles prefer PS256. Check your industry profile before choosing. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.