HS256 vs RS256 — JWT Signing Algorithms Compared
Choosing between HS256 (HMAC) and RS256 (RSA) is one of the most important decisions when implementing JWT authentication. Each algorithm has different security properties, key management requirements, and performance characteristics.
JWT Builder
Build and sign JSON Web Tokens with custom claims and your choice of HMAC, RSA, or ECDSA algorithms. All signing happens in your browser.
Algorithm Reference
HMAC (symmetric)
HS256 / HS384 / HS512
Shared secret key. Simple setup. Both signer and verifier need the same key.
RSA (asymmetric)
RS256 / RS384 / RS512
Public/private key pair. Private key signs, public key verifies. Most common in production.
ECDSA (asymmetric)
ES256 / ES384 / ES512
Elliptic curve keys. Smaller keys for security comparable to RSA. Faster verification.
HS256 — symmetric signing
HS256 uses HMAC with SHA-256, a symmetric algorithm where the same secret key signs and verifies the token. It is fast, simple to implement, and works well when the token issuer and verifier are the same service or share a trusted secret. The main risk is secret distribution — every service that needs to verify tokens must have the secret, and a leaked secret compromises all tokens.
RS256 — asymmetric signing
RS256 uses RSA with SHA-256, an asymmetric algorithm with a private key for signing and a public key for verification. The private key stays with the issuer (auth server), while verifiers only need the public key. This is ideal for microservices and third-party integrations because the public key can be freely distributed without compromising token security. The trade-off is larger token size (~256 bytes for the signature vs ~32 bytes for HS256) and slower signing.
When to use which
Use HS256 for monolithic applications where the same service issues and verifies tokens, internal tools with a single trusted secret, and when simplicity and performance matter most. Use RS256 for microservice architectures where multiple services verify tokens, OAuth 2.0 and OpenID Connect implementations, public APIs where clients need to verify tokens without a shared secret, and JWKS (JSON Web Key Set) rotation scenarios.
Frequently Asked Questions
Is RS256 more secure than HS256?
Not inherently — both are secure when used correctly. RS256 has better key management properties because the verification key (public) cannot be used to forge tokens. HS256 is equally secure cryptographically but requires careful secret distribution. The "alg: none" attack and key confusion attacks are implementation bugs, not algorithm weaknesses.
Can I switch from HS256 to RS256 without breaking existing tokens?
No. Tokens signed with HS256 cannot be verified with an RS256 public key, and vice versa. To migrate, issue new tokens with RS256 while continuing to verify old HS256 tokens during a transition period. Set short expiration times on HS256 tokens to speed up the migration.
What about ES256 (ECDSA)?
ES256 uses Elliptic Curve Digital Signatures, offering the same asymmetric benefits as RS256 with smaller keys and signatures. An ES256 signature is ~64 bytes vs ~256 bytes for RS256. It is increasingly preferred for new implementations, especially in mobile and IoT where bandwidth matters.