JWT Algorithms Reference
JWT algorithms are used for signing and encrypting tokens. This reference guide provides detailed information about the various algorithms supported by the JWT standard, their security characteristics, and recommendations for their use.
Algorithm Categories
JWT algorithms fall into several categories based on their purpose and cryptographic approach:
Signature Algorithms
Used to sign JWTs to ensure integrity and authenticity.
Encryption Algorithms
Used to encrypt JWTs to ensure confidentiality (JWE).
Key Management Algorithms
Used to encrypt or agree upon keys for JWE.
Signature Algorithms (JWS)
JSON Web Signature (JWS) algorithms are used to sign JWTs. The signature is created using the header and payload of the JWT, ensuring that the token hasn't been tampered with.
| Algorithm | Description | Key Type | Security Level | Recommended |
|---|---|---|---|---|
none |
No signature (unsecured JWT) | None | Very Low | Never use in production |
HS256 |
HMAC with SHA-256 | Symmetric | Medium | With strong secret |
HS384 |
HMAC with SHA-384 | Symmetric | High | With strong secret |
HS512 |
HMAC with SHA-512 | Symmetric | High | With strong secret |
RS256 |
RSASSA-PKCS1-v1_5 with SHA-256 | Asymmetric | High | Recommended |
RS384 |
RSASSA-PKCS1-v1_5 with SHA-384 | Asymmetric | High | Recommended |
RS512 |
RSASSA-PKCS1-v1_5 with SHA-512 | Asymmetric | High | Recommended |
ES256 |
ECDSA with P-256 and SHA-256 | Asymmetric | High | Recommended |
ES384 |
ECDSA with P-384 and SHA-384 | Asymmetric | High | Recommended |
ES512 |
ECDSA with P-521 and SHA-512 | Asymmetric | High | Recommended |
PS256 |
RSASSA-PSS with SHA-256 | Asymmetric | High | Recommended |
PS384 |
RSASSA-PSS with SHA-384 | Asymmetric | High | Recommended |
PS512 |
RSASSA-PSS with SHA-512 | Asymmetric | High | Recommended |
EdDSA |
Edwards-curve Digital Signature Algorithm | Asymmetric | High | Recommended |
Algorithm Characteristics
HMAC Algorithms (HS256, HS384, HS512)
- Type: Symmetric key algorithms
- Key Requirements: Same secret key for both signing and verification
- Advantages: Fast, simple implementation
- Disadvantages: Secret must be shared between all parties that sign or verify tokens
- Use Case: Single server environments or tightly controlled microservices
- Security Considerations: Secret must be strong and kept secure
RSA Algorithms (RS256, RS384, RS512)
- Type: Asymmetric key algorithms
- Key Requirements: Private key for signing, public key for verification
- Advantages: Public key can be distributed widely without compromising security
- Disadvantages: Slower than HMAC, larger signatures
- Use Case: Multi-server environments, public-facing APIs
- Security Considerations: Private key must be kept secure
ECDSA Algorithms (ES256, ES384, ES512)
- Type: Asymmetric key algorithms based on elliptic curves
- Key Requirements: Private key for signing, public key for verification
- Advantages: Smaller keys and signatures than RSA for equivalent security
- Disadvantages: Implementation complexity, potential patent issues in some jurisdictions
- Use Case: Mobile applications, environments with bandwidth constraints
- Security Considerations: Requires secure random number generation
RSASSA-PSS Algorithms (PS256, PS384, PS512)
- Type: Asymmetric key algorithms (improved RSA)
- Key Requirements: Private key for signing, public key for verification
- Advantages: More secure than RSASSA-PKCS1-v1_5 (RS*) against certain attacks
- Disadvantages: Less widely supported than RS* algorithms
- Use Case: High-security environments
- Security Considerations: Preferred over RS* when supported
EdDSA Algorithm
- Type: Asymmetric key algorithm based on Edwards curves
- Key Requirements: Private key for signing, public key for verification
- Advantages: Fast, secure, resistant to side-channel attacks
- Disadvantages: Newer, less widely supported
- Use Case: High-security environments, modern applications
- Security Considerations: Excellent security properties
Algorithm Selection Guidelines
Recommended Algorithms
For most applications, we recommend the following algorithms:
- Single-server applications: HS256 with a strong secret (at least 256 bits)
- Multi-server or public-facing applications: RS256, ES256, or PS256
- High-security applications: ES384, PS384, or EdDSA
Algorithms to Avoid
- none: Never use the "none" algorithm in production
- HS256 with weak secrets: Avoid using passwords, dictionary words, or short strings as secrets
Warning: Always ensure your JWT library explicitly rejects the "none" algorithm, as this is a common security vulnerability.
Key Size Recommendations
| Algorithm | Minimum Key Size | Recommended Key Size |
|---|---|---|
| HMAC (HS256, HS384, HS512) | Same as hash output length | ≥ 256 bits (32 bytes) |
| RSA (RS256, RS384, RS512, PS256, PS384, PS512) | 2048 bits | 3072 or 4096 bits |
| ECDSA (ES256) | P-256 (256 bits) | P-256 (256 bits) |
| ECDSA (ES384) | P-384 (384 bits) | P-384 (384 bits) |
| ECDSA (ES512) | P-521 (521 bits) | P-521 (521 bits) |
| EdDSA (Ed25519) | 255 bits | 255 bits |
Algorithm Implementation Examples
Node.js Example (jsonwebtoken library)
const jwt = require('jsonwebtoken');
// HS256 (HMAC with SHA-256)
const hmacSecret = 'your-strong-secret-key-at-least-32-characters';
const hmacToken = jwt.sign({ sub: 'user123' }, hmacSecret, { algorithm: 'HS256' });
// RS256 (RSA with SHA-256)
const privateKey = fs.readFileSync('private.key');
const rsaToken = jwt.sign({ sub: 'user123' }, privateKey, { algorithm: 'RS256' });
// ES256 (ECDSA with P-256 and SHA-256)
const ecPrivateKey = fs.readFileSync('ec-private.key');
const ecdsaToken = jwt.sign({ sub: 'user123' }, ecPrivateKey, { algorithm: 'ES256' });Python Example (PyJWT library)
import jwt
import datetime
# HS256 (HMAC with SHA-256)
hmac_secret = 'your-strong-secret-key-at-least-32-characters'
hmac_token = jwt.encode(
{'sub': 'user123', 'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)},
hmac_secret,
algorithm='HS256'
)
# RS256 (RSA with SHA-256)
with open('private.key', 'r') as f:
private_key = f.read()
rsa_token = jwt.encode(
{'sub': 'user123', 'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)},
private_key,
algorithm='RS256'
)Conclusion
Choosing the right JWT algorithm is crucial for the security of your application. Consider your specific requirements, security needs, and deployment environment when selecting an algorithm.
For most applications, asymmetric algorithms like RS256 or ES256 provide a good balance of security and usability. Always ensure you're using appropriate key sizes and following best practices for key management.