RS256 vs HS256 What's the difference?

Learn the difference between RS256 and HS256 JWT signing algorithms.

Brought to you by @william.johnson

3 Likes

What are your thoughts, guys? Share it in the comments!

3 Likes

Hi there,

I believe that elements of this blog are incorrect. For example, the blog states:

NOTE: In both cases, a third party could potentially find your secret key and generate a JWT that would be considered valid for your application. Verifiers (applications) of tokens have the same key that signs a JWT, which increases the risk of being exposed to a third party. You would need to take caution to protect the key from being compromised, such as putting the secret in a secure secrets store, limiting access to the secret, etc.

This note refers to both the HS256 and RS256 algorithms. In the case of the RS256 algorithm, the verifier should not have the private key that signs a JWT. It would only need to have the public key.

Also, the screenshot of jwt.io also shows the use of a private key, but this isn’t required to verify the signature. It is only used if you want to edit the JWT in the tool.

Would it be possible to update this blog to ensure it is accurate?

@william.johnson @robertino.calcaterra can you guys address the above message? Thank you!

Welcome Stu,

Thank you for pointing this out. We will get it corrected.

1 Like