Auth0 Home Blog Docs

Which algorithm is best for security?

tier1
go
algorithm

#1

Hello,
I have a backend application in go and I am using jwt authentication method for my api’s.
I have two questions:

  1. Which one the best algorithm for
    secure an api HS256 or RS256
  2. I have created an api using the RS256 algorithm method. When I decode the token string in the Debugger then it decode all the values including the signature then how it is secure?

Also When I decode the token It given the invalid signature error although all the decoded values match with my original values.


#2

You might want to go through the following links for information on both the algorithms, comparison between the two and the best security practices:


#3

In addition to the documentation pointed in the other answer, you mentioned the use of Go and a problem validating the token. There as an issue with a Go library for JWT that would validate that the audience of the token was exactly the same as the one configured which could be a problem in some situation where multiple audiences were present. You can find more information here.

Another thing to have in mind is that a signed JWT can be represented as multiple base64url-encoded parts separated by a dot character and decoding the base64url data does not by itself guarantee any sort of assurance. In particular, if you need to ensure the token comes from a trusted party you’ll need to validate the signature and not just decode the base64url data.


#4

You might want to go through the following links for information on both the algorithms, comparison between the two and the best security practices:


#5

Thanks you for your answer!!


#6

Thank you for your reply on my question.


#7