Aller au contenu

Supported algorithms

Ce contenu n’est pas encore disponible dans votre langue.

JWTop supports all algorithm families defined by RFC 7518.

FamilyAlgorithmsKey type
HMACHS256, HS384, HS512Shared secret ([]byte)
RSA PKCS#1 v1.5RS256, RS384, RS512RSA private/public key
RSA-PSSPS256, PS384, PS512RSA private/public key
ECDSAES256, ES384, ES512EC private/public key
NonenoneNo key required

Choose HMAC (HS256 / HS384 / HS512) when:

  • The same service both issues and verifies tokens.
  • Simplicity and performance are priorities.
  • The secret can be stored securely on both sides.

Choose RSA or EC (RS256, ES256, …) when:

  • Multiple services need to verify tokens without access to the signing key.
  • You publish a JWKS endpoint for key discovery.
  • You need to rotate keys without sharing secrets.

ES256 vs RS256: ECDSA keys are smaller and operations are faster at equivalent security levels. Prefer ES256 for new deployments.

PS256 vs RS256: RSA-PSS (PS*) is more resistant to certain theoretical attacks than PKCS#1 v1.5 (RS*). Both are acceptable in practice.

Use standard tools to generate PEM key pairs:

Terminal window
# RSA 2048-bit
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
# EC P-256 (for ES256)
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
openssl ec -in private.pem -pubout -out public.pem
# EC P-384 (for ES384)
openssl ecparam -name secp384r1 -genkey -noout -out private.pem
openssl ec -in private.pem -pubout -out public.pem