JWT signing: HS256 vs. RS256

With the goal of increasing flexibility for our customers, AuthRocket has added support for JWT signing using the RS256 asymmetric algorithm. We've always offered the HS256 symmetric algorithm, which remains the default.

What's the difference?

HS256 is a symmetric algorithm, meaning there is one secret key shared between AuthRocket and the recipient of the token. The same key is used to both create the signature and to validate it. This key must be kept secret at all times.

If you are developing the app that is receiving the tokens, then you should use HS256. It is more secure, faster, and the token is smaller.

RS256 is an asymmetric algorithm, meaning it uses a public/private key pair. AuthRocket uses the private key for signing and provides you the public key to use to validate the signature.

If you don't have control over the app/client receiving the tokens, then RS256 is a good choice. The key can be used in a browser or mobile app, doesn't have to be secure, and can be shared without compromising security.

We still recommend using a symmetric algorithm any time it's possible since it produces smaller tokens and signs faster. Accordingly, HS256 remains the default, but now you have an alternative for when HS256 isn't right for you.

Details here.

Having trouble deciding which is best for your app?  Tell us a little about your project.  We'd love to help.