RS256 (RSA SHA-256) JWT Signing
Learn how RS256 (RSA SHA-256) JWT signing uses public/private key pairs, why it suits distributed systems, JWKS endpoints, and key rotation strategies.
Detailed Explanation
RS256 (RSASSA-PKCS1-v1_5 using SHA-256) is an asymmetric signing algorithm that uses an RSA key pair: a private key to create signatures and a corresponding public key to verify them. This separation of signing and verification capabilities makes RS256 the standard choice for distributed systems and third-party identity providers.
How RS256 signing works:
RSA_SIGN(
SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload)),
privateKey
)
The server computes the SHA-256 hash of the encoded header and payload, then signs this hash using the RSA private key with PKCS#1 v1.5 padding. Verification uses the public key to check the signature against the hash. Only the holder of the private key can create valid signatures, but anyone with the public key can verify them.
Key management with JWKS:
Public keys are typically published via a JSON Web Key Set (JWKS) endpoint, conventionally located at {issuer}/.well-known/jwks.json. Verifying services fetch this endpoint to obtain the public keys. The JWT header includes a kid (key ID) field that indicates which key from the JWKS was used for signing. This supports key rotation: the issuer adds a new key to the JWKS, starts signing with the new key, and eventually removes the old key once all tokens signed with it have expired.
Key size and performance:
RSA keys for RS256 should be at least 2048 bits; 4096 bits is recommended for new deployments. Signing with RS256 is significantly slower than HS256 (roughly 10-100x depending on key size and hardware), but verification is fast. This asymmetry is acceptable because signing happens infrequently (at token issuance) while verification happens on every request.
Why RS256 is preferred for distributed systems:
In an architecture with one identity provider and many microservices, only the identity provider needs the private key. All other services only need the public key, which can be freely distributed without security risk. If a verifying service is compromised, the attacker cannot forge tokens because they do not have the private key. This is RS256's key advantage over HS256.
Use Case
An identity provider like Auth0 or Keycloak signs tokens with a private RSA key while publishing the public key via JWKS, allowing any microservice to verify tokens independently.