HS256 is the most widely used signing algorithm in the JWT ecosystem.

If you've ever generated a JWT using a library such as jsonwebtoken, jose, or an authentication provider, there's a good chance you've already used HS256.

It is simple, fast, and easy to implement, making it an excellent choice for many applications.

However, HS256 is also frequently misunderstood. Many JWT vulnerabilities are not caused by weaknesses in the algorithm itself, but by poor secret management and incorrect implementation.

This chapter explains how HS256 works, when it should be used, and when another algorithm may be a better choice.


What Does HS256 Mean?

The name HS256 can be broken into two parts.

More formally:

HS256 = HMAC-SHA256

HS256 uses a shared secret to both sign and verify JWTs.

This makes it a symmetric signing algorithm.


Symmetric Cryptography

With symmetric cryptography, both parties use the same secret key.

            Shared Secret
                 │
        ┌────────┴────────┐
        ▼                 ▼
      Sign             Verify

The server signs the JWT using the secret.

Later, the same secret is used to verify the signature.