Aarunya AppsAarunya Apps

PS384 JWT Algorithm

PS384 combines RSA-PSS padding with SHA-384 hashing. Provides the improved security properties of RSA-PSS over PKCS#1 v1.5, with a 384-bit hash output. Used when compliance policies specifically require SHA-384.

Family
RSA-PSS
Hash
SHA-384
Key type
asymmetric
Performance
Slow (1–10ms)

Key Requirements

RSA key pair of at least 2048 bits. RSA-3072 recommended to maintain consistent security level with SHA-384.

JWT Header

Every JWT using PS384 has this header (base64url-encoded as the first segment):

{
  "alg": "PS384",
  "typ": "JWT"
}

Code Examples

Node.js — Sign (jose library)
import { SignJWT, importPKCS8 } from 'jose'

const privateKey = await importPKCS8(process.env.RSA_PRIVATE_KEY!, 'PS384')

export async function signToken(payload: Record<string, unknown>) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'PS384' })
    .setIssuedAt()
    .setExpirationTime('1h')
    .sign(privateKey)
}
Node.js — Verify (jose library)
import { jwtVerify, importSPKI } from 'jose'

const publicKey = await importSPKI(process.env.RSA_PUBLIC_KEY!, 'PS384')

export async function verifyToken(token: string) {
  const { payload } = await jwtVerify(token, publicKey, { algorithms: ['PS384'] })
  return payload
}
Python — PyJWT
import jwt
from cryptography.hazmat.primitives import serialization

with open("private.pem", "rb") as f:
    private_key = serialization.load_pem_private_key(f.read(), password=None)
with open("public.pem", "rb") as f:
    public_key = serialization.load_pem_public_key(f.read())

token = jwt.encode({"sub": "1234"}, private_key, algorithm="PS384")
payload = jwt.decode(token, public_key, algorithms=["PS384"])

When to Use PS384

Compliance scenarios requiring both RSA-PSS and SHA-384. In practice, PS256 or PS512 are more commonly specified.

Security Considerations

RSA-PSS is provably secure. Salt length should equal hash output (48 bytes for SHA-384). Same key management considerations as PS256.

Related Algorithms

Standardised in RFC 7518 §3.5 — JSON Web Algorithms (JWA).

Decode a real JWT

Paste any JWT into the debugger to inspect the header, payload, and verify an PS384 signature.

Open JWT Debugger

Frequently Asked Questions

Why should I use PS256 instead of RS256?

RSA-PSS (PS256/PS384/PS512) uses probabilistic padding that is provably secure under the random oracle model. RS256's PKCS#1 v1.5 padding has known theoretical vulnerabilities (Bleichenbacher's attack). For new systems, PS256 is preferable to RS256 while reusing the same key infrastructure.

Can existing RS256 keys be reused for PS256?

Yes. PS256 uses the same RSA key format as RS256. You can migrate from RS256 to PS256 by changing the 'alg' field in the JWT header and updating your signing code — no key rotation required.

What salt length should I use with RSA-PSS?

The salt length should equal the hash output length: 32 bytes for PS256 (SHA-256), 48 bytes for PS384, 64 bytes for PS512. This maximises the security proof. The jose library uses the correct salt length by default.