PS384 JWT Algorithm
PS384 combines RSA-PSS padding with SHA-384 hashing. Provides the improved security properties of RSA-PSS over PKCS#1 v1.5, with a 384-bit hash output. Used when compliance policies specifically require SHA-384.
Key Requirements
RSA key pair of at least 2048 bits. RSA-3072 recommended to maintain consistent security level with SHA-384.
JWT Header
Every JWT using PS384 has this header (base64url-encoded as the first segment):
{
"alg": "PS384",
"typ": "JWT"
}Code Examples
Node.js — Sign (jose library)
import { SignJWT, importPKCS8 } from 'jose'
const privateKey = await importPKCS8(process.env.RSA_PRIVATE_KEY!, 'PS384')
export async function signToken(payload: Record<string, unknown>) {
return new SignJWT(payload)
.setProtectedHeader({ alg: 'PS384' })
.setIssuedAt()
.setExpirationTime('1h')
.sign(privateKey)
}Node.js — Verify (jose library)
import { jwtVerify, importSPKI } from 'jose'
const publicKey = await importSPKI(process.env.RSA_PUBLIC_KEY!, 'PS384')
export async function verifyToken(token: string) {
const { payload } = await jwtVerify(token, publicKey, { algorithms: ['PS384'] })
return payload
}Python — PyJWT
import jwt
from cryptography.hazmat.primitives import serialization
with open("private.pem", "rb") as f:
private_key = serialization.load_pem_private_key(f.read(), password=None)
with open("public.pem", "rb") as f:
public_key = serialization.load_pem_public_key(f.read())
token = jwt.encode({"sub": "1234"}, private_key, algorithm="PS384")
payload = jwt.decode(token, public_key, algorithms=["PS384"])When to Use PS384
Compliance scenarios requiring both RSA-PSS and SHA-384. In practice, PS256 or PS512 are more commonly specified.
Security Considerations
RSA-PSS is provably secure. Salt length should equal hash output (48 bytes for SHA-384). Same key management considerations as PS256.
Related Algorithms
Standardised in RFC 7518 §3.5 — JSON Web Algorithms (JWA).
Decode a real JWT
Paste any JWT into the debugger to inspect the header, payload, and verify an PS384 signature.
Open JWT DebuggerFrequently Asked Questions
Why should I use PS256 instead of RS256?
RSA-PSS (PS256/PS384/PS512) uses probabilistic padding that is provably secure under the random oracle model. RS256's PKCS#1 v1.5 padding has known theoretical vulnerabilities (Bleichenbacher's attack). For new systems, PS256 is preferable to RS256 while reusing the same key infrastructure.
Can existing RS256 keys be reused for PS256?
Yes. PS256 uses the same RSA key format as RS256. You can migrate from RS256 to PS256 by changing the 'alg' field in the JWT header and updating your signing code — no key rotation required.
What salt length should I use with RSA-PSS?
The salt length should equal the hash output length: 32 bytes for PS256 (SHA-256), 48 bytes for PS384, 64 bytes for PS512. This maximises the security proof. The jose library uses the correct salt length by default.
