Aarunya Apps

PS512 JWT Algorithm

PS512 uses RSA-PSS with SHA-512 — the strongest RSA-family algorithm in RFC 7518. It combines RSA-PSS's improved, provably secure padding with SHA-512's 512-bit output. For new high-security systems that must use RSA, PS512 is preferable to RS512.

Family: RSA-PSS
Hash: SHA-512
Key type: asymmetric
Performance: Slow (1–10ms)

Key Requirements

PS512 requires an RSA key pair; use at least 4096 bits to achieve SHA-512-tier security. RSA-2048 is technically accepted but creates a security-level mismatch between the key strength and the hash.

JWT Header

Every JWT using PS512 has this header (base64url-encoded as the first segment):

{
  "alg": "PS512",
  "typ": "JWT"
}

Code Examples

Node.js — Sign (jose library)

import { SignJWT, importPKCS8 } from 'jose'

// Load the PKCS#8 PEM private key for PS512 (the `!` is a TypeScript
// non-null assertion; drop it in plain JavaScript).
const privateKey = await importPKCS8(process.env.RSA_PRIVATE_KEY!, 'PS512')

export async function signToken(payload: Record<string, unknown>) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'PS512' })
    .setIssuedAt()            // iat claim
    .setExpirationTime('1h')  // exp claim, one hour from now
    .sign(privateKey)
}

Node.js — Verify (jose library)

import { jwtVerify, importSPKI } from 'jose'

// Load the SPKI PEM public key that matches the signing key.
const publicKey = await importSPKI(process.env.RSA_PUBLIC_KEY!, 'PS512')

export async function verifyToken(token: string) {
  // Pin the accepted algorithm so the token header cannot choose it.
  const { payload } = await jwtVerify(token, publicKey, { algorithms: ['PS512'] })
  return payload
}

Python — PyJWT

import jwt
from cryptography.hazmat.primitives import serialization

# PyJWT delegates RSA-PSS to the cryptography package; load the PEM key pair.
with open("private.pem", "rb") as f:
    private_key = serialization.load_pem_private_key(f.read(), password=None)
with open("public.pem", "rb") as f:
    public_key = serialization.load_pem_public_key(f.read())

token = jwt.encode({"sub": "1234"}, private_key, algorithm="PS512")
# Pin algorithms=[...] on decode; never derive it from the token header.
payload = jwt.decode(token, public_key, algorithms=["PS512"])

When to Use PS512

Maximum RSA security for government, financial, and FIPS-140 environments. For typical API authentication, PS256 or ES256 provides adequate security with better performance.

Security Considerations

RSA-PSS is preferable to PKCS#1 v1.5 for all new RSA signing. Salt length should equal hash output (64 bytes for SHA-512). RSA-4096 key generation is slow but only happens once.
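As an added example (not the page's own code, nor jose's or PyJWT's), this is what those libraries do under the hood for PS512, built directly on the `cryptography` package the Python snippet above already imports: base64url JWS framing, RSA-PSS with SHA-512, MGF1(SHA-512) and the 64-byte salt discussed here, and a verifier that pins the algorithm rather than trusting the header. All function names are my own and the claim set is a constructed sample.

```python
import base64
import json
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# RFC 7518 section 3.5: RSASSA-PSS, SHA-512, MGF1(SHA-512), salt length = hash length (64).
PS512_PADDING = padding.PSS(mgf=padding.MGF1(hashes.SHA512()), salt_length=64)

def _json_b64(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_ps512(claims: dict, private_key: rsa.RSAPrivateKey) -> str:
    header, body = _json_b64({"alg": "PS512", "typ": "JWT"}), _json_b64(claims)
    signature = private_key.sign(f"{header}.{body}".encode(), PS512_PADDING, hashes.SHA512())
    return f"{header}.{body}.{b64url(signature)}"

def verify_ps512(token: str, public_key: rsa.RSAPublicKey) -> dict:
    header_b64, body_b64, sig_b64 = token.split(".")
    # The header is untrusted input: pin the algorithm server-side, never let the token pick it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "PS512":
        raise ValueError("unexpected alg in JWT header")
    # Raises cryptography.exceptions.InvalidSignature if header, payload or signature changed.
    public_key.verify(b64url_decode(sig_b64), f"{header_b64}.{body_b64}".encode(),
                      PS512_PADDING, hashes.SHA512())
    return json.loads(b64url_decode(body_b64))

def demo(key_size: int = 4096) -> dict:
    # Key size defaults to the 4096 bits this page recommends for PS512.
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    public_key = private_key.public_key()
    token_a, token_b = (sign_ps512({"sub": "1234"}, private_key) for _ in range(2))
    # Same payload and signature but the header's alg rewritten: the verifier must refuse it.
    rewritten = _json_b64({"alg": "RS512", "typ": "JWT"}) + token_a[token_a.index("."):]
    try:
        verify_ps512(rewritten, public_key)
        rewritten_rejected = False
    except ValueError:
        rewritten_rejected = True
    return {
        "payload": verify_ps512(token_a, public_key),
        "signature_bytes": len(b64url_decode(token_a.split(".")[2])),  # equals modulus size
        "signatures_differ": token_a != token_b,  # random salt: PSS signatures are probabilistic
        "rewritten_alg_rejected": rewritten_rejected,
    }
```

Unlike PKCS#1 v1.5, two PS512 signatures over the same input differ because of the random salt, which is why the demo compares two tokens.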

Related Algorithms

Standardised in RFC 7518 §3.5 — JSON Web Algorithms (JWA).

Frequently Asked Questions

Why should I use PS256 instead of RS256?

RSA-PSS (PS256/PS384/PS512) uses probabilistic padding that is provably secure under the random oracle model. RS256's PKCS#1 v1.5 padding has known theoretical weaknesses (Bleichenbacher's attacks on PKCS#1 v1.5 padding). For new systems, PS256 is preferable to RS256 while reusing the same key infrastructure.

Can existing RS256 keys be reused for PS256?

Yes. PS256 uses the same RSA key format as RS256. You can migrate from RS256 to PS256 by changing the 'alg' field in the JWT header and updating your signing code — no key rotation required.

What salt length should I use with RSA-PSS?

The salt length should equal the hash output length: 32 bytes for PS256 (SHA-256), 48 bytes for PS384, 64 bytes for PS512. This maximises the security proof. The jose library uses the correct salt length by default.