Aarunya Apps

RS384 JWT Algorithm

RS384 is the SHA-384 variant of RSA PKCS#1 JWT signing. Same asymmetric key-pair model as RS256 — private key to sign, public key to verify — with a 384-bit hash output. Chosen primarily when a security policy mandates SHA-384.

Family: RSA
Hash: SHA-384
Key type: asymmetric
Performance: Slow (1–10ms)

Key Requirements

RSA key pair of at least 2048 bits. RSA-3072 recommended for SHA-384-tier security to maintain consistent security levels across the hash and key.

JWT Header

Every JWT using RS384 has this header (base64url-encoded as the first segment):

{
  "alg": "RS384",
  "typ": "JWT"
}

Code Examples

Node.js — Sign (jose library)

import { SignJWT, importPKCS8 } from 'jose'

const privateKey = await importPKCS8(process.env.RSA_PRIVATE_KEY!, 'RS384')

export async function signToken(payload: Record<string, unknown>) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'RS384' })
    .setIssuedAt()
    .setExpirationTime('1h')
    .sign(privateKey)
}

Node.js — Verify (jose library)

import { jwtVerify, importSPKI } from 'jose'

const publicKey = await importSPKI(process.env.RSA_PUBLIC_KEY!, 'RS384')

export async function verifyToken(token: string) {
  const { payload } = await jwtVerify(token, publicKey, { algorithms: ['RS384'] })
  return payload
}

Python — PyJWT

import jwt
from cryptography.hazmat.primitives import serialization

# Load the PKCS#8 private key (signing) and the SPKI public key (verification).
with open("private.pem", "rb") as f:
    private_key = serialization.load_pem_private_key(f.read(), password=None)
with open("public.pem", "rb") as f:
    public_key = serialization.load_pem_public_key(f.read())

token = jwt.encode({"sub": "1234"}, private_key, algorithm="RS384")
# Pin the accepted algorithm list; never let the token's own "alg" header choose it.
payload = jwt.decode(token, public_key, algorithms=["RS384"])

When to Use RS384

Compliance environments that require SHA-384 hashing. RS256 and RS512 see far broader adoption; most identity providers default to RS256. Use RS384 only when explicitly required by policy.

Security Considerations

Same PKCS#1 v1.5 padding concern as RS256. For new systems, prefer PS384 (RSA-PSS with SHA-384), which removes the deterministic PKCS#1 v1.5 padding structure that Bleichenbacher-style attacks target.

Related Algorithms

Standardised in RFC 7518 §3.3 — JSON Web Algorithms (JWA).

Frequently Asked Questions

Can the same RSA key pair be used for both RS256 and PS256?

Yes. RS256 and PS256 use the same RSA key format (PKCS#8 PEM for private keys, SPKI PEM for public keys). The difference is in the padding scheme applied during signing — PKCS#1 v1.5 for RS256, PSS for PS256. You can reuse existing RSA keys when migrating from RS256 to PS256.

What minimum key size should I use for RSA JWT signing?

2048-bit RSA minimum. 3072-bit is recommended for new systems as it provides a higher security margin at modest performance cost. 4096-bit if using RS512 or PS512 to match the SHA-512 security level. RSA-1024 is insecure and rejected by modern JWT libraries.

How do I expose my public key for token verification?

Publish your public key as a JWKS (JSON Web Key Set) at a well-known URL, typically /.well-known/jwks.json. Clients use createRemoteJWKSet() (jose library) or similar to fetch and cache the public keys, automatically handling key rotation.