RS384 JWT Algorithm
RS384 is the SHA-384 variant of RSA PKCS#1 v1.5 JWT signing. Same asymmetric key-pair model as RS256 — private key to sign, public key to verify — with a 384-bit hash output. Chosen primarily when a security policy mandates SHA-384.
Key Requirements
RSA key pair of at least 2048 bits. RSA-3072 recommended for SHA-384-tier security to maintain consistent security levels across the hash and key.
JWT Header
Every JWT using RS384 has this header (base64url-encoded as the first segment):
```json
{
  "alg": "RS384",
  "typ": "JWT"
}
```

Code Examples
Node.js — Sign (jose library)
```typescript
import { SignJWT, importPKCS8 } from 'jose'

// RSA_PRIVATE_KEY holds the PKCS#8 PEM; the second argument binds the key to RS384.
const privateKey = await importPKCS8(process.env.RSA_PRIVATE_KEY!, 'RS384')

export async function signToken(payload: Record<string, unknown>) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'RS384' })
    .setIssuedAt()
    .setExpirationTime('1h')
    .sign(privateKey)
}
```

Node.js — Verify (jose library)
```typescript
import { jwtVerify, importSPKI } from 'jose'

// RSA_PUBLIC_KEY holds the SPKI PEM of the signing key's public half.
const publicKey = await importSPKI(process.env.RSA_PUBLIC_KEY!, 'RS384')

export async function verifyToken(token: string) {
  // The algorithms option pins what the verifier accepts; the token header does not choose.
  const { payload } = await jwtVerify(token, publicKey, { algorithms: ['RS384'] })
  return payload
}
```

Python — PyJWT
```python
import jwt
from cryptography.hazmat.primitives import serialization

# Load the PKCS#8 private key and the SPKI public key as cryptography objects;
# PyJWT accepts these directly for the RS* algorithms.
with open("private.pem", "rb") as f:
    private_key = serialization.load_pem_private_key(f.read(), password=None)
with open("public.pem", "rb") as f:
    public_key = serialization.load_pem_public_key(f.read())

token = jwt.encode({"sub": "1234"}, private_key, algorithm="RS384")
# Pin the accepted algorithm list on decode as well.
payload = jwt.decode(token, public_key, algorithms=["RS384"])
```

When to Use RS384
Compliance environments that require SHA-384 hashing. RS256 and RS512 see far broader adoption; most identity providers default to RS256. Use RS384 only when explicitly required by policy.
Security Considerations
RS384 shares the PKCS#1 v1.5 padding concern of RS256. For new systems, prefer PS384 (RSA-PSS with SHA-384), which removes the Bleichenbacher attack surface. Whichever variant you use, keep the explicit algorithm list shown in the verify examples above (algorithms: ['RS384']) so that the token header cannot select the algorithm.
Related Algorithms
Standardised in RFC 7518 §3.3 — JSON Web Algorithms (JWA).
Frequently Asked Questions
Can the same RSA key pair be used for both RS256 and PS256?
Yes. RS256 and PS256 use the same RSA key format (PKCS#8 PEM for private keys, SPKI PEM for public keys). The difference is in the padding scheme applied during signing — PKCS#1 v1.5 for RS256, PSS for PS256. You can reuse existing RSA keys when migrating from RS256 to PS256.
What minimum key size should I use for RSA JWT signing?
2048-bit RSA minimum. 3072-bit is recommended for new systems as it provides a higher security margin at modest performance cost. 4096-bit if using RS512 or PS512 to match the SHA-512 security level. RSA-1024 is insecure and rejected by modern JWT libraries.
How do I expose my public key for token verification?
Publish your public key as a JWKS (JSON Web Key Set) at a well-known URL, typically /.well-known/jwks.json. Clients use createRemoteJWKSet() (jose library) or similar to fetch and cache the public keys, automatically handling key rotation.
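To make the moving parts of the code examples and of the JWKS answer above concrete in one place, here is an added example written for this page; it is not code from the original, from jose or from PyJWT. It implements RS384 (RSASSA-PKCS1-v1_5 with SHA-384, RFC 7518 §3.3) on the Python standard library only, so the three-segment JWT layout, the SHA-384 DigestInfo prefix, a verifier that pins the algorithm from its own allow-list, and the public-key JWK entry a client would fetch from /.well-known/jwks.json are all visible. The function names, the claims, the kid value and DEMO_BITS are constructed for the demo; DEMO_BITS is deliberately below the 2048-bit minimum stated on this page only so that pure-Python key generation finishes in well under a second.

```python
# RS384 (RSASSA-PKCS1-v1_5 with SHA-384) JWT sign/verify plus JWK export.
# Added example for this page, not jose or PyJWT code; standard library only.
import base64
import hashlib
import json
import secrets

# DER DigestInfo prefix for SHA-384 (RFC 8017 section 9.2, note 1).
SHA384_DIGESTINFO = bytes.fromhex("3041300d060960864801650304020205000430")
DEMO_BITS = 1024  # demo size only; real deployments use >= 2048 bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test for odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = DEMO_BITS) -> dict:
    """Return {'n', 'e', 'd'} with the usual public exponent 65537."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 DigestInfo(SHA-384(msg)), k bytes."""
    t = SHA384_DIGESTINFO + hashlib.sha384(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs384_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), key["d"], key["n"]).to_bytes(k, "big")


def rs384_verify(key: dict, msg: bytes, sig: bytes) -> bool:
    k = (key["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    # Compare the recovered block with a freshly encoded one instead of parsing it
    # leniently; lenient parsing is the verifier mistake behind PKCS#1 v1.5 forgeries.
    return pow(int.from_bytes(sig, "big"), key["e"], key["n"]) == _emsa_pkcs1_v15(msg, k)


def _json_b64(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def jwt_sign(key: dict, claims: dict) -> str:
    signing_input = _json_b64({"alg": "RS384", "typ": "JWT"}) + "." + _json_b64(claims)
    return signing_input + "." + b64url(rs384_sign(key, signing_input.encode()))


def jwt_verify(key: dict, token: str, algorithms=("RS384",)) -> dict:
    """As jwtVerify(..., { algorithms: ['RS384'] }): the accepted algorithm comes
    from the verifier's allow-list, never from the token header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg != "RS384" or "RS384" not in algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if not rs384_verify(key, f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(p))


def public_jwk(key: dict, kid: str) -> dict:
    """One RFC 7517 entry for the 'keys' array of /.well-known/jwks.json."""
    ib = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))  # noqa: E731
    return {"kty": "RSA", "use": "sig", "alg": "RS384", "kid": kid,
            "n": ib(key["n"]), "e": ib(key["e"])}


def jwk_to_key(jwk: dict) -> dict:
    return {"n": int.from_bytes(b64url_decode(jwk["n"]), "big"),
            "e": int.from_bytes(b64url_decode(jwk["e"]), "big")}


if __name__ == "__main__":
    signer = generate_rsa_key()
    token = jwt_sign(signer, {"sub": "1234"})  # constructed claims
    jwks = {"keys": [public_jwk(signer, "demo-key-1")]}  # what the issuer publishes
    print(jwt_verify(jwk_to_key(jwks["keys"][0]), token))
```

The verifier recomputes the whole EMSA-PKCS1-v1_5 block and compares it to the value recovered with the public exponent; that full-block comparison is the correct way to verify PKCS#1 v1.5 signatures and is what a library such as PyJWT does for you. The JWK produced by public_jwk carries only n and e, so the client side never sees the private exponent; rotating keys is then a matter of publishing a new kid in the set.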
