RS512 JWT Algorithm
RS512 signs with RSASSA-PKCS1-v1_5 using SHA-512, the strongest of the RSA-family JWT algorithms. It suits long-lived tokens or environments where maximum asymmetric signature strength is a compliance requirement.
Key Requirements
An RSA key pair of at least 4096 bits is recommended to match the SHA-512 security level. RSA-2048 is accepted but creates a security-level mismatch with SHA-512.
JWT Header
Every JWT using RS512 has this header (base64url-encoded as the first segment):
{
  "alg": "RS512",
  "typ": "JWT"
}

Code Examples
Node.js — Sign (jose library)
import { SignJWT, importPKCS8 } from 'jose'

// RSA_PRIVATE_KEY holds the PKCS#8 PEM private key.
const privateKey = await importPKCS8(process.env.RSA_PRIVATE_KEY!, 'RS512')

// Sign the payload as an RS512 JWT that expires one hour after issue.
export async function signToken(payload: Record<string, unknown>) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'RS512' })
    .setIssuedAt()
    .setExpirationTime('1h')
    .sign(privateKey)
}

Node.js — Verify (jose library)
import { jwtVerify, importSPKI } from 'jose'

// RSA_PUBLIC_KEY holds the SPKI PEM public key.
const publicKey = await importSPKI(process.env.RSA_PUBLIC_KEY!, 'RS512')

// Accept only RS512: tokens carrying any other alg are rejected.
export async function verifyToken(token: string) {
  const { payload } = await jwtVerify(token, publicKey, { algorithms: ['RS512'] })
  return payload
}

Python — PyJWT
import jwt
from cryptography.hazmat.primitives import serialization

# Load the PEM-encoded RSA key pair from disk.
with open("private.pem", "rb") as f:
    private_key = serialization.load_pem_private_key(f.read(), password=None)
with open("public.pem", "rb") as f:
    public_key = serialization.load_pem_public_key(f.read())

# Sign with RS512, then verify while allowing only RS512.
token = jwt.encode({"sub": "1234"}, private_key, algorithm="RS512")
payload = jwt.decode(token, public_key, algorithms=["RS512"])

When to Use RS512
Use RS512 in high-security and FIPS-compliance environments that require maximum RSA strength. For typical API authentication, RS256 or ES256 provides adequate security with better performance.
Security Considerations
The PKCS#1 v1.5 padding concern applies to RS512; PS512 (RSA-PSS with SHA-512) is preferred for new high-security systems. RSA-4096 key generation is slow (10–60 s) but is only done once.
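What pinning RS512 and enforcing a key-size policy amount to at verification time, as an added example built on Node's built-in crypto module (not code from the original page, and not how jose or PyJWT are implemented). The names signRS512, verifyRS512, minBits and demo are hypothetical, and the key pair is a throwaway generated for the demo.

```javascript
const crypto = require('node:crypto');
const b64url = (x) => Buffer.from(x).toString('base64url');

// RS512 = RSASSA-PKCS1-v1_5 with SHA-512 over "<header>.<payload>".
function signRS512(payload, privateKey) {
  const h = b64url(JSON.stringify({ alg: 'RS512', typ: 'JWT' }));
  const p = b64url(JSON.stringify(payload));
  return `${h}.${p}.${b64url(crypto.sign('sha512', Buffer.from(`${h}.${p}`), privateKey))}`;
}

// Returns the payload or throws. minBits is an assumed local policy, not a jose option.
function verifyRS512(token, publicKey, minBits = 2048) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token's header never chooses how it is verified.
  if (header.alg !== 'RS512') throw new Error(`unexpected alg: ${header.alg}`);
  // Enforce key type and modulus size before doing any signature work.
  if (publicKey.asymmetricKeyType !== 'rsa' ||
      publicKey.asymmetricKeyDetails.modulusLength < minBits) {
    throw new Error('key rejected by policy');
  }
  const ok = crypto.verify('sha512', Buffer.from(`${h}.${p}`),
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8')); // exp/nbf checks omitted
}

// Constructed demo: throwaway 2048-bit key generated in-process to keep it fast.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const token = signRS512({ sub: '1234' }, privateKey);
  const [h, p, s] = token.split('.');
  // Same key, but PSS padding (a PS512-style signature) under the RS512 header.
  const pss = b64url(crypto.sign('sha512', Buffer.from(`${h}.${p}`),
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_PSS_PADDING }));
  const rs256Header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const outcome = (fn) => { try { return fn().sub; } catch (e) { return e.message; } };
  return {
    valid: outcome(() => verifyRS512(token, publicKey)),
    pssSignature: outcome(() => verifyRS512(`${h}.${p}.${pss}`, publicKey)),
    otherAlg: outcome(() => verifyRS512(`${rs256Header}.${p}.${s}`, publicKey)),
    min4096Policy: outcome(() => verifyRS512(token, publicKey, 4096)),
  };
}

console.log(demo());
```

Passing a higher minBits, such as 4096, makes the verifier refuse keys below the size the page recommends for RS512. Claim validation (exp, nbf, iss, aud) is left to the JWT library.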
Related Algorithms
Standardised in RFC 7518 §3.3 — JSON Web Algorithms (JWA).
Frequently Asked Questions
Can the same RSA key pair be used for both RS256 and PS256?
Yes. RS256 and PS256 use the same RSA key format (PKCS#8 PEM for private keys, SPKI PEM for public keys). The difference is in the padding scheme applied during signing — PKCS#1 v1.5 for RS256, PSS for PS256. You can reuse existing RSA keys when migrating from RS256 to PS256.
What minimum key size should I use for RSA JWT signing?
2048-bit RSA minimum. 3072-bit is recommended for new systems as it provides a higher security margin at modest performance cost. 4096-bit if using RS512 or PS512 to match the SHA-512 security level. RSA-1024 is insecure and rejected by modern JWT libraries.
How do I expose my public key for token verification?
Publish your public key as a JWKS (JSON Web Key Set) at a well-known URL, typically /.well-known/jwks.json. Clients use createRemoteJWKSet() (jose library) or similar to fetch and cache the public keys, automatically handling key rotation.
