The advantage of RS256 over HS256 is RS256 no longer need to share the secret key between client and server side.
To create a token, we need to private key, which should be kept safe. We can use third-party server such as Auth0 to generate private-public key paris.
The public key is used only to validate JWT token on the server, and cannot use public key to create a JWT token, so even the server is hacked, hacker still cannot use the information create a token to access the data.
Create a token:
var jwt = require('jsonwebtoken'); var fs = require('fs'); var privateKey = fs.readFileSync('./demos/private.key'); var payload = { name: 'Alice' }; var token = jwt.sign(payload, privateKey, { algorithm: 'RS256', expiresIn: 120, subject: "1" }); console.log('RSA 256 JWT', token);
Validate a token:
var jwt = require('jsonwebtoken'); var fs = require('fs'); // verify an existing JWT var existingToken = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiQWxpY2UiLCJpYXQiOjE1MDI5MDMxNTcsImV4cCI6MTUwMjkwMzI3Nywic3ViIjoiMSJ9.KQJ-f3r4TNCLVrox1JaL5pxQAM6vSw4CNKj1lCf3HDWXGdIHW5rgD5odKpNBjrkbl1smjEL_ClLnFwG_iGDPKvu2bqktcrbXwi1-XUrY-jDKLkpoEHL2C9tGYnyDRl6Pg1SP97Hl-VWkGNyekYMerL8vh0RwgcK7y8UsuA33WgnP1DtfhKIghwcd493ARN4nBvmMJ11Zk35c7FBIN2w4Xl4ny8RU4l0_xy5DBF3JAKV1jilTHOKEvsrY8Ry3qRKaxxR6-QE_pfGOte3BRlt6544BUul1yI662tVAn1R28KXKnwCGAwo_HZ1kC-OrxmsjoXI4HDuHG2k5eRX-QC_W4Q'; var publicKey = fs.readFileSync('./demos/public.key'); console.log("verifying"); const verify = jwt.verify(existingToken, publicKey); console.log("Decoded JWT:", verify);