> Describes signing algorithms and recommendations for configuring them in the Auth0 Dashboard.

# Signing Algorithms

<Tooltip tip="Signing Algorithm: Algorithm used to digitally sign tokens to ensure the token has not been tampered with." cta="View Glossary" href="/docs/glossary?term=Signing+algorithms">Signing algorithms</Tooltip> are the algorithms used to sign the tokens issued for your application or API. The signature is part of a [JSON Web Token (JWT)](/docs/secure/tokens/json-web-tokens); a consumer checks it to verify that the token was produced by the party that holds the signing key (the issuer, Auth0) and that the header and payload were not changed along the way.

You can select from the following signing algorithms:

* **RS256 (RSA Signature with SHA-256)**: An asymmetric algorithm (RSASSA-PKCS1-v1_5 with SHA-256), which means that there are two keys: a public key and a private key that must be kept secret. Auth0 holds the private key and uses it to generate the signature; the consumer of the <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> retrieves the matching public key from the metadata (JWKS) endpoint provided by Auth0 and uses it to validate the JWT signature. The same header and payload always produce the same signature.
* **HS256 (HMAC with SHA-256)**: A symmetric algorithm, which means that there is a single secret key shared between the two parties. Because the same key is used both to generate the signature and to validate it, any party that can validate tokens can also issue them, so care must be taken to ensure that the key is not compromised. This secret is created when you register your application (<Tooltip tip="Client Secret: Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable." cta="View Glossary" href="/docs/glossary?term=client+secret">client secret</Tooltip>) or API (signing secret) and choose the HS256 signing algorithm.
* **PS256 (RSA-PSS Signature with SHA-256)**: An asymmetric algorithm like RS256, but using RSASSA-PSS padding (MGF1 with SHA-256) instead of PKCS#1 v1.5. As with RS256, Auth0 holds the private key used to generate the signature, and the consumer of the JWT retrieves the public key from the metadata endpoint provided by Auth0 to validate it. Because PSS mixes a random salt into every signature, the same JWT header and payload generate a different signature each time, unlike RS256.

The most secure practice, and our recommendation, is to use RS256 because:

* With RS256, you are sure that only the holder of the private key (Auth0) can sign tokens, while anyone can check whether a token is valid using the public key. Consumers never need a secret, so there is no signing key to leak from the API side.
* With RS256, if the private key is compromised, you can rotate the signing key and consumers pick up the new public key from the metadata endpoint, without re-deploying your application or API with a new secret (which you would have to do when using HS256).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you are configuring Private Key JWT Authentication with an Okta or OpenID Connect (OIDC) enterprise connection, you may have to choose [additional signing algorithms](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth#configure-private-key-jwt-client-authentication).
</Callout>

## Learn more

* [JSON Web Tokens](/docs/secure/tokens/json-web-tokens)
* [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms)
* [Signing Keys](/docs/get-started/tenant-settings/signing-keys)
* [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys)
* [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys)
* [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates)
