Requirements for cryptography

The following algorithms are supported for signing JSON Web Tokens (JWT) for:

  • Client assertions (private_key_jwt)
  • Request objects
  • DPoP proofs

JSON Web Algorithm   Signature algorithm family   Hashing algorithm
RS256                RSASSA-PKCS1-v1_5            SHA-256
RS384                RSASSA-PKCS1-v1_5            SHA-384
RS512                RSASSA-PKCS1-v1_5            SHA-512
ES256                ECDSA                        SHA-256
ES384                ECDSA                        SHA-384
ES512                ECDSA                        SHA-512
PS256                RSASSA-PSS                   SHA-256
PS384                RSASSA-PSS                   SHA-384
PS512                RSASSA-PSS                   SHA-512

The recommended choice is either PS256 or PS512.

RSA keys must have a minimum bit length of 2048.

Elliptic curve keys must have a minimum bit length of 160.
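
A pre-flight check of a signing key against these requirements, given the JWT "alg" header value and the public JWK. This is an added example, not code from the product this page documents; the function names are hypothetical, the curve sizes come from RFC 7518 rather than this page, and the RSA key builder produces constructed sample values, not usable keys.

```python
import base64

# Allow-list from the table above: JWS "alg" -> required JWK key type ("kty").
SUPPORTED = {a: "RSA" for a in ("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")}
SUPPORTED.update({a: "EC" for a in ("ES256", "ES384", "ES512")})
MIN_RSA_BITS = 2048
MIN_EC_BITS = 160
# Assumption: field sizes of the curves registered for JWK in RFC 7518 (not listed on this page).
CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}


def b64url_to_int(value):
    """Decode an unpadded base64url JWK member into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def check_signing_key(alg, jwk):
    """Return a list of violations; an empty list means alg and key are acceptable."""
    if alg not in SUPPORTED:
        # Also rejects "none" and the HMAC algorithms, which are not in the table.
        return [f"unsupported alg {alg!r}"]
    kty = jwk.get("kty")
    if kty != SUPPORTED[alg]:
        return [f"alg {alg} needs a {SUPPORTED[alg]} key, got {kty!r}"]
    if kty == "RSA":
        # Key size is the bit length of the modulus "n"; a missing "n" counts as 0 bits.
        bits = b64url_to_int(jwk.get("n", "")).bit_length()
        if bits < MIN_RSA_BITS:
            return [f"RSA modulus is {bits} bits, minimum is {MIN_RSA_BITS}"]
        return []
    bits = CURVE_BITS.get(jwk.get("crv"))
    if bits is None:
        return [f"cannot determine key size for curve {jwk.get('crv')!r}"]
    if bits < MIN_EC_BITS:
        return [f"EC key is {bits} bits, minimum is {MIN_EC_BITS}"]
    return []


def constructed_rsa_jwk(bits):
    """Build a JWK whose modulus has the given bit length (constructed, not a real key)."""
    n = (1 << (bits - 1)) | 1
    raw = n.to_bytes((bits + 7) // 8, "big")
    return {"kty": "RSA", "e": "AQAB", "n": base64.urlsafe_b64encode(raw).rstrip(b"=").decode()}
```

Running the check when a client registers or rotates a key catches an undersized or mismatched key before the first signed request fails.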