Check your JWT signing algorithm for quantum risk
Many APIs sign JSON Web Tokens with RSA, ECDSA or EdDSA (RS256, ES256, EdDSA), all of which are quantum-vulnerable public-key signatures. Paste a token to identify its algorithm and risk level. Only the header is decoded; no keys are required.
- Detects RS256/384/512, PS256/384/512, ES256/384/512, EdDSA, HS256
- Runs entirely in your browser — nothing is uploaded
- Explains symmetric vs public-key risk categories
- Gives migration notes for each algorithm
Why JWT signing algorithms matter
If your tokens are signed with a quantum-vulnerable public-key algorithm, a future quantum adversary could forge tokens. JWT migration depends on your library and verifier ecosystem, so inventory comes first.
Disclaimer: Symmetric HMAC algorithms (HS256/384/512) are a different risk category from public-key signatures. They are not broken by Shor’s algorithm; their practical concern is key distribution. Public-key signatures (RS*, PS*, ES*, EdDSA) are the quantum-vulnerable ones.
Algorithms that need a migration plan
| Algorithm | Description |
|---|---|
| RSA | Integer factorisation — broken by Shor's algorithm. |
| ECDSA | Elliptic-curve discrete log — broken by Shor's algorithm. |
| DH | Finite-field Diffie-Hellman — quantum-vulnerable key exchange. |
| ECDH | Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange. |
| X25519 | Modern ECDH curve, still classical and quantum-vulnerable. |
| Ed25519 | Modern EdDSA signature, still classical and quantum-vulnerable. |
| RS256 | JWT RSA-SHA256 signature — quantum-vulnerable public-key signature. |
| ES256 | JWT ECDSA-P256 signature — quantum-vulnerable public-key signature. |
NIST-standardised replacements
| Standard | Purpose |
|---|---|
| ML-KEM (FIPS 203) | Key encapsulation / key exchange (formerly Kyber). |
| ML-DSA (FIPS 204) | Digital signatures (formerly Dilithium). |
| SLH-DSA (FIPS 205) | Stateless hash-based signatures (formerly SPHINCS+). |
PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.
Frequently asked questions
Is RS256 quantum vulnerable?
Yes. RS256 is an RSA signature (RSASSA-PKCS1-v1_5 with SHA-256). RSA is broken by Shor's algorithm on a quantum computer, so RS256 is a quantum-vulnerable public-key signature.
Is ES256 quantum vulnerable?
Yes. ES256 is ECDSA over P-256, which relies on the elliptic-curve discrete log problem and is broken by Shor's algorithm. EdDSA is similarly vulnerable.
Is HS256 quantum safe?
HS256 is HMAC-SHA256, a symmetric MAC — a different risk category from public-key signatures. It is not broken by Shor's algorithm; Grover's algorithm only weakens it modestly, mitigated by adequate key length. Its practical concern is secure key distribution.
Does the checker need my signing key?
No. It decodes only the JWT header (the first segment) to read the `alg` field. The payload, signature, and any secret or private key are never required or inspected, and nothing leaves your browser.
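The header-only check described above can be sketched as follows. This is an added example, not PostQ's own code; the names `classifyJwt`, `base64UrlDecode` and `RISK`, and the sample token, are constructed for illustration.

```javascript
// Added example: classify a JWT's quantum-risk category from its header only.
// The payload and signature segments are never decoded or verified.
const RISK = {
  publicKey: "quantum-vulnerable public-key signature",
  symmetric: "symmetric HMAC (different risk category)",
  unknown: "unrecognised algorithm",
};

// Decode one base64url segment (no padding, '-' and '_' alphabet) to a UTF-8 string.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(b64)                                        // browser path
    : Buffer.from(b64, "base64").toString("binary");   // older Node fallback
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function classifyJwt(token) {
  const parts = String(token).trim().split(".");
  // A signed JWT in compact form has exactly three dot-separated segments.
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const alg = header.alg;
  if (typeof alg !== "string") throw new Error("header has no alg field");

  let risk = RISK.unknown;
  if (/^(RS|PS|ES)(256|384|512)$/.test(alg) || alg === "EdDSA") {
    risk = RISK.publicKey;   // RSA, RSA-PSS, ECDSA, EdDSA: affected by Shor's algorithm
  } else if (/^HS(256|384|512)$/.test(alg)) {
    risk = RISK.symmetric;   // HMAC: not broken by Shor's algorithm
  }
  return { alg, risk };
}

// Constructed sample: header {"alg":"RS256","typ":"JWT"}, dummy payload and signature.
const SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln";
console.log(classifyJwt(SAMPLE_TOKEN));
```

Because nothing is verified, the result says only what the token claims in its header; an inventory should also confirm which algorithms each verifier actually accepts.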
Run a free PQC readiness scan
Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup is required for the basic TLS scan. We only inspect public metadata.