From 3951155cf3bddea1cd4b7b1d3958870be3136939 Mon Sep 17 00:00:00 2001 From: Marcelo Soares Date: Mon, 18 May 2026 22:03:34 -0300 Subject: [PATCH 1/2] feat: Document the support of HMAC SHA-256 JWT signing algorithm --- docs/06-concepts/11-authentication/01-setup.md | 2 +- .../05-token-managers/02-jwt-token-manager.md | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/06-concepts/11-authentication/01-setup.md b/docs/06-concepts/11-authentication/01-setup.md index 2198def1..36ea4dfc 100644 --- a/docs/06-concepts/11-authentication/01-setup.md +++ b/docs/06-concepts/11-authentication/01-setup.md @@ -47,7 +47,7 @@ void run(List args) async { JwtConfig( // Pepper used to hash the refresh token secret. refreshTokenHashPepper: pod.getPassword('jwtRefreshTokenHashPepper')!, - // Algorithm used to sign the tokens (`hmacSha512` or `ecdsaSha512`). + // Algorithm used to sign the tokens (`hmacSha512`, `hmacSha256` or `ecdsaSha512`). algorithm: JwtAlgorithm.hmacSha512( // Private key to sign the tokens. Must be a valid HMAC SHA-512 key. SecretKey(pod.getPassword('jwtHmacSha512PrivateKey')!), diff --git a/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md b/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md index 2ef2a22e..3959ea30 100644 --- a/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md +++ b/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md @@ -57,7 +57,7 @@ Finally, run `serverpod generate` to generate the client code and expose the end #### Token Algorithms -There are two supported token algorithms: +There are three supported token algorithms: - **HMAC SHA-512**: Use HMAC SHA-512 for symmetric key signing. 
@@ -67,6 +67,14 @@ There are two supported token algorithms: ), ``` +- **HMAC SHA-256**: Use HMAC SHA-256 for symmetric key signing. + + ```dart + algorithm: JwtAlgorithm.hmacSha256( + SecretKey(pod.getPassword('authenticationTokenPrivateKey')!), + ), + ``` + - **ECDSA SHA-512**: Use ECDSA SHA-512 for asymmetric key signing. ```dart From 2ba2ceecb888312e0ddcc2d4118f0b9dd90154fd Mon Sep 17 00:00:00 2001 From: Marcelo Soares Date: Tue, 2 Jun 2026 18:09:28 -0300 Subject: [PATCH 2/2] fix: Fix missing references for the HMAC SHA-256 --- .../05-token-managers/02-jwt-token-manager.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md b/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md index 3959ea30..61dd58e6 100644 --- a/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md +++ b/docs/06-concepts/11-authentication/05-token-managers/02-jwt-token-manager.md @@ -52,7 +52,7 @@ Finally, run `serverpod generate` to generate the client code and expose the end ### Basic configuration options -- `algorithm`: Required. The algorithm to use for signing tokens (HMAC SHA-512 or ECDSA SHA-512). +- `algorithm`: Required. The algorithm to use for signing tokens (HMAC SHA-512, HMAC SHA-256 or ECDSA SHA-512). - `refreshTokenHashPepper`: Required. A secret pepper for hashing refresh tokens. Must be at least 10 characters long, but [the recommended length is 32 bytes](https://www.ietf.org/archive/id/draft-ietf-kitten-password-storage-04.html#name-storage-2). #### Token Algorithms 
@@ -84,7 +84,7 @@ There are three supported token algorithms: ), ``` -As of now, the `JwtConfigFromPasswords` only supports HMAC SHA-512. To use ECDSA SHA-512, you need to pass the private and public keys manually. +As of now, the `JwtConfigFromPasswords` only supports HMAC SHA-512 and HMAC SHA-256. To use ECDSA SHA-512, you need to pass the private and public keys manually. ### Extra configuration options
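Review bot: The new `HMAC SHA-256` bullet in the `@@ -67,6 +67,14 @@` hunk of `02-jwt-token-manager.md` gives no key-size requirement, while the `01-setup.md` hunk in the same series keeps the comment "Must be a valid HMAC SHA-512 key" for the SHA-512 case. Please add the equivalent constraint for the new algorithm, e.g. a comment such as `// Must be a valid HMAC SHA-256 key.` on the `SecretKey(...)` line, and state the minimum length the implementation enforces (RFC 7518 §3.2 requires an HS256 key of at least 256 bits, i.e. 32 bytes; a shorter secret pulled from `pod.getPassword(...)` should be rejected, not silently accepted). The sample also reuses the same password name, `authenticationTokenPrivateKey`, for both HMAC variants; if that is intended, say so, since an operator who switches `algorithm` while keeping the secret will invalidate every token signed under the previous algorithm.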
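Review bot: The rewritten sentence in the `@@ -84,7 +84,7 @@` hunk says `JwtConfigFromPasswords` now supports both HMAC SHA-512 and HMAC SHA-256, but nothing on the page tells the reader how to select SHA-256 through the passwords path: which password key or constructor parameter chooses the algorithm, and whether SHA-512 remains the default when nothing is specified. Please add that here (or in the "Basic configuration options" list updated in the `@@ -52,7 +52,7 @@` hunk), otherwise the only documented way to get HMAC SHA-256 is the manual `JwtAlgorithm.hmacSha256(...)` snippet above, which contradicts "only supports ... HMAC SHA-256".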