Security Engineering

Post-Quantum JWTs: Securing OAuth in 2026

Future-proof your web security with Post-Quantum Cryptography (PQC). Learn how to use Kyber and Dilithium for secure authentication tokens.

Sachin Sharma

Apr 16, 2026

The cryptographic community has been warning us for years: the quantum threat is coming. In 2026, "Harvest Now, Decrypt Later" is no longer a theoretical strategy: malicious actors are recording encrypted traffic and tokens today so they can break them once a capable quantum computer exists.

Standard RSA and Elliptic Curve signatures (like ES256) are vulnerable to Shor's algorithm. To protect our users' sessions, we must migrate to Post-Quantum Cryptography (PQC).

The NIST Standards

After years of competition, NIST has standardized several algorithms. For JWTs, we primarily care about:

  • ML-KEM (CRYSTALS-Kyber): for key encapsulation.
  • ML-DSA (CRYSTALS-Dilithium): for digital signatures.

Implementing Dilithium-based JWTs

Most modern JWT libraries (like jose or Auth.js) added support for PQC algorithms in late 2025.

```javascript
import { SignJWT, importJWK } from 'jose';

// Using ML-DSA (Dilithium). pqcPrivateKey is the ML-DSA-65 private key in
// JWK form, loaded from your key store (its loading is not shown here).
// Top-level await requires this file to be an ES module.
const privateKey = await importJWK(pqcPrivateKey, 'ML-DSA-65');

const jwt = await new SignJWT({ 'urn:example:claim': true })
  .setProtectedHeader({ alg: 'ML-DSA-65' })
  .setIssuedAt()
  .setExpirationTime('2h')
  .sign(privateKey);
```

Challenges: Payload Size

One catch with PQC is the signature size. While an ECDSA signature is ~64 bytes, a Dilithium signature can be over 2,400 bytes. This means your JWTs will be significantly larger, which matters for cookie size limits and bandwidth.

Strategy: Hybrid Signatures

For the transition period in 2026, we recommend Hybrid Signatures. Each token is signed with BOTH a classic algorithm (like EdDSA) and a PQC algorithm (like Dilithium). Legacy verifiers that only understand the classic algorithm keep working, while upgraded verifiers check both signatures and so remain protected against a quantum-capable attacker.

Conclusion

Quantum computing might still be a few years from cracking production keys, but the data you send today is being recorded. Post-Quantum JWTs are a necessary step in the evolution of web security.

Sachin Sharma

Software Developer & Mobile Engineer

Building digital experiences at the intersection of design and code. Sharing weekly insights on engineering, productivity, and the future of tech.