Bird
Raised Fist0
Microservicessystem_design~10 mins

JWT token propagation in Microservices - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepArchPracticeChallengeDesignRecallScale

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to extract the JWT token from the HTTP Authorization header.

Microservices
auth_header = request.headers.get('Authorization')
token = auth_header.split(' ')[[1]]
Drag options to blanks, or click blank then click option'
A1
B2
C0
D-1
Attempts:
3 left
💡 Hint
Common Mistakes
Using index 0 returns 'Bearer' instead of the token.
Using -1 might work but is less clear.
2fill in blank
medium

Complete the code to add the JWT token to the outgoing HTTP request headers for propagation.

Microservices
headers = {}
headers['Authorization'] = 'Bearer ' + [1]
Drag options to blanks, or click blank then click option'
Aauth_token
Btoken
Caccess_token
Djwt_token
Attempts:
3 left
💡 Hint
Common Mistakes
Using undefined variable names like 'auth_token' or 'jwt_token' without declaration.
3fill in blank
hard

Fix the error in the code that forwards the JWT token in a microservice call.

Microservices
response = requests.get(url, headers=[1])
Drag options to blanks, or click blank then click option'
Aauth_header
BAuthorization
Cheader
Dheaders
Attempts:
3 left
💡 Hint
Common Mistakes
Passing a string instead of a dictionary causes runtime errors.
Using wrong variable names leads to NameError.
4fill in blank
hard

Fill both blanks to correctly extract and propagate the JWT token in a microservice environment.

Microservices
auth_header = request.headers.get('[1]')
token = auth_header.split(' ')[[2]]
Drag options to blanks, or click blank then click option'
AAuthorization
BAuthentication
C0
D1
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'Authentication' instead of 'Authorization' header.
Using index 0 returns the word 'Bearer' instead of the token.
5fill in blank
hard

Fill all three blanks to create a dictionary that propagates the JWT token only if it exists and is valid.

Microservices
if [1] and [2].startswith('Bearer '):
    headers = {'Authorization': [3]
else:
    headers = {}
Drag options to blanks, or click blank then click option'
Aauth_header
Dauth_header.split(' ')[1]
Attempts:
3 left
💡 Hint
Common Mistakes
Not checking if the header exists before accessing it.
Using the whole header string instead of just the token.

Practice

(1/5)
1. What is the main purpose of JWT token propagation in a microservices architecture?
easy
A. To encrypt all communication between microservices
B. To store user data permanently in each microservice
C. To securely share user identity information across multiple services
D. To replace API keys for service-to-service authentication

Solution

  1. Step 1: Understand JWT token role

    JWT tokens carry user identity and claims securely in a compact form.

  2. Step 2: Identify propagation purpose

    Propagating JWT tokens allows each microservice to verify and trust the user's identity without storing it locally.

  3. Final Answer:

    To securely share user identity information across multiple services -> Option C

  4. Quick Check:

    JWT propagation = share identity securely [OK]
Hint: JWT tokens carry user identity for trust across services [OK]
Common Mistakes:
  • Confusing JWT propagation with data storage
  • Thinking JWT encrypts all communication
  • Assuming JWT replaces all authentication methods
2. Which HTTP header is commonly used to forward the JWT token between microservices?
easy
A. Authorization
B. X-Auth-Token
C. Cookie
D. Content-Type

Solution

  1. Step 1: Identify standard header for tokens

    The Authorization header is the standard way to send bearer tokens like JWT in HTTP requests.

  2. Step 2: Confirm other headers' roles

    X-Auth-Token is less standard, Cookie is for browser sessions, Content-Type defines data format.

  3. Final Answer:

    Authorization -> Option A

  4. Quick Check:

    JWT token sent in Authorization header [OK]
Hint: JWT tokens go in Authorization header as Bearer [OK]
Common Mistakes:
  • Using Cookie header for token forwarding
  • Confusing Content-Type with authentication headers
  • Assuming custom headers like X-Auth-Token are standard
3. Consider this code snippet in a microservice forwarding a JWT token: 
fetch('http://serviceB/api', {
  headers: { 'Authorization': req.headers['authorization'] }
})
What will happen if the original request has no Authorization header?
medium
A. The Authorization header is set to an empty string
B. Service B receives an Authorization header with value 'undefined'
C. The fetch call throws an error and fails
D. Service B receives the request without any Authorization header

Solution

  1. Step 1: Check header forwarding code

    The code forwards req.headers['authorization'] directly as the Authorization header value.

  2. Step 2: Understand missing header behavior

    If req.headers['authorization'] is undefined, the header is omitted in fetch, so Service B gets no Authorization header.

  3. Final Answer:

    Service B receives the request without any Authorization header -> Option D

  4. Quick Check:

    Missing header means no Authorization sent [OK]
Hint: Undefined header means no header sent, not 'undefined' string [OK]
Common Mistakes:
  • Assuming 'undefined' string is sent as header value
  • Expecting fetch to throw error on missing header
  • Thinking header is set to empty string automatically
4. A microservice fails to verify JWT tokens from upstream services. Which of these is the most likely cause?
medium
A. The microservice does not forward the Authorization header
B. The microservice uses a different secret or public key to verify tokens
C. The microservice sends tokens in the request body instead of headers
D. The microservice caches tokens for too long

Solution

  1. Step 1: Analyze verification failure causes

    Verification fails if the microservice uses a wrong secret or public key to check the JWT signature.

  2. Step 2: Evaluate other options

    Not forwarding headers causes downstream issues, sending tokens in body is non-standard but not verification failure, caching affects freshness but not signature verification.

  3. Final Answer:

    The microservice uses a different secret or public key to verify tokens -> Option B

  4. Quick Check:

    Wrong key = verification fails [OK]
Hint: Verification needs matching secret/public key [OK]
Common Mistakes:
  • Confusing forwarding issues with verification errors
  • Assuming token location affects signature verification
  • Ignoring key mismatch as cause of failure
5. In a microservices system, Service A receives a JWT token from a user and calls Service B, which calls Service C. To ensure secure JWT token propagation and verification, which design is best?
hard
A. Service A sends the JWT to Service B, which forwards the same JWT to Service C; each service verifies the token locally
B. Service A sends the JWT to Service B; Service B generates a new token for Service C with its own secret
C. Service A sends the JWT only to Service B; Service B calls Service C without any token
D. Service A sends the JWT to Service B; Service B stores the token and Service C fetches it from Service B when needed

Solution

  1. Step 1: Understand token propagation best practice

    JWT tokens should be forwarded unchanged so each service can verify the original user identity and claims.

  2. Step 2: Evaluate alternatives

    Generating new tokens breaks trust chain; skipping tokens breaks authentication; fetching tokens from another service adds complexity and risk.

  3. Final Answer:

    Service A sends the JWT to Service B, which forwards the same JWT to Service C; each service verifies the token locally -> Option A

  4. Quick Check:

    Forward original JWT for trust and verification [OK]
Hint: Forward original JWT unchanged for trust across services [OK]
Common Mistakes:
  • Creating new tokens at intermediate services
  • Not forwarding tokens to all downstream services
  • Relying on token fetching instead of forwarding