Bird
Raised Fist0
Rest APIprogramming~20 mins

JWT structure and flow in Rest API - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
JWT Mastery Badge
Get all challenges correct to earn this badge!
Test your skills under time pressure!
Predict Output
intermediate
1:30remaining
What is the output of decoding the JWT payload?

Given this JWT token payload encoded in Base64Url:

eyJ1c2VyX2lkIjogMTIzLCJyb2xlIjogImFkbWluIn0

What is the decoded JSON payload?

A{"user_id": "123", "role": "admin"}
B{"user_id": 123, "role": "user"}
C{"userid": 123, "role": "admin"}
D{"user_id": 123, "role": "admin"}
Attempts:
2 left
💡 Hint

Base64Url decoding converts the string back to JSON. Pay attention to key names and value types.

🧠 Conceptual
intermediate
1:00remaining
Which step in JWT flow verifies the token's integrity?

In the JWT authentication flow, which step ensures the token has not been tampered with?

AServer verifies the token signature using the secret key
BClient stores the token in local storage
CServer decodes the token payload to read user info
DClient sends the token in the Authorization header
Attempts:
2 left
💡 Hint

Think about how the server knows the token is authentic and unchanged.

🔧 Debug
advanced
2:00remaining
Why does this JWT verification code fail?

Consider this Python code snippet verifying a JWT token:

import jwt

token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.invalidsignature'
secret = 'mysecret'

try:
    payload = jwt.decode(token, secret, algorithms=['HS256'])
    print('Valid token')
except jwt.InvalidSignatureError:
    print('Invalid signature')
except Exception as e:
    print('Error:', e)

What is the output when running this code?

AError: Not enough segments
BValid token
CInvalid signature
DError: Decode error
Attempts:
2 left
💡 Hint

The token's signature part is clearly invalid. What exception does the library raise?

📝 Syntax
advanced
1:30remaining
Which code correctly creates a JWT token with payload and secret?

Choose the correct Python code snippet that creates a JWT token with payload {"user": "alice"} and secret "key123" using HS256 algorithm.

Ajwt.encode({"user": "alice"}, "key123", algorithm="HS256")
Bjwt.encode("user=alice", "key123", algorithm="HS256")
Cjwt.encode({user: "alice"}, "key123", algorithm="HS256")
Djwt.encode({"user": "alice"}, key="key123", algo="HS256")
Attempts:
2 left
💡 Hint

Check the function signature and argument names carefully.

🚀 Application
expert
1:30remaining
How many items are in the JWT payload after decoding this token?

Given this JWT token (header.payload.signature):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYm9iIiwiaWQiOjQ1LCJleHAiOjE2ODk0MjAwMDB9.somesignature

After decoding the payload, how many key-value pairs does it contain?

A2
B3
C4
D1
Attempts:
2 left
💡 Hint

Decode the payload part and count the keys.

Practice

(1/5)
1. What are the three main parts of a JWT (JSON Web Token)?
easy
A. Header, Payload, Signature
B. Username, Password, Token
C. Request, Response, Token
D. Key, Value, Token

Solution

  1. Step 1: Understand JWT structure basics

    A JWT is made of three parts separated by dots.

  2. Step 2: Identify the parts

    The three parts are Header (metadata), Payload (claims), and Signature (verification).

  3. Final Answer:

    Header, Payload, Signature -> Option A

  4. Quick Check:

    JWT parts = Header, Payload, Signature [OK]
Hint: Remember JWT has 3 parts separated by dots [OK]
Common Mistakes:
  • Confusing JWT parts with user credentials
  • Thinking JWT has only two parts
  • Mixing up token with request/response
2. Which of the following is the correct format of a JWT string?
easy
A. header|payload|signature
B. header-payload-signature
C. header.payload.signature
D. header_payload_signature

Solution

  1. Step 1: Recall JWT encoding format

    JWT parts are base64url encoded and joined by dots.

  2. Step 2: Identify correct separator

    The correct separator between parts is a dot ('.').

  3. Final Answer:

    header.payload.signature -> Option C

  4. Quick Check:

    JWT format uses dots '.' [OK]
Hint: JWT parts are joined by dots '.' [OK]
Common Mistakes:
  • Using dashes or underscores instead of dots
  • Confusing with other token formats
  • Not encoding parts properly
3. Given this JWT payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}, what does the iat field represent?
medium
A. Issuer of the token
B. Issued at time
C. Expiration time
D. Subject identifier

Solution

  1. Step 1: Understand JWT standard claims

    Common claims include 'sub' (subject), 'iat' (issued at), 'exp' (expiration), and 'iss' (issuer).

  2. Step 2: Identify meaning of 'iat'

    'iat' stands for 'issued at' and marks the time the token was created.

  3. Final Answer:

    Issued at time -> Option B

  4. Quick Check:

    'iat' = issued at time [OK]
Hint: 'iat' means when token was issued [OK]
Common Mistakes:
  • Confusing 'iat' with expiration time
  • Mixing 'sub' and 'iss' claims
  • Assuming 'iat' is issuer
4. You receive a JWT but the signature verification fails. What is the most likely cause?
medium
A. The secret key used to sign the token is different
B. The token payload is empty
C. The header is missing
D. The token is not base64 encoded

Solution

  1. Step 1: Understand signature verification

    The signature is created using a secret key and the header and payload.

  2. Step 2: Identify cause of verification failure

    If the secret key used to verify differs from the signing key, verification fails.

  3. Final Answer:

    The secret key used to sign the token is different -> Option A

  4. Quick Check:

    Signature fails if secret keys differ [OK]
Hint: Signature fails if secret keys don't match [OK]
Common Mistakes:
  • Assuming empty payload causes signature failure
  • Thinking missing header always breaks signature
  • Confusing encoding with signature verification
5. In a REST API, after a user logs in, the server issues a JWT. Which step correctly describes the flow for authenticating future requests using this JWT?
hard
A. Client sends JWT in URL query; server ignores signature and trusts token
B. Client sends username and password with every request; server creates new JWT each time
C. Server stores JWT in database and checks it on each request
D. Client sends JWT in Authorization header; server verifies signature and extracts user info

Solution

  1. Step 1: Understand JWT usage in REST API

    After login, server issues JWT to client to prove identity without resending credentials.

  2. Step 2: Identify correct authentication flow

    Client sends JWT in Authorization header; server verifies signature and extracts user info to authenticate.

  3. Final Answer:

    Client sends JWT in Authorization header; server verifies signature and extracts user info -> Option D

  4. Quick Check:

    JWT sent in header and verified by server [OK]
Hint: JWT goes in Authorization header, server verifies signature [OK]
Common Mistakes:
  • Sending credentials every request instead of JWT
  • Storing JWT server-side defeats statelessness
  • Ignoring signature verification risks security