
JWT structure and flow in Rest API - Cheat Sheet & Quick Revision

Recall & Review
beginner
What are the three parts of a JWT (JSON Web Token)?
A JWT has three parts separated by dots: Header, Payload, and Signature. Each part is base64url-encoded, so the whole token is a single string that can travel in an HTTP header.
beginner
What information does the JWT Header contain?
The Header usually contains the token type ("typ": "JWT") and the signing algorithm ("alg"), such as HS256 or RS256. A verifier should pin the algorithm it expects rather than trust whatever value the token's own header supplies.
beginner
What is stored in the Payload of a JWT?
The Payload contains claims about the user and the token: for example a user ID (sub), the issued-at and expiration times (iat, exp), and roles. It is encoded, not encrypted, so anyone holding the token can read it; never put secrets in it.
intermediate
What is the purpose of the Signature in a JWT?
The Signature lets the server detect any alteration of the Header or Payload. It is computed over the encoded Header and Payload with a shared secret (HMAC, e.g. HS256) or a private key (e.g. RS256); the server checks it with the same secret or the matching public key.
intermediate
Describe the typical flow of a JWT in REST API authentication.
1. The user logs in with credentials and the server creates a JWT.
2. The server sends the JWT to the client.
3. The client sends the JWT with each request, normally in the Authorization header as a Bearer token.
4. The server verifies the JWT signature and checks its claims (such as expiration).
5. If the token is valid, the server processes the request; otherwise it rejects it, typically with 401.
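As an added example (not part of this cheat sheet), the following Python script builds an HS256 token exactly as the flashcards describe and then plays out the five-step flow: a client presents the token in an Authorization header and the server checks structure, algorithm, signature and expiry before trusting any claim. The secret, the claim values and the function names are assumptions made for the example; only the standard library is used.

```python
"""HS256 JWT: mint, verify and the Bearer-token request flow (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side HMAC secret, constructed for this example only.
# A real service loads it from a secret store, never from source.
SECRET = b"example-secret-do-not-use-in-production"


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    """Compact JSON, then base64url: how each of the first two parts is built."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(claims: dict, secret: bytes, ttl_seconds: int = 900) -> str:
    """Step 1 of the flow: build header.payload.signature with HMAC-SHA256."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = encode_json(header) + "." + encode_json(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Step 4: return the payload only if the token has three parts, uses the
    pinned algorithm, carries a valid HMAC and has not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token's own header must not choose
    # how it is checked (this rejects alg "none" and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal matching prefixes.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def handle_request(headers: dict, secret: bytes):
    """Steps 3-5: pull the Bearer token from the Authorization header and
    answer with an HTTP-style (status, body) pair."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_jwt(token, secret)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    return 200, {"user": claims["sub"], "roles": claims.get("roles", [])}


def replace_part(token: str, index: int, obj: dict) -> str:
    """Attacker helper for the demo: swap part 0 (header) or 1 (payload)
    while keeping the original signature, which verification must catch."""
    parts = token.split(".")
    parts[index] = encode_json(obj)
    return ".".join(parts)


if __name__ == "__main__":
    token = mint_jwt({"sub": "1234567890", "roles": ["reader"]}, SECRET)
    print("token:", token)
    print("genuine:", handle_request({"Authorization": "Bearer " + token}, SECRET))
    forged = replace_part(token, 1, {"sub": "1234567890", "roles": ["admin"]})
    print("forged payload:", handle_request({"Authorization": "Bearer " + forged}, SECRET))
    none_alg = replace_part(token, 0, {"alg": "none", "typ": "JWT"})
    print("alg none:", handle_request({"Authorization": "Bearer " + none_alg}, SECRET))
```

Running the script prints the three-part token, a 200 for the genuine request, and 401s for the re-encoded payload and the alg-none header, because the stored signature no longer matches the bytes being checked and the algorithm is pinned on the server rather than read from the token.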
Which part of the JWT contains the user's data like user ID?
A. Payload
B. Header
C. Signature
D. Secret
What does the Signature in a JWT protect against?
A. User authentication
B. Token expiration
C. Data tampering
D. Token size
When does the server verify the JWT?
A. With each request containing the token
B. When the token is created
C. When the user logs in
D. Only once per session
What is the format of a JWT?
A. JSON object
B. Base64url-encoded string with three parts separated by dots
C. XML document
D. Plain text string
Which algorithm might be specified in the JWT Header?
A. SHA256
B. MD5
C. AES
D. HS256
Explain the structure of a JWT and what each part does.
Think about how the token is built and why each part is important.
Describe the flow of a JWT in a REST API from login to request validation.
Imagine how a user proves who they are using the token.

Practice

1. What are the three main parts of a JWT (JSON Web Token)?
easy
A. Header, Payload, Signature
B. Username, Password, Token
C. Request, Response, Token
D. Key, Value, Token

Solution

1. Step 1: Understand JWT structure basics
A JWT is made of three parts separated by dots.
2. Step 2: Identify the parts
The three parts are Header (metadata), Payload (claims), and Signature (verification).
3. Final Answer:
Header, Payload, Signature -> Option A
4. Quick Check:
JWT parts = Header, Payload, Signature
Hint: Remember that a JWT has 3 parts separated by dots.
Common Mistakes:
• Confusing JWT parts with user credentials
• Thinking a JWT has only two parts
• Mixing up the token with the request/response
2. Which of the following is the correct format of a JWT string?
easy
A. header|payload|signature
B. header-payload-signature
C. header.payload.signature
D. header_payload_signature

Solution

1. Step 1: Recall the JWT encoding format
JWT parts are base64url-encoded and joined by dots.
2. Step 2: Identify the correct separator
The separator between parts is a dot ('.'), which is why base64url (no '+', '/' or '=') is used: a dot can never appear inside a part.
3. Final Answer:
header.payload.signature -> Option C
4. Quick Check:
JWT format uses dots '.'
Hint: JWT parts are joined by dots '.'.
Common Mistakes:
• Using dashes or underscores instead of dots
• Confusing it with other token formats
• Not encoding the parts properly
3. Given this JWT payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}, what does the iat field represent?
medium
A. Issuer of the token
B. Issued at time
C. Expiration time
D. Subject identifier

Solution

1. Step 1: Understand the JWT standard claims
Common registered claims include 'sub' (subject), 'iat' (issued at), 'exp' (expiration), 'nbf' (not before), 'iss' (issuer) and 'aud' (audience).
2. Step 2: Identify the meaning of 'iat'
'iat' stands for 'issued at' and marks the time the token was created. Like 'exp' and 'nbf' it is a NumericDate, i.e. seconds since the Unix epoch, so 1516239022 is 2018-01-18T01:30:22Z.
3. Final Answer:
Issued at time -> Option B
4. Quick Check:
'iat' = issued at time
Hint: 'iat' means when the token was issued.
Common Mistakes:
• Confusing 'iat' with the expiration time
• Mixing up the 'sub' and 'iss' claims
• Assuming 'iat' is the issuer
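The question's payload shows only sub, name and iat. The following Python function, added here as an example and not taken from the cheat sheet, checks the full set of registered claims a verifier normally cares about (iss, aud, sub, exp, nbf, iat) on an already-decoded payload, with a small clock-skew allowance and an optional maximum token age. The issuer, audience and timestamps in SAMPLE_PAYLOAD are constructed for the example; this check runs after the signature has been verified, never instead of it.

```python
"""Registered-claim validation for a decoded JWT payload (RFC 7519, section 4.1)."""

# Constructed for this example: the question's payload, extended with the
# other registered claims a verifier normally checks. Times are NumericDate
# values (seconds since the Unix epoch); exp here is iat + 3600.
SAMPLE_PAYLOAD = {
    "iss": "https://auth.example.test",
    "sub": "1234567890",
    "aud": "orders-api",
    "name": "John Doe",
    "iat": 1516239022,
    "nbf": 1516239022,
    "exp": 1516242622,
}


def validate_claims(payload, now, expected_iss, expected_aud, leeway=60, max_age=None):
    """Return a list of problems with the claims; an empty list means accept.

    `now` is the verifier's current time, passed in so the checks are
    testable. `leeway` (seconds) absorbs small clock differences between
    issuer and verifier. `max_age` optionally rejects tokens issued too long
    ago even when exp has not yet passed."""
    problems = []
    if payload.get("iss") != expected_iss:
        problems.append("iss mismatch")
    # aud may be a single string or a list; this service must be listed,
    # otherwise a token minted for another API would be accepted here.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append("aud does not include this service")
    if "sub" not in payload:
        problems.append("sub missing")
    exp = payload.get("exp")
    if exp is None:
        problems.append("exp missing")
    elif now > exp + leeway:
        problems.append("token expired")
    nbf = payload.get("nbf")
    if nbf is not None and now + leeway < nbf:
        problems.append("token not yet valid")
    iat = payload.get("iat")
    if iat is None:
        problems.append("iat missing")
    elif iat > now + leeway:
        problems.append("iat is in the future")
    elif max_age is not None and now - iat > max_age:
        problems.append("token older than max_age")
    return problems


if __name__ == "__main__":
    for t in (1516239100, 1516242700, 1516238900):
        print(t, validate_claims(SAMPLE_PAYLOAD, t, "https://auth.example.test", "orders-api"))
```

Returning a list rather than raising on the first problem makes the function easy to log from: an operator can see at once whether a rejected token was expired, aimed at another audience, or both.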
4. You receive a JWT but the signature verification fails. What is the most likely cause?
medium
A. The secret key used to sign the token is different
B. The token payload is empty
C. The header is missing
D. The token is not base64 encoded

Solution

1. Step 1: Understand signature verification
The signature is computed over the encoded header and payload with the server's secret (HMAC, e.g. HS256) or private key (e.g. RS256); the verifier recomputes or checks it with the matching key.
2. Step 2: Identify the cause of the verification failure
If the key used to verify differs from the key used to sign, the check fails. Any change to the header or payload after signing fails the same check, which is exactly what the signature is for, so a failure means the token must not be trusted and nothing in its payload should be acted on.
3. Final Answer:
The secret key used to sign the token is different -> Option A
4. Quick Check:
Signature fails if the keys differ or the signed bytes were changed
Hint: Signature fails if the secret keys don't match.
Common Mistakes:
• Assuming an empty payload causes signature failure
• Thinking a missing header always breaks the signature (a token without a header fails structural parsing before the signature is even checked)
• Confusing encoding errors with signature verification failure
5. In a REST API, after a user logs in, the server issues a JWT. Which step correctly describes the flow for authenticating future requests using this JWT?
hard
A. Client sends JWT in URL query; server ignores signature and trusts token
B. Client sends username and password with every request; server creates new JWT each time
C. Server stores JWT in database and checks it on each request
D. Client sends JWT in Authorization header; server verifies signature and extracts user info

Solution

1. Step 1: Understand JWT usage in a REST API
After login, the server issues a JWT so the client can prove its identity on later requests without resending credentials.
2. Step 2: Identify the correct authentication flow
The client sends the JWT in the Authorization header (Authorization: Bearer <token>); the server verifies the signature and the claims, then extracts the user info to authenticate the request.
3. Final Answer:
Client sends JWT in Authorization header; server verifies signature and extracts user info -> Option D
4. Quick Check:
JWT sent in the Authorization header and verified by the server on every request
Hint: The JWT goes in the Authorization header; the server verifies the signature.
Common Mistakes:
• Sending credentials with every request instead of the JWT
• Storing the JWT server-side, which defeats statelessness
• Ignoring signature verification, which lets anyone forge claims
• Putting the token in the URL query string, where it ends up in server logs, browser history and Referer headers