
JWT structure and flow in Rest API - Interactive Code Practice

Practice - 5 Tasks
Answer the questions below
1. Fill in the blank (easy)

Complete the code to decode the JWT token header. Note that get_unverified_header reads the header without checking the signature: use it only to decide which key to verify with (for example from a kid header parameter), never to trust the alg it names.

import jwt

token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
# get_unverified_header only base64url-decodes the first segment; nothing is verified yet.
header = jwt.get_unverified_header([1])
print(header)

Options:
A. token
B. signature
C. secret
D. payload

Common Mistakes
Passing only the payload or signature instead of the full token.
Using the secret key instead of the token.
2. Fill in the blank (medium)

Complete the code to verify and decode the JWT token payload using the secret key.

import jwt

secret_key = 'mysecret'
# Sign an empty payload with secret_key so the verification below has a matching key.
# A token signed with any other key, or altered after signing, makes jwt.decode raise
# jwt.InvalidSignatureError.
token = jwt.encode({}, secret_key, algorithm='HS256')
# The algorithms list is pinned by the verifier; it must never be taken from the token header.
payload = jwt.decode(token, [1], algorithms=['HS256'])
print(payload)

Options:
A. token
B. secret_key
C. payload
D. header

Common Mistakes
Passing the token itself instead of the secret key.
Passing the payload or header instead of the secret key.
3. Fill in the blank (hard)

Complete the code to create a JWT token from a payload and a secret.

import jwt

payload = {'user_id': 123}
secret = 'mysecret'
# jwt.encode(payload, key, algorithm=...) returns the compact header.payload.signature string.
token = jwt.encode([1], secret, algorithm='HS256')
print(token)

Options:
A. secret
B. token
C. payload
D. algorithm

Common Mistakes
Passing the secret key as the first argument instead of the payload.
Passing the token variable, which is not defined yet.
4. Fill in the blanks (hard)

Fill both blanks to create a JWT token and then decode it correctly.

import jwt

payload = {'role': 'admin'}
secret = 'topsecret'
token = jwt.encode([1], [2], algorithm='HS256')
# Decoding with the same secret and a pinned algorithm list verifies the signature
# before any claims are returned.
decoded = jwt.decode(token, secret, algorithms=['HS256'])
print(decoded)

Options:
A. payload
B. secret
C. token
D. algorithm

Common Mistakes
Swapping the order of payload and secret.
Using the token variable before it is created.
5. Fill in the blanks (hard)

Fill all three blanks to create a JWT token with an expiring payload, decode it, and extract the user ID.

import jwt
import time

# 'exp' must lie in the future: PyJWT checks it during decode and raises
# jwt.ExpiredSignatureError for a fixed past timestamp such as 1700000000.
payload = {'user_id': 42, 'exp': int(time.time()) + 3600}
secret = 'secret123'
token = jwt.encode([1], [2], algorithm='HS256')
decoded = jwt.decode(token, secret, algorithms=['HS256'])
user_id = decoded[[3]]
print(user_id)

Options:
A. payload
B. secret
C. 'user_id'
D. 'exp'

Common Mistakes
Using 'exp' instead of 'user_id' to extract the user ID.
Swapping payload and secret in the encode call.
Hard-coding an 'exp' that is already in the past, which makes decode raise ExpiredSignatureError.

Practice - 5 Questions

1. What are the three main parts of a JWT (JSON Web Token)?
easy
A. Header, Payload, Signature
B. Username, Password, Token
C. Request, Response, Token
D. Key, Value, Token

Solution

  1. Step 1: Understand JWT structure basics

    A JWT is made of three parts separated by dots.
  2. Step 2: Identify the parts

    The three parts are Header (metadata such as alg and typ), Payload (claims), and Signature (an integrity check over the first two).
  3. Final Answer:

    Header, Payload, Signature -> Option A
  4. Quick Check:

    JWT parts = Header, Payload, Signature
Hint: Remember JWT has 3 parts separated by dots
Common Mistakes:
  • Confusing JWT parts with user credentials
  • Thinking JWT has only two parts
  • Mixing up token with request/response
2. Which of the following is the correct format of a JWT string?
easy
A. header|payload|signature
B. header-payload-signature
C. header.payload.signature
D. header_payload_signature

Solution

  1. Step 1: Recall JWT encoding format

    Each part is base64url encoded (no '=' padding, '-' and '_' instead of '+' and '/') and the three are joined by dots.
  2. Step 2: Identify correct separator

    The correct separator between parts is a dot ('.').
  3. Final Answer:

    header.payload.signature -> Option C
  4. Quick Check:

    JWT format uses dots '.'
Hint: JWT parts are joined by dots '.'
Common Mistakes:
  • Using dashes or underscores instead of dots
  • Confusing with other token formats
  • Using standard base64 (with '+', '/' and '=' padding) instead of base64url
3. Given this JWT payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}, what does the iat field represent?
medium
A. Issuer of the token
B. Issued at time
C. Expiration time
D. Subject identifier

Solution

  1. Step 1: Understand JWT standard claims

    Common claims include 'sub' (subject), 'iat' (issued at), 'exp' (expiration), and 'iss' (issuer).
  2. Step 2: Identify meaning of 'iat'

    'iat' stands for 'issued at' and marks the time the token was created.
  3. Final Answer:

    Issued at time -> Option B
  4. Quick Check:

    'iat' = issued at time
Hint: 'iat' means when token was issued
Common Mistakes:
  • Confusing 'iat' with expiration time
  • Mixing 'sub' and 'iss' claims
  • Assuming 'iat' is issuer
4. You receive a JWT but the signature verification fails. What is the most likely cause?
medium
A. The secret key used to sign the token is different
B. The token payload is empty
C. The header is missing
D. The token is not base64 encoded

Solution

  1. Step 1: Understand signature verification

    For HS256 the signature is an HMAC computed with the secret key over the encoded header and payload; the verifier recomputes it and compares.
  2. Step 2: Identify cause of verification failure

    If the verification key differs from the signing key, the recomputed value cannot match. Tampering with the header or payload after signing fails the same way, which is the point of the check.
  3. Final Answer:

    The secret key used to sign the token is different -> Option A
  4. Quick Check:

    Signature fails if secret keys differ
Hint: Signature fails if secret keys don't match
Common Mistakes:
  • Assuming empty payload causes signature failure
  • Thinking missing header always breaks signature
  • Confusing encoding with signature verification
5. In a REST API, after a user logs in, the server issues a JWT. Which step correctly describes the flow for authenticating future requests using this JWT?
hard
A. Client sends JWT in URL query; server ignores signature and trusts token
B. Client sends username and password with every request; server creates new JWT each time
C. Server stores JWT in database and checks it on each request
D. Client sends JWT in Authorization header; server verifies signature and extracts user info

Solution

  1. Step 1: Understand JWT usage in REST API

    After login, server issues JWT to client to prove identity without resending credentials.
  2. Step 2: Identify correct authentication flow

    The client sends the JWT on each request as "Authorization: Bearer <token>"; the server verifies the signature (and exp), then reads the claims for user info. No credentials are resent and no server-side session lookup is needed.
  3. Final Answer:

    Client sends JWT in Authorization header; server verifies signature and extracts user info -> Option D
  4. Quick Check:

    JWT sent in header and verified by server
Hint: JWT goes in Authorization header, server verifies signature
Common Mistakes:
  • Sending credentials every request instead of JWT
  • Storing every JWT server-side and looking it up per request defeats statelessness (a short revocation denylist is a separate, deliberate trade-off)
  • Ignoring signature verification risks security
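Everything the five exercises above do with PyJWT, and the request flow in question 5, comes down to three dot-separated base64url segments and one HMAC. The following is an added example, not part of this page and not PyJWT's own code, that implements HS256 signing and verification with only the Python standard library and then applies it on the server side of the Authorization: Bearer flow. It also builds the two tokens a verifier must reject: a payload altered after signing (question 4) and an unsigned token claiming alg=none. The function names, the secret 'topsecret' and the sample claims are constructed for illustration; the now parameter exists so the expiry check is deterministic.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWS segments use base64url with the '=' padding stripped (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64.urlsafe_b64decode expects.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, secret: str) -> str:
    """Build header.payload.signature, which is what jwt.encode(..., algorithm='HS256') does."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_hs256(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Verify, then decode, mirroring jwt.decode(token, secret, algorithms=['HS256']).

    Every failure raises ValueError; a REST API maps all of them to 401.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side. Letting the unverified header choose it
    # is how 'alg: none' and RSA-to-HMAC confusion bypasses work.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def authenticate_request(headers: dict, secret: str, now: Optional[int] = None) -> dict:
    """Server side of the flow in question 5: take the bearer token from the
    Authorization header and return its claims only if it verifies."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("missing bearer token")
    return decode_hs256(token.strip(), secret, now)


def check(token: str, secret: str, now: Optional[int] = None) -> str:
    """'ok' or the reason verification failed; handy for logs and tests."""
    try:
        decode_hs256(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_payload(token: str, new_payload: dict) -> str:
    """Attacker's move for question 4: swap the payload but keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, b64url_encode(json.dumps(new_payload).encode()), sig_b64])


def forge_alg_none(payload: dict) -> str:
    """Unsigned token claiming alg=none; a verifier that trusts the header would accept it."""
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header_b64 + "." + b64url_encode(json.dumps(payload).encode()) + "."


if __name__ == "__main__":
    secret = "topsecret"  # constructed for the example; in practice load it from a secret store
    claims = {"sub": "42", "role": "user", "iat": 1700000000, "exp": 1700003600}
    token = encode_hs256(claims, secret)
    request = {"Authorization": "Bearer " + token}  # the client's next API call
    print(authenticate_request(request, secret, now=1700000100))
    print(check(token, "mysecret", now=1700000100))  # wrong key
    print(check(tamper_payload(token, {**claims, "role": "admin"}), secret, now=1700000100))
    print(check(forge_alg_none({**claims, "role": "admin"}), secret))
    print(check(token, secret, now=1700003600))  # expired
```

The header segment produced by encode_hs256 is the same eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 that opens the sample token in the exercises. The order of checks in decode_hs256 matters: the algorithm is pinned before the signature is examined, the signature is compared in constant time before the payload is parsed, and only then are time-based claims evaluated.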