
JWT structure and flow in REST API - Step-by-Step Execution

Concept Flow - JWT structure and flow
1. Client sends login request
2. Server verifies credentials
3. Server creates JWT
4. Server sends JWT to client
5. Client stores JWT
6. Client sends JWT with API requests
7. Server verifies JWT
8. Allow access
This flow shows how a client logs in, receives a JWT, stores it, and uses it for authenticated requests, while the server verifies the token each time.
Execution Sample
import jwt  # PyJWT, assumed here as the library behind the pseudocode's encode()
secret = "server-side-secret"  # known only to the server
header = {"alg": "HS256", "typ": "JWT"}
payload = {"user_id": 123, "exp": 1680000000}  # exp is a Unix timestamp; the token is rejected once it has passed
token = jwt.encode(payload, secret, algorithm="HS256", headers=header)
# Client sends token with requests, typically as Authorization: Bearer <token>
# Server decodes and verifies token: jwt.decode(token, secret, algorithms=["HS256"]) checks the signature and exp
This code builds the header and payload and signs them with the server's secret key to produce the token; the client presents that token on later requests, and the server checks the signature and expiry before serving them.
Execution Table

| Step | Action | Data Involved | Result/Output |
|---|---|---|---|
| 1 | Client sends login request | Username, Password | Request received by server |
| 2 | Server verifies credentials | Username, Password | Credentials valid? Yes |
| 3 | Server creates JWT | Header, Payload, Secret | JWT token generated |
| 4 | Server sends JWT to client | JWT token | Client receives token |
| 5 | Client stores JWT | JWT token | Token saved locally |
| 6 | Client sends JWT with API request | JWT token in Authorization header | Request sent to server |
| 7 | Server verifies JWT | JWT token, Secret | Token valid? Yes |
| 8 | Server allows access | Valid token | Requested data sent |
| 9 | Client sends JWT with API request | JWT token in Authorization header | Request sent to server |
| 10 | Server verifies JWT | JWT token, Secret | Token valid? No (expired or tampered) |
| 11 | Server rejects request | Invalid token | Access denied response sent |
💡 Execution stops when server rejects invalid or expired JWT token.
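The server side of steps 3, 7 and 10 in working form, as an added example that is not the platform's own code: it mints an HS256 token (header.payload.signature) and verifies it, reporting whether a token is valid, tampered or expired. The secret, the sample payload and the clock value passed as now are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: in practice the secret lives only on the server
SECRET = b"server-side-secret-for-demo"


def _b64url(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, secret: bytes = SECRET) -> str:
    # Step 3: base64url(header).base64url(payload).base64url(HMAC-SHA256 over the first two)
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> tuple:
    # Steps 7 and 10: return (valid, reason) so the server can log why it rejected a token
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # The server pins the algorithm it accepts instead of trusting the token's own header
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "tampered"  # any edit to header or payload, or a wrong key, fails here
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return False, "expired"
    return True, "valid"
```

With the page's payload the first two segments of the returned token are exactly the base64url strings shown in the Variable Tracker; the reason string is what step 10 should surface in the server's logs.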
Variable Tracker

| Variable | Start | After Step 3 | After Step 4 | After Step 5 | After Step 6 | After Step 7 | After Step 10 |
|---|---|---|---|---|---|---|---|
| header | {"alg": "HS256", "typ": "JWT"} | unchanged | unchanged | unchanged | unchanged | unchanged | unchanged |
| payload | {"user_id": 123, "exp": 1680000000} | unchanged | unchanged | unchanged | unchanged | unchanged | unchanged |
| token | null | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsImV4cCI6MTY4MDAwMDAwMH0.signature | unchanged | unchanged | unchanged | unchanged | unchanged |
Key Moments - 3 Insights
Q: Why does the server reject a request even if the client sends a token?
A: Because the token might be expired or tampered with, as shown in execution_table step 10 where the server finds the token invalid and rejects the request in step 11.
Q: What is inside the JWT token that allows the server to verify it?
A: The JWT contains a header and payload signed with a secret. The server uses the secret to verify the signature, as shown in step 3 and step 7 of the execution_table.
Q: Does the client need to send username and password with every request?
A: No, after login the client sends only the JWT token with requests, as shown in steps 6 and 9, so the server can verify the token without needing credentials again.
Visual Quiz - 3 Questions
Test your understanding
1. Look at the execution_table: at which step does the server create the JWT token?
A. Step 3
B. Step 5
C. Step 2
D. Step 7
💡 Hint: Check the 'Action' column in execution_table for the step where 'Server creates JWT' happens.
2. According to variable_tracker, what is the value of 'token' after Step 5?
A. null
B. Header and payload only
C. Encoded JWT string
D. Secret key
💡 Hint: Look at the 'token' row under the 'After Step 5' column in variable_tracker.
3. At which step does the server reject the request due to an invalid token?
A. Step 8
B. Step 11
C. Step 10
D. Step 9
💡 Hint: Check execution_table for the step where 'Server rejects request' is the result.
Concept Snapshot
JWT Structure and Flow:
- Client logs in with credentials
- Server verifies and creates JWT (header.payload.signature)
- Client stores and sends JWT with requests
- Server verifies JWT signature and expiry
- Valid token grants access; invalid token denies
- JWT allows stateless, secure API authentication
Full Transcript
This visual execution shows how JWT works in a REST API. First, the client sends login info. The server checks it. If correct, the server creates a JWT token with header and payload signed by a secret. The server sends this token to the client. The client saves it and sends it with future requests. The server checks the token each time. If the token is valid, the server allows access. If the token is invalid or expired, the server rejects the request. Variables like header, payload, and token change as the process runs. Key moments include understanding why tokens can be rejected, what is inside a JWT, and that credentials are not sent every time. The quizzes test your understanding of these steps and variable states.