Performance: Authentication with JWT token
MEDIUM IMPACT
This affects page load speed by adding token validation steps during API calls and impacts interaction responsiveness when verifying tokens.
0Authentication with JWT token in Spring Boot - Performance & Optimization
Start learning this pattern below
Jump into concepts and practice - no test required
or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Validating user authentication on each API request
Spring Boot
public boolean validateToken(String token) {
// Decode token with lightweight parsing
Claims claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
// Use cached user roles or embed roles in token to avoid DB call
return claims.getExpiration().after(new Date());
}Avoids database calls by embedding necessary info in the token and uses fast in-memory validation.
📈 Performance GainReduces request processing time by 40-80ms, improving INP and server throughput
Validating user authentication on each API request
Spring Boot
public boolean validateToken(String token) {
// Decode token without caching
Claims claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
// Perform expensive DB call to verify user roles every request
User user = userRepository.findByUsername(claims.getSubject());
return user != null && user.hasValidRoles();
}Decoding and verifying the token plus querying the database on every request causes high latency and blocks request processing.
📉 Performance CostBlocks request handling for 50-100ms per API call, increasing INP and server load
Performance Comparison
| Pattern | DOM Operations | Reflows | Paint Cost | Verdict |
|---|---|---|---|---|
| Validating JWT with DB call every request | 0 (server-side) | 0 | 0 | [X] Bad |
| Validating JWT with embedded claims and no DB call | 0 (server-side) | 0 | 0 | [OK] Good |
Rendering Pipeline
JWT authentication happens mostly server-side before the response is sent, affecting the time to first byte and interaction responsiveness.
→Server Processing
→Network Transfer
⚠️ BottleneckServer Processing due to token parsing and validation logic
Core Web Vital Affected
INP
This affects page load speed by adding token validation steps during API calls and impacts interaction responsiveness when verifying tokens.
Optimization Tips
1Avoid database calls during JWT validation on every request.
2Embed necessary user info and roles inside the JWT token.
3Cache validation results to reduce repeated processing.
Performance Quiz - 3 Questions
Test your performance knowledge
What is a common performance issue when validating JWT tokens on every API request?
DevTools: Network
How to check: Open DevTools, go to Network tab, inspect API request timings and look at Time to First Byte (TTFB) to see server response delays.
What to look for: High TTFB indicates slow server-side JWT validation; lower TTFB means faster authentication processing.
Practice
1. What is the main purpose of using a JWT token in Spring Boot authentication?
easy
Solution
Step 1: Understand JWT token role
JWT tokens are used to prove user identity securely without resending passwords.Step 2: Compare options with JWT purpose
Only To securely transmit user identity without sending passwords every time correctly describes this purpose; others are unrelated or incorrect.Final Answer:
To securely transmit user identity without sending passwords every time -> Option BQuick Check:
JWT token purpose = secure identity proof [OK]
Hint: JWT tokens prove identity without passwords [OK]
Common Mistakes:
- Thinking JWT stores passwords
- Confusing JWT with data encryption
- Assuming JWT replaces HTTPS
2. Which of the following is the correct way to extract the JWT token from an HTTP request header in Spring Boot?
easy
Solution
Step 1: Identify JWT token location in HTTP request
JWT tokens are usually sent in the Authorization header with prefix "Bearer ".Step 2: Extract token correctly
String token = request.getHeader("Authorization").substring(7); extracts the header and removes the "Bearer " prefix (7 characters), which is correct.Final Answer:
String token = request.getHeader("Authorization").substring(7); -> Option DQuick Check:
Extract JWT from Authorization header [OK]
Hint: JWT is in Authorization header with 'Bearer ' prefix [OK]
Common Mistakes:
- Using request parameters instead of headers
- Trying to get token from request body
- Assuming token is in cookies by default
3. Given this Spring Boot JWT validation snippet, what will be the output if the token is expired?
try {
Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token);
System.out.println("Token is valid");
} catch (ExpiredJwtException e) {
System.out.println("Token expired");
} catch (JwtException e) {
System.out.println("Invalid token");
}medium
Solution
Step 1: Understand exception handling in JWT parsing
If the token is expired, the parser throws ExpiredJwtException, caught by the first catch block.Step 2: Identify printed output for expired token
The catch block prints "Token expired" when ExpiredJwtException occurs.Final Answer:
Token expired -> Option CQuick Check:
Expired token triggers ExpiredJwtException [OK]
Hint: ExpiredJwtException means token expired [OK]
Common Mistakes:
- Confusing expired token with invalid token
- Ignoring exception handling order
- Assuming no output on exceptions
4. Identify the error in this JWT token generation code snippet in Spring Boot:
String token = Jwts.builder() .setSubject(username) .signWith(SignatureAlgorithm.HS256, secretKey) .compact();
medium
Solution
Step 1: Check jjwt signing method usage
In recent jjwt versions, signWith requires a Key object, not just algorithm and string key.Step 2: Identify correct signing method
Using signWith(SignatureAlgorithm, String) is deprecated and causes errors; must use signWith(Key).Final Answer:
Incorrect method to set signing key in new jjwt versions -> Option AQuick Check:
Use Key object with signWith in jjwt [OK]
Hint: Use Key object, not algorithm + string, in signWith [OK]
Common Mistakes:
- Ignoring jjwt version changes
- Assuming string key is accepted directly
- Confusing expiration with signing errors
5. You want to implement JWT authentication in Spring Boot that automatically rejects tokens older than 15 minutes and refreshes tokens on each valid request. Which approach correctly combines expiration and refresh logic?
hard
Solution
Step 1: Understand token expiration and refresh needs
To reject tokens older than 15 minutes, set expiration to 15 minutes.Step 2: Implement refresh on each valid request
Issuing a new token with updated expiration on each valid request keeps user session active securely.Final Answer:
Set token expiration to 15 minutes and issue a new token with updated expiration on each valid request -> Option AQuick Check:
Short expiration + refresh token = secure session [OK]
Hint: Short expiration plus refresh token on requests [OK]
Common Mistakes:
- Not refreshing tokens causing forced logouts
- Setting too long expiration risking security
- Ignoring expiration causing infinite sessions