JWT generation creates a secure token to identify users safely. It helps servers know who is making requests without asking for passwords every time.
JWT generation in Spring Boot
Introduction
Syntax
Spring Boot
String jwt = Jwts.builder()
    .setSubject(username)
    .setIssuedAt(new Date())
    .setExpiration(new Date(System.currentTimeMillis() + expirationTime))
    .signWith(Keys.hmacShaKeyFor(secretKey.getBytes()), SignatureAlgorithm.HS256)
    .compact();
setSubject sets the user identity inside the token.
signWith uses a secret key to make the token secure and hard to fake.
Examples
Spring Boot
String token = Jwts.builder()
    .setSubject("user123")
    .signWith(Keys.hmacShaKeyFor("mySecretKeymySecretKeymySecretKeymySecretKey".getBytes()), SignatureAlgorithm.HS256)
    .compact();
Spring Boot
String token = Jwts.builder()
    .setSubject("user123")
    .setIssuedAt(new Date())
    .setExpiration(new Date(System.currentTimeMillis() + 3600000))
    .signWith(Keys.hmacShaKeyFor("mySecretKeymySecretKeymySecretKeymySecretKey".getBytes()), SignatureAlgorithm.HS256)
    .compact();
Sample Program
This Spring Boot compatible Java class creates a JWT token for a username. It sets the token to expire in 1 hour and signs it with a secret key. The main method prints the token.
Spring Boot
package com.example.jwt;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.crypto.SecretKey;

public class JwtGenerator {

    // Hard-coded only to keep the sample self-contained; HS256 needs at least 32 bytes of key material.
    private static final String SECRET_KEY_STRING = "mySecretKeymySecretKeymySecretKeymySecretKey";
    // Explicit charset so the key bytes do not depend on the platform default.
    private static final SecretKey SECRET_KEY =
            Keys.hmacShaKeyFor(SECRET_KEY_STRING.getBytes(StandardCharsets.UTF_8));
    private static final long EXPIRATION_TIME = 3600000; // 1 hour in milliseconds

    // Builds a signed token whose subject is the username and which expires after EXPIRATION_TIME.
    public static String generateToken(String username) {
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SECRET_KEY, SignatureAlgorithm.HS256)
                .compact();
    }

    public static void main(String[] args) {
        String token = generateToken("user123");
        System.out.println("Generated JWT Token:");
        System.out.println(token);
    }
}
Important Notes
Keep your secret key safe and never share it publicly.
Tokens expire to keep security strong; always set expiration.
Use libraries like jjwt for easy JWT handling in Spring Boot.
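The first two notes as code, in an added example that is not part of the original page: the key comes from outside the source tree and the receiving side rejects expired or wrongly signed tokens. It assumes jjwt 0.11.x (the API generation the page's snippets use); the class name and the JWT_SECRET_B64 environment variable are hypothetical.

```java
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import java.util.Date;
import javax.crypto.SecretKey;

// Added example; assumes jjwt 0.11.x, the API generation the page's snippets use.
public class JwtKeyAndExpiryDemo {
    // JWT_SECRET_B64 is a hypothetical environment variable: Base64 of at least 32
    // random bytes. hmacShaKeyFor throws WeakKeyException for anything shorter.
    static SecretKey loadKey() {
        String b64 = System.getenv("JWT_SECRET_B64");
        if (b64 == null || b64.isEmpty()) {
            // Demo fallback: a random per-process key, so tokens die with the process.
            return Keys.secretKeyFor(SignatureAlgorithm.HS256);
        }
        return Keys.hmacShaKeyFor(Decoders.BASE64.decode(b64));
    }

    static String issue(SecretKey key, String username, long ttlMillis) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    // Returns the subject only if the signature verifies and exp is still in the future.
    static String verify(SecretKey key, String token) {
        try {
            return Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(token).getBody().getSubject();
        } catch (JwtException e) {
            return null; // expired, wrong key, or malformed
        }
    }

    public static void main(String[] args) {
        SecretKey key = loadKey();
        SecretKey otherKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        System.out.println(verify(key, issue(key, "user123", 600_000)));      // 10-minute token
        System.out.println(verify(key, issue(key, "user123", -60_000)));      // exp in the past
        System.out.println(verify(otherKey, issue(key, "user123", 600_000))); // verified with another key
    }
}
```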
Summary
JWT tokens securely identify users without storing sessions.
Use a secret key to sign tokens and set expiration times.
Spring Boot apps can generate JWTs using the jjwt library easily.
Practice
1. What is the main purpose of generating a JWT (JSON Web Token) in a Spring Boot application?
easy
Solution
Step 1: Understand JWT purpose
JWTs are used to securely identify users by encoding user info and signing it.
Step 2: Compare options
Only "To securely identify users without storing session data on the server" describes JWT's role in stateless authentication without server sessions.
Final Answer:
To securely identify users without storing session data on the server -> Option A
Quick Check:
JWT purpose = secure user identity without sessions [OK]
Hint: JWTs identify users without server sessions [OK]
Common Mistakes:
- Confusing JWT with session storage
- Thinking JWT stores passwords
- Assuming JWT creates web pages
2. Which of the following code snippets correctly initializes a JWT builder using the jjwt library in Spring Boot?
easy
Solution
Step 1: Recall jjwt syntax
The correct method chain starts with Jwts.builder(), uses setSubject(), signWith(), then compact().
Step 2: Check each option
Jwts.builder().setSubject("user").signWith(secretKey).compact(); matches the correct method names and order. Others use incorrect method names or chaining.
Final Answer:
Jwts.builder().setSubject("user").signWith(secretKey).compact(); -> Option D
Quick Check:
Correct jjwt builder syntax = Jwts.builder().setSubject("user").signWith(secretKey).compact(); [OK]
Hint: Use Jwts.builder(), setSubject(), signWith(), compact() [OK]
Common Mistakes:
- Using incorrect method names like sign() instead of signWith()
- Missing Jwts.builder() start
- Using create() or build() instead of compact()
3. Given the following code snippet, what will be the output type of the token variable?
String token = Jwts.builder()
    .setSubject("user123")
    .signWith(secretKey)
    .compact();
medium
Solution
Step 1: Understand compact() output
The compact() method returns the JWT as a compact URL-safe string.
Step 2: Analyze code snippet
The code builds a JWT with subject and signs it, then calls compact(), so token is a String.
Final Answer:
A signed JWT string token -> Option B
Quick Check:
compact() returns String token [OK]
Hint: compact() returns JWT as a string [OK]
Common Mistakes:
- Expecting a JSON object instead of string
- Thinking output is byte array
- Assuming code throws exception without error
4. Identify the error in this JWT generation code snippet:
String token = Jwts.builder()
    .setSubject("user")
    .signWith("mySecretKey")
    .compact();
medium
Solution
Step 1: Check signWith() parameter type
signWith() expects a java.security.Key or SecretKey, not a plain String.
Step 2: Verify other methods
setSubject() accepts String, compact() is correctly called last, and Jwts.builder() is valid.
Final Answer:
signWith() requires a Key object, not a String -> Option C
Quick Check:
signWith() needs Key, not String [OK]
Hint: Use Key object with signWith(), not plain String [OK]
Common Mistakes:
- Passing String directly to signWith()
- Calling compact() too early
- Misunderstanding setSubject() input
5. You want to generate a JWT in Spring Boot that expires in 10 minutes. Which code snippet correctly sets the expiration time using jjwt?
hard
Solution
Step 1: Understand expiration setting in jjwt
setExpiration() expects a Date object representing the expiration time.
Step 2: Calculate expiration time
Use current time plus 600000 milliseconds (10 minutes) to set expiration correctly.
Step 3: Check options
Only Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); correctly uses setExpiration() with new Date(System.currentTimeMillis() + 600000).
Final Answer:
Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); -> Option A
Quick Check:
setExpiration(Date) with currentTime + 10min = Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); [OK]
Hint: Use setExpiration(new Date(System.currentTimeMillis() + millis)) [OK]
Common Mistakes:
- Using setExpiry() or setExpiresAt() which don't exist
- Passing milliseconds directly instead of Date
- Setting expiration to a fixed past date
