Bird
Raised Fist0
Spring Bootframework~8 mins

JWT generation in Spring Boot - Performance & Optimization

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Performance: JWT generation
MEDIUM IMPACT
JWT generation affects server response time and CPU usage during authentication processes.
Generating JWT tokens for user authentication
Spring Boot
Key key = Keys.hmacShaKeyFor(secretKey.getBytes(StandardCharsets.UTF_8));
String token = Jwts.builder()
  .setSubject(user.getUsername())
  .setExpiration(Date.from(Instant.now().plus(1, ChronoUnit.HOURS)))
  .signWith(key, SignatureAlgorithm.HS256)
  .compact();
Using a properly generated Key object with modern API reduces CPU overhead and improves security.
📈 Performance GainReduces token generation time by 30-50%, lowering authentication latency
Generating JWT tokens for user authentication
Spring Boot
String token = Jwts.builder()
  .setSubject(user.getUsername())
  .setExpiration(new Date(System.currentTimeMillis() + 3600000))
  .signWith(SignatureAlgorithm.HS256, secretKey.getBytes())
  .compact();
Using a raw byte array for the secret key without proper key management and using deprecated signWith method overload causes unnecessary CPU overhead and potential security risks.
📉 Performance CostBlocks authentication response for 10-20ms per token generation under load
Performance Comparison
PatternCPU UsageResponse DelaySecurity ImpactVerdict
Raw byte key with deprecated signWithHigh10-20ms delayPotential security risk[X] Bad
Proper Key object with modern APILow5-10ms delaySecure and efficient[OK] Good
Rendering Pipeline
JWT generation happens on the server before sending the response. It impacts server CPU and delays response delivery, affecting user interaction speed.
Server CPU processing
Response generation
⚠️ BottleneckCPU processing during token signing
Core Web Vital Affected
INP
JWT generation affects server response time and CPU usage during authentication processes.
Optimization Tips
1Use modern JWT libraries with proper key management to reduce CPU load.
2Avoid deprecated methods that cause unnecessary processing overhead.
3Monitor authentication response times to detect JWT generation bottlenecks.
Performance Quiz - 3 Questions
Test your performance knowledge
What is the main performance cost of JWT generation on the server?
ANetwork bandwidth for token size
BCPU usage during token signing
CClient-side rendering delay
DDisk I/O for token storage
DevTools: Network
How to check: Open DevTools, go to Network tab, filter authentication requests, and check response times for token generation endpoints.
What to look for: Look for longer server response times indicating slow JWT generation.

Practice

(1/5)
1. What is the main purpose of generating a JWT (JSON Web Token) in a Spring Boot application?
easy
A. To securely identify users without storing session data on the server
B. To store user passwords in the database
C. To create HTML pages dynamically
D. To manage database connections

Solution

  1. Step 1: Understand JWT purpose

    JWTs are used to securely identify users by encoding user info and signing it.

  2. Step 2: Compare options

    Only To securely identify users without storing session data on the server describes JWT's role in stateless authentication without server sessions.

  3. Final Answer:

    To securely identify users without storing session data on the server -> Option A

  4. Quick Check:

    JWT purpose = secure user identity without sessions [OK]
Hint: JWTs identify users without server sessions [OK]
Common Mistakes:
  • Confusing JWT with session storage
  • Thinking JWT stores passwords
  • Assuming JWT creates web pages
2. Which of the following code snippets correctly initializes a JWT builder using the jjwt library in Spring Boot?
easy
A. JwtBuilder().setSubject("user").sign(secretKey).build();
B. Jwts.builder().subject("user").sign(secretKey).compact();
C. Jwts.create().subject("user").signWith(secretKey).generate();
D. Jwts.builder().setSubject("user").signWith(secretKey).compact();

Solution

  1. Step 1: Recall jjwt syntax

    The correct method chain starts with Jwts.builder(), uses setSubject(), signWith(), then compact().

  2. Step 2: Check each option

    Jwts.builder().setSubject("user").signWith(secretKey).compact(); matches the correct method names and order. Others use incorrect method names or chaining.

  3. Final Answer:

    Jwts.builder().setSubject("user").signWith(secretKey).compact(); -> Option D

  4. Quick Check:

    Correct jjwt builder syntax = Jwts.builder().setSubject("user").signWith(secretKey).compact(); [OK]
Hint: Use Jwts.builder(), setSubject(), signWith(), compact() [OK]
Common Mistakes:
  • Using incorrect method names like sign() instead of signWith()
  • Missing Jwts.builder() start
  • Using create() or build() instead of compact()
3. Given the following code snippet, what will be the output type of the token variable?
String token = Jwts.builder()
  .setSubject("user123")
  .signWith(secretKey)
  .compact();
medium
A. A JSON object representing the token
B. A signed JWT string token
C. A byte array of the token
D. An exception is thrown

Solution

  1. Step 1: Understand compact() output

    The compact() method returns the JWT as a compact URL-safe string.

  2. Step 2: Analyze code snippet

    The code builds a JWT with subject and signs it, then calls compact(), so token is a String.

  3. Final Answer:

    A signed JWT string token -> Option B

  4. Quick Check:

    compact() returns String token [OK]
Hint: compact() returns JWT as a string [OK]
Common Mistakes:
  • Expecting a JSON object instead of string
  • Thinking output is byte array
  • Assuming code throws exception without error
4. Identify the error in this JWT generation code snippet:
String token = Jwts.builder()
  .setSubject("user")
  .signWith("mySecretKey")
  .compact();
medium
A. Jwts.builder() is not a valid method
B. setSubject() cannot accept a String
C. signWith() requires a Key object, not a String
D. compact() should be called before signWith()

Solution

  1. Step 1: Check signWith() parameter type

    signWith() expects a java.security.Key or SecretKey, not a plain String.

  2. Step 2: Verify other methods

    setSubject() accepts String, compact() is correctly called last, and Jwts.builder() is valid.

  3. Final Answer:

    signWith() requires a Key object, not a String -> Option C

  4. Quick Check:

    signWith() needs Key, not String [OK]
Hint: Use Key object with signWith(), not plain String [OK]
Common Mistakes:
  • Passing String directly to signWith()
  • Calling compact() too early
  • Misunderstanding setSubject() input
5. You want to generate a JWT in Spring Boot that expires in 10 minutes. Which code snippet correctly sets the expiration time using jjwt?
hard
A. Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact();
B. Jwts.builder().setSubject("user").setExpiry(600000).signWith(secretKey).compact();
C. Jwts.builder().setSubject("user").setExpiration(600000).signWith(secretKey).compact();
D. Jwts.builder().setSubject("user").setExpiresAt(new Date(600000)).signWith(secretKey).compact();

Solution

  1. Step 1: Understand expiration setting in jjwt

    setExpiration() expects a Date object representing the expiration time.

  2. Step 2: Calculate expiration time

    Use current time plus 600000 milliseconds (10 minutes) to set expiration correctly.

  3. Step 3: Check options

    Only Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); correctly uses setExpiration() with new Date(System.currentTimeMillis() + 600000).

  4. Final Answer:

    Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); -> Option A

  5. Quick Check:

    setExpiration(Date) with currentTime + 10min = Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); [OK]
Hint: Use setExpiration(new Date(System.currentTimeMillis() + millis)) [OK]
Common Mistakes:
  • Using setExpiry() or setExpiresAt() which don't exist
  • Passing milliseconds directly instead of Date
  • Setting expiration to a fixed past date