JWT generation in Spring Boot - Step-by-Step Execution

Concept Flow - JWT generation
Start JWT Generation
Create JWT Header
Create JWT Payload
Sign JWT with Secret Key
Combine Header, Payload, Signature
Return JWT Token
End
This flow shows how a JWT token is created step-by-step: header and payload are prepared, then signed with a secret key, and finally combined into a token string.
Execution Sample
Spring Boot
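```java
// key: an HMAC-SHA256 SecretKey of at least 32 bytes, e.g. from Keys.hmacShaKeyFor(secretBytes)
String jwt = Jwts.builder()
  .setSubject("user123")                                          // "sub" claim
  .setIssuedAt(new Date())                                        // "iat" claim
  .setExpiration(new Date(System.currentTimeMillis() + 3600000))  // "exp" claim: now + 1 hour
  .signWith(key, SignatureAlgorithm.HS256)                        // HMAC-SHA256 signature
  .compact();                                                     // header.payload.signature
```
This code builds a JWT with a subject, issue time and expiration, signs it, and returns the compact token string.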
Execution Table
| Step | Action | Data Created/Evaluated | Result |
|---|---|---|---|
| 1 | Create JWT Header | `{"alg":"HS256","typ":"JWT"}` | Header JSON object |
| 2 | Create JWT Payload | `{"sub":"user123","iat":<now>,"exp":<now+1h>}` | Payload JSON object |
| 3 | Sign JWT | Header + Payload + Secret Key | Signature string |
| 4 | Combine parts | Base64Url(Header).Base64Url(Payload).Signature | JWT token string |
| 5 | Return JWT | JWT token string | Token ready for client use |
| 6 | End | Process complete | JWT generation finished |
💡 JWT token is fully generated and returned after combining header, payload, and signature.
Variable Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|---|
| header | null | `{"alg":"HS256","typ":"JWT"}` | `{"alg":"HS256","typ":"JWT"}` | `{"alg":"HS256","typ":"JWT"}` | `{"alg":"HS256","typ":"JWT"}` | `{"alg":"HS256","typ":"JWT"}` |
| payload | null | null | `{"sub":"user123","iat":<now>,"exp":<now+1h>}` | `{"sub":"user123","iat":<now>,"exp":<now+1h>}` | `{"sub":"user123","iat":<now>,"exp":<now+1h>}` | `{"sub":"user123","iat":<now>,"exp":<now+1h>}` |
| signature | null | null | null | signatureString | signatureString | signatureString |
| jwtToken | null | null | null | null | header.payload.signature | header.payload.signature |
Key Moments - 3 Insights
Why do we need to sign the JWT after creating header and payload?
Signing protects the token's integrity: any change to the header or payload invalidates the signature, so tampering is detected when the token is verified. The signature is computed over the header and payload with a secret key, as shown in step 3 of the Execution Table.
What does the 'compact()' method do in JWT generation?
The 'compact()' method combines the Base64Url encoded header, payload, and signature into a single string token, as shown in step 4 of the execution_table.
Why do we set an expiration time in the payload?
Expiration limits how long the token is valid for security reasons. The payload includes 'exp' field with a timestamp, as seen in step 2 of the execution_table.
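Steps 1 to 4 of the Execution Table written out with only the JDK, followed by the receiver-side check that rejects a token whose payload was changed after signing. This is an added example, not code from the original page or from jjwt; the class name, helper names and the demo secret are constructed for illustration, and the subject is assumed to need no JSON escaping.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ManualJwtDemo {
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    static String b64(String json) {
        return B64URL.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Step 3: HMAC-SHA256 over "Base64Url(header).Base64Url(payload)"
    static byte[] hmac(byte[] secret, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Steps 1, 2 and 4: build header and payload, then join the three parts with dots.
    // iat and exp are seconds since the epoch; subject is assumed to be JSON-safe.
    static String generate(byte[] secret, String subject, long iat, long ttlSeconds) throws Exception {
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"" + subject + "\",\"iat\":" + iat + ",\"exp\":" + (iat + ttlSeconds) + "}";
        String signingInput = b64(header) + "." + b64(payload);
        return signingInput + "." + B64URL.encodeToString(hmac(secret, signingInput));
    }

    // Receiver side: recompute the signature and compare in constant time.
    static boolean signatureValid(byte[] secret, String token) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        try {
            byte[] presented = Base64.getUrlDecoder().decode(parts[2]);
            return MessageDigest.isEqual(hmac(secret, parts[0] + "." + parts[1]), presented);
        } catch (IllegalArgumentException e) {
            return false; // signature part is not valid Base64Url
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret-32-bytes!".getBytes(StandardCharsets.UTF_8);
        String token = generate(secret, "user123", Instant.now().getEpochSecond(), 3600);
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64("{\"sub\":\"user999\"}") + "." + p[2]; // payload swapped, signature reused
        System.out.println(token);
        System.out.println("original signature valid: " + signatureValid(secret, token));
        System.out.println("modified signature valid: " + signatureValid(secret, forged));
    }
}
```

The header and payload are only Base64Url-encoded, not encrypted, so anyone holding the token can read the claims; the signature only proves they were not altered.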
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is created at step 2?
A. JWT Header JSON object
B. JWT Payload JSON object
C. JWT Signature string
D. Final JWT token string
💡 Hint
Check the 'Data Created/Evaluated' column at step 2 in the execution_table.
At which step is the JWT token string formed?
A. Step 4
B. Step 1
C. Step 3
D. Step 5
💡 Hint
Look for the step where header, payload, and signature are combined into one string in the execution_table.
If the secret key changes, which step's output will be different?
A. Step 1 - Header creation
B. Step 2 - Payload creation
C. Step 3 - Signing
D. Step 4 - Combining parts
💡 Hint
Signing uses the secret key, so check the 'Sign JWT' step in the execution_table.
Concept Snapshot
JWT generation in Spring Boot:
- Build header and payload JSON objects
- Set claims like subject, issuedAt, expiration
- Sign with secret key using signWith()
- Use compact() to get token string
- Token = header.payload.signature
- Token is signed (tamper-evident) and time-limited
Full Transcript
JWT generation in Spring Boot involves creating a header and payload with claims like subject and expiration. Then the token is signed with a secret key to protect its integrity. Finally, the parts are combined into a compact string token that can be sent to clients. This process makes the token tamper-evident and valid only for a limited time.

Practice

1. What is the main purpose of generating a JWT (JSON Web Token) in a Spring Boot application?
easy
A. To securely identify users without storing session data on the server
B. To store user passwords in the database
C. To create HTML pages dynamically
D. To manage database connections

Solution

  1. Step 1: Understand JWT purpose

    JWTs are used to securely identify users by encoding user info and signing it.
  2. Step 2: Compare options

    Only option A, "To securely identify users without storing session data on the server", describes JWT's role in stateless authentication without server sessions.
  3. Final Answer:

    To securely identify users without storing session data on the server -> Option A
  4. Quick Check:

    JWT purpose = secure user identity without sessions [OK]
Hint: JWTs identify users without server sessions [OK]
Common Mistakes:
  • Confusing JWT with session storage
  • Thinking JWT stores passwords
  • Assuming JWT creates web pages
2. Which of the following code snippets correctly initializes a JWT builder using the jjwt library in Spring Boot?
easy
A. JwtBuilder().setSubject("user").sign(secretKey).build();
B. Jwts.builder().subject("user").sign(secretKey).compact();
C. Jwts.create().subject("user").signWith(secretKey).generate();
D. Jwts.builder().setSubject("user").signWith(secretKey).compact();

Solution

  1. Step 1: Recall jjwt syntax

    The correct method chain starts with Jwts.builder(), uses setSubject(), signWith(), then compact().
  2. Step 2: Check each option

    Option D, Jwts.builder().setSubject("user").signWith(secretKey).compact();, uses the correct method names in the correct order. The others use incorrect method names or chaining.
  3. Final Answer:

    Jwts.builder().setSubject("user").signWith(secretKey).compact(); -> Option D
  4. Quick Check:

    Correct jjwt builder syntax = Jwts.builder().setSubject("user").signWith(secretKey).compact(); [OK]
Hint: Use Jwts.builder(), setSubject(), signWith(), compact() [OK]
Common Mistakes:
  • Using incorrect method names like sign() instead of signWith()
  • Missing Jwts.builder() start
  • Using create() or build() instead of compact()
3. Given the following code snippet, what will be the output type of the token variable?
```java
String token = Jwts.builder()
  .setSubject("user123")
  .signWith(secretKey)
  .compact();
```
medium
A. A JSON object representing the token
B. A signed JWT string token
C. A byte array of the token
D. An exception is thrown

Solution

  1. Step 1: Understand compact() output

    The compact() method returns the JWT as a compact URL-safe string.
  2. Step 2: Analyze code snippet

    The code builds a JWT with subject and signs it, then calls compact(), so token is a String.
  3. Final Answer:

    A signed JWT string token -> Option B
  4. Quick Check:

    compact() returns String token [OK]
Hint: compact() returns JWT as a string [OK]
Common Mistakes:
  • Expecting a JSON object instead of string
  • Thinking output is byte array
  • Assuming code throws exception without error
4. Identify the error in this JWT generation code snippet:
```java
String token = Jwts.builder()
  .setSubject("user")
  .signWith("mySecretKey")
  .compact();
```
medium
A. Jwts.builder() is not a valid method
B. setSubject() cannot accept a String
C. signWith() requires a Key object, not a String
D. compact() should be called before signWith()

Solution

  1. Step 1: Check signWith() parameter type

    signWith() expects a java.security.Key or SecretKey, not a plain String.
  2. Step 2: Verify other methods

    setSubject() accepts String, compact() is correctly called last, and Jwts.builder() is valid.
  3. Final Answer:

    signWith() requires a Key object, not a String -> Option C
  4. Quick Check:

    signWith() needs Key, not String [OK]
Hint: Use Key object with signWith(), not plain String [OK]
Common Mistakes:
  • Passing String directly to signWith()
  • Calling compact() too early
  • Misunderstanding setSubject() input
5. You want to generate a JWT in Spring Boot that expires in 10 minutes. Which code snippet correctly sets the expiration time using jjwt?
hard
A. Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact();
B. Jwts.builder().setSubject("user").setExpiry(600000).signWith(secretKey).compact();
C. Jwts.builder().setSubject("user").setExpiration(600000).signWith(secretKey).compact();
D. Jwts.builder().setSubject("user").setExpiresAt(new Date(600000)).signWith(secretKey).compact();

Solution

  1. Step 1: Understand expiration setting in jjwt

    setExpiration() expects a Date object representing the expiration time.
  2. Step 2: Calculate expiration time

    Use current time plus 600000 milliseconds (10 minutes) to set expiration correctly.
  3. Step 3: Check options

    Only option A, Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact();, correctly uses setExpiration() with new Date(System.currentTimeMillis() + 600000).
  4. Final Answer:

    Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); -> Option A
  5. Quick Check:

    setExpiration(Date) with currentTime + 10min = Jwts.builder().setSubject("user").setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(secretKey).compact(); [OK]
Hint: Use setExpiration(new Date(System.currentTimeMillis() + millis)) [OK]
Common Mistakes:
  • Using setExpiry() or setExpiresAt() which don't exist
  • Passing milliseconds directly instead of Date
  • Setting expiration to a fixed past date
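Questions 4 and 5 together as one round trip: a Base64-encoded secret is turned into the Key object that signWith() needs, a 10-minute token is issued, and the verifying side rejects a token signed with another key and a token that has expired. This is an added example, not code from the original page; it assumes the jjwt 0.11.x API (the version family whose builder uses setSubject() and setExpiration()), and the class and helper names are constructed for illustration.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;
import java.util.Date;
import javax.crypto.SecretKey;

public class JwtRoundTripDemo {
    // hmacShaKeyFor throws WeakKeyException when the decoded secret is shorter than 32 bytes
    static SecretKey keyFrom(String base64Secret) {
        return Keys.hmacShaKeyFor(Decoders.BASE64.decode(base64Secret));
    }

    static String issue(SecretKey key, String subject, long ttlMillis) {
        long now = System.currentTimeMillis();
        return Jwts.builder()
            .setSubject(subject)
            .setIssuedAt(new Date(now))
            .setExpiration(new Date(now + ttlMillis))
            .signWith(key, SignatureAlgorithm.HS256)
            .compact();
    }

    // Returns the subject of a valid token, or null when the token is rejected.
    static String verify(SecretKey key, String token) {
        try {
            Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
                .parseClaimsJws(token).getBody();
            return claims.getSubject();
        } catch (JwtException e) { // bad signature, malformed token, or expired (ExpiredJwtException)
            return null;
        }
    }

    public static void main(String[] args) {
        // Stand-in for a secret loaded from configuration: a freshly generated 256-bit key, Base64-encoded
        String configured = Encoders.BASE64.encode(Keys.secretKeyFor(SignatureAlgorithm.HS256).getEncoded());
        SecretKey key = keyFrom(configured);
        String token = issue(key, "user123", 600000); // 10 minutes
        System.out.println("valid token -> " + verify(key, token));
        System.out.println("other key   -> " + verify(Keys.secretKeyFor(SignatureAlgorithm.HS256), token));
        System.out.println("expired     -> " + verify(key, issue(key, "user123", -1000)));
    }
}
```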