JWT structure (header, payload, signature) in Spring Boot - Syntax, Examples & Explanation

Introduction

A JWT (JSON Web Token) securely transfers information between two parties. It has three parts that keep data safe and verifiable.

When you want to securely send user identity from a login server to a client.

When you need to verify that data has not been changed during transmission.

When you want to store user session info without server-side storage.

When building APIs that require stateless authentication.

When you want to pass claims (like user roles) safely between services.

Syntax

Spring Boot

JWT = header.payload.signature

header = {"alg": "HS256", "typ": "JWT"}
payload = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

The header and payload are JSON objects encoded in Base64Url.

The signature is created by hashing the header and payload with a secret key.

Examples

This header says the token uses HMAC SHA-256 algorithm and is a JWT.

Spring Boot

{"alg":"HS256","typ":"JWT"}

This payload contains user ID, name, and issued-at time.

Spring Boot

{"sub":"1234567890","name":"John Doe","iat":1516239022}

The signature ensures the token is not tampered with.

Spring Boot

signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Sample Program

This Spring Boot application exposes a REST endpoint GET /jwt/structure that generates a JWT token and returns its three parts as JSON. Add spring-boot-starter-web to your pom.xml, run with mvn spring-boot:run, and access http://localhost:8080/jwt/structure.

Spring Boot

package com.example.jwtstructure;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

@SpringBootApplication
@RestController
public class JwtStructure {

    public static void main(String[] args) {
        SpringApplication.run(JwtStructure.class, args);
    }

    @GetMapping("/jwt/structure")
    public Map<String, String> jwtStructure() throws Exception {
        String headerJson = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payloadJson = "{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"iat\":1516239022}";
        String secret = "secret";

        String headerEncoded = Base64.getUrlEncoder().withoutPadding().encodeToString(headerJson.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        String payloadEncoded = Base64.getUrlEncoder().withoutPadding().encodeToString(payloadJson.getBytes(java.nio.charset.StandardCharsets.UTF_8));

        String data = headerEncoded + "." + payloadEncoded;

        Mac hmac = Mac.getInstance("HmacSHA256");
        SecretKeySpec keySpec = new SecretKeySpec(secret.getBytes(java.nio.charset.StandardCharsets.UTF_8), "HmacSHA256");
        hmac.init(keySpec);
        byte[] signatureBytes = hmac.doFinal(data.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        String signatureEncoded = Base64.getUrlEncoder().withoutPadding().encodeToString(signatureBytes);

        String jwt = data + "." + signatureEncoded;

        Map<String, String> response = new LinkedHashMap<>();
        response.put("Header (Base64Url)", headerEncoded);
        response.put("Payload (Base64Url)", payloadEncoded);
        response.put("Signature (Base64Url)", signatureEncoded);
        response.put("Complete JWT Token", jwt);

        return response;
    }
}

OutputSuccess

Important Notes

The signature part protects the token from being changed by others.

Base64Url encoding is like Base64 but safe for URLs (no + or / characters).

Never share your secret key publicly; it keeps your tokens secure.

For Spring Boot, include <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency> in pom.xml.

Summary

A JWT has three parts: header, payload, and signature.

The header and payload are JSON data encoded in Base64Url.

The signature is a hash that proves the token is authentic and unchanged.