
JWT structure (header, payload, signature) in Spring Boot

Introduction

A JWT (JSON Web Token) transfers claims between two parties in a form whose origin and integrity can be verified. It has three parts; the third, the signature, is what lets a receiver detect any change to the other two.

When you want to securely send user identity from a login server to a client.
When you need to verify that data has not been changed during transmission.
When you want to store user session info without server-side storage.
When building APIs that require stateless authentication.
When you want to pass claims (like user roles) safely between services.
Syntax
Spring Boot
JWT = header.payload.signature

header = {"alg": "HS256", "typ": "JWT"}
payload = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

The header and payload are JSON objects encoded in Base64Url.

The signature is computed as an HMAC (here HMAC-SHA256) over the Base64Url-encoded header and payload, joined by a dot, using a secret key that only the issuer and verifier know.

Examples
This header says the token is signed with the HMAC-SHA256 algorithm and is a JWT.
Spring Boot
{"alg":"HS256","typ":"JWT"}
This payload contains user ID, name, and issued-at time.
Spring Boot
{"sub":"1234567890","name":"John Doe","iat":1516239022}
The signature lets a verifier holding the secret detect any tampering with the header or payload.
Spring Boot
signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Sample Program

This Spring Boot application exposes a REST endpoint GET /jwt/structure that generates a JWT token and returns its three parts as JSON. Add spring-boot-starter-web to your pom.xml, run with mvn spring-boot:run, and access http://localhost:8080/jwt/structure.

Spring Boot
package com.example.jwtstructure;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

@SpringBootApplication
@RestController
public class JwtStructure {

    public static void main(String[] args) {
        SpringApplication.run(JwtStructure.class, args);
    }

    @GetMapping("/jwt/structure")
    public Map<String, String> jwtStructure() throws Exception {
        // Header and payload are plain JSON before encoding.
        String headerJson = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payloadJson = "{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"iat\":1516239022}";
        // Demo key only: a real HS256 key must be at least 256 bits of random data
        // and be loaded from configuration, never hard-coded.
        String secret = "secret";

        // Each part is Base64Url-encoded without padding (RFC 7515 compact serialization).
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String headerEncoded = enc.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8));
        String payloadEncoded = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));

        // The signing input is the two encoded parts joined by a dot.
        String data = headerEncoded + "." + payloadEncoded;

        // signature = HMAC-SHA256(signing input, secret), also Base64Url-encoded.
        Mac hmac = Mac.getInstance("HmacSHA256");
        SecretKeySpec keySpec = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        hmac.init(keySpec);
        byte[] signatureBytes = hmac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        String signatureEncoded = enc.encodeToString(signatureBytes);

        // Complete token: header.payload.signature
        String jwt = data + "." + signatureEncoded;

        Map<String, String> response = new LinkedHashMap<>();
        response.put("Header (Base64Url)", headerEncoded);
        response.put("Payload (Base64Url)", payloadEncoded);
        response.put("Signature (Base64Url)", signatureEncoded);
        response.put("Complete JWT Token", jwt);

        return response;
    }
}
Important Notes

The signature part protects the token from undetected modification: a verifier that recomputes the HMAC with the secret key will notice any change to the header or payload. It does not hide the contents, which anyone can decode.

Base64Url encoding is like Base64 but safe for URLs (no + or / characters).

Never share your secret key publicly; anyone who holds it can forge tokens that your application will accept.

For Spring Boot, include <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency> in pom.xml.
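The notes above describe the verifier's side of the process: recompute the signature with the secret and reject the token if it does not match. The following class is an added example, not code from the original page, that verifies a token produced by the sample program. It uses only the JDK (no Spring or JWT library), so it compiles with plain javac; the class name JwtVerifier, the regex-based header check and the constructed sample tokens in main are this example's own assumptions, and the key "secret" is the page's demo value.

```java
package com.example.jwtstructure;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: verifies an HS256 JWT and releases the payload only after
// the signature has been checked against the secret.
public class JwtVerifier {

    // Crude extraction of the "alg" value; a real service uses a JSON parser.
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    private final byte[] key;

    public JwtVerifier(String secret) {
        this.key = secret.getBytes(StandardCharsets.UTF_8);
    }

    /** Returns the decoded payload JSON, or empty if the token must be rejected. */
    public Optional<String> verify(String token) {
        // 1. Structure: exactly three non-empty dot-separated parts.
        //    A token with a missing signature is rejected here.
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || parts[0].isEmpty() || parts[1].isEmpty() || parts[2].isEmpty()) {
            return Optional.empty();
        }

        // 2. Decode the parts (Java's URL decoder accepts unpadded input).
        String headerJson;
        byte[] payloadBytes;
        byte[] providedSig;
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            headerJson = new String(dec.decode(parts[0]), StandardCharsets.UTF_8);
            payloadBytes = dec.decode(parts[1]);
            providedSig = dec.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid Base64Url
        }

        // 3. The verifier pins the algorithm it accepts; the token's header
        //    never gets to choose (so "none" or any other value is rejected).
        Matcher m = ALG.matcher(headerJson);
        if (!m.find() || !"HS256".equals(m.group(1))) {
            return Optional.empty();
        }

        // 4. Recompute HMAC-SHA256 over the exact encoded "header.payload"
        //    text and compare in constant time.
        byte[] expectedSig;
        try {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(key, "HmacSHA256"));
            expectedSig = hmac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
        if (!MessageDigest.isEqual(expectedSig, providedSig)) {
            return Optional.empty(); // payload changed or signed with another key
        }

        // 5. Only now is the payload trusted enough to act on.
        return Optional.of(new String(payloadBytes, StandardCharsets.UTF_8));
    }

    /** Helper for the demo below: signs header/payload JSON the same way the sample program does. */
    static String sign(String headerJson, String payloadJson, String secret) throws GeneralSecurityException {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String data = enc.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return data + "." + enc.encodeToString(hmac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        JwtVerifier verifier = new JwtVerifier("secret");
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"iat\":1516239022}";

        // Constructed sample tokens for the demo.
        String valid = sign(header, payload, "secret");
        String[] p = valid.split("\\.");
        String noSignature = p[0] + "." + p[1];                        // third part missing
        String wrongKey = sign(header, payload, "other-secret");         // signed elsewhere
        String editedPayload = p[0] + "." + Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];

        System.out.println("valid token     -> " + verifier.verify(valid).orElse("REJECTED"));
        System.out.println("no signature    -> " + verifier.verify(noSignature).orElse("REJECTED"));
        System.out.println("wrong key       -> " + verifier.verify(wrongKey).orElse("REJECTED"));
        System.out.println("edited payload  -> " + verifier.verify(editedPayload).orElse("REJECTED"));
    }
}
```

Only the first token yields the payload; the other three come back empty because the structure check, the HMAC comparison, or both fail. Note that the check reads the header before the signature is verified, but acts on nothing from it except the pinned algorithm name; claims in the payload are returned only after the HMAC matches.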

Summary

A JWT has three parts: header, payload, and signature.

The header and payload are JSON data encoded in Base64Url.

The signature is a keyed hash (an HMAC) that proves the token was issued by a holder of the secret and has not been changed since.

Practice

1. Which part of a JWT contains information about the algorithm used for signing the token?
easy
A. Payload
B. Header
C. Signature
D. Issuer

Solution

  1. Step 1: Understand JWT parts

    A JWT has three parts: header, payload, and signature.
  2. Step 2: Identify algorithm info location

    The header contains metadata including the signing algorithm used.
  3. Final Answer:

    Header -> Option B
  4. Quick Check:

    Algorithm info = Header [OK]
Hint: Algorithm info is always in the JWT header [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature contains algorithm info
  • Assuming issuer is a JWT part
2. Which of the following correctly represents the order of parts in a JWT string?
easy
A. Header.Payload.Signature
B. Signature.Payload.Header
C. Payload.Header.Signature
D. Header.Signature.Payload

Solution

  1. Step 1: Recall JWT format

    A JWT is a string with three parts separated by dots.
  2. Step 2: Confirm correct order

    The order is header first, then payload, then signature.
  3. Final Answer:

    Header.Payload.Signature -> Option A
  4. Quick Check:

    JWT order = Header.Payload.Signature [OK]
Hint: JWT parts order: header, payload, then signature [OK]
Common Mistakes:
  • Mixing up header and payload order
  • Placing signature in the middle
  • Assuming signature comes first
3. Given this JWT string: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, what does the middle part represent?
medium
A. Algorithm type
B. Encoded header
C. Signature hash
D. Encoded payload

Solution

  1. Step 1: Identify JWT parts by position

    The JWT has three parts separated by dots: header.payload.signature.
  2. Step 2: Locate the middle part

    The middle part is the payload, which contains user data encoded in Base64Url.
  3. Final Answer:

    Encoded payload -> Option D
  4. Quick Check:

    Middle JWT part = Payload [OK]
Hint: Middle JWT part is always the payload [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature is in the middle
  • Assuming algorithm is separate part
4. You receive a JWT but the signature part is missing. What issue will this cause?
medium
A. The token will expire immediately
B. The payload will be unreadable
C. The token cannot be verified for authenticity
D. The header will be invalid JSON

Solution

  1. Step 1: Understand the role of signature

    The signature proves the token is authentic and unchanged.
  2. Step 2: Consequence of missing signature

    Without the signature, the token cannot be verified and may be tampered with.
  3. Final Answer:

    The token cannot be verified for authenticity -> Option C
  4. Quick Check:

    Missing signature = No verification [OK]
Hint: Signature missing means no token verification possible [OK]
Common Mistakes:
  • Thinking payload becomes unreadable
  • Assuming header JSON breaks
  • Believing token expires immediately
5. In a Spring Boot application, you want to verify a JWT token. Which sequence correctly describes the verification steps?
hard
A. Decode header and payload, then verify signature using secret key
B. Verify signature first, then decode payload and header
C. Decode signature, then verify payload and header
D. Decode payload only, signature is not needed for verification

Solution

  1. Step 1: Decode header and payload

    First, decode the header and payload from Base64Url to read their contents.
  2. Step 2: Verify signature using secret key

    Use the secret key and header info to verify the signature matches the token data.
  3. Final Answer:

    Decode header and payload, then verify signature using secret key -> Option A
  4. Quick Check:

    Decode then verify signature = Correct process [OK]
Hint: Always decode first, then verify signature with secret [OK]
Common Mistakes:
  • Trying to verify signature before decoding
  • Ignoring signature verification
  • Decoding signature as if it contains data