Bird
Raised Fist0
Spring Bootframework~20 mins

JWT structure (header, payload, signature) in Spring Boot - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
JWT Mastery Badge
Get all challenges correct to earn this badge!
Test your skills under time pressure!
component_behavior
intermediate
1:30remaining
What does the JWT header typically contain?
In a JWT token, the header part is a JSON object. What information does it usually hold?
AThe user's personal data like name and email
BThe signature to verify the token's authenticity
CThe expiration date and issued time of the token
DThe algorithm used for signing and the token type
Attempts:
2 left
💡 Hint
Think about what the system needs to know to verify the token's signature.
component_behavior
intermediate
1:30remaining
What is stored in the JWT payload?
The payload section of a JWT contains claims. What kind of information is typically stored here?
AThe algorithm used for signing the token
BThe secret key used to sign the token
CClaims about the user and token metadata like expiration
DThe encoded signature of the token
Attempts:
2 left
💡 Hint
Think about what data the server wants to share securely with the client.
📝 Syntax
advanced
1:30remaining
What is the correct order of JWT parts?
A JWT token is made of three parts separated by dots. What is the correct order of these parts?
ASignature, Header, Payload
BHeader, Payload, Signature
CPayload, Header, Signature
DPayload, Signature, Header
Attempts:
2 left
💡 Hint
Remember the token looks like three base64 strings separated by dots.
🔧 Debug
advanced
2:00remaining
Why does this JWT signature verification fail?
Given a JWT token, the signature verification fails in Spring Boot. Which of these is the most likely cause?
AThe secret key used to sign the token is different from the one used to verify it
BThe payload contains user data instead of metadata
CThe header is missing the 'typ' field
DThe token has three parts separated by dots
Attempts:
2 left
💡 Hint
Think about what must match exactly to verify a signature.
🧠 Conceptual
expert
2:00remaining
What is the role of the JWT signature?
Why is the signature part important in a JWT token?
AIt ensures the token has not been altered and confirms the sender's identity
BIt stores the user's password securely
CIt contains the expiration date of the token
DIt holds the user's profile information
Attempts:
2 left
💡 Hint
Think about how the server trusts the token's data.

Practice

(1/5)
1. Which part of a JWT contains information about the algorithm used for signing the token?
easy
A. Payload
B. Header
C. Signature
D. Issuer

Solution

  1. Step 1: Understand JWT parts

    A JWT has three parts: header, payload, and signature.

  2. Step 2: Identify algorithm info location

    The header contains metadata including the signing algorithm used.

  3. Final Answer:

    Header -> Option B

  4. Quick Check:

    Algorithm info = Header [OK]
Hint: Algorithm info is always in the JWT header [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature contains algorithm info
  • Assuming issuer is a JWT part
2. Which of the following correctly represents the order of parts in a JWT string?
easy
A. Header.Payload.Signature
B. Signature.Payload.Header
C. Payload.Header.Signature
D. Header.Signature.Payload

Solution

  1. Step 1: Recall JWT format

    A JWT is a string with three parts separated by dots.

  2. Step 2: Confirm correct order

    The order is header first, then payload, then signature.

  3. Final Answer:

    Header.Payload.Signature -> Option A

  4. Quick Check:

    JWT order = Header.Payload.Signature [OK]
Hint: JWT parts order: header, payload, then signature [OK]
Common Mistakes:
  • Mixing up header and payload order
  • Placing signature in the middle
  • Assuming signature comes first
3. Given this JWT string: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, what does the middle part represent?
medium
A. Algorithm type
B. Encoded header
C. Signature hash
D. Encoded payload

Solution

  1. Step 1: Identify JWT parts by position

    The JWT has three parts separated by dots: header.payload.signature.

  2. Step 2: Locate the middle part

    The middle part is the payload, which contains user data encoded in Base64Url.

  3. Final Answer:

    Encoded payload -> Option D

  4. Quick Check:

    Middle JWT part = Payload [OK]
Hint: Middle JWT part is always the payload [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature is in the middle
  • Assuming algorithm is separate part
4. You receive a JWT but the signature part is missing. What issue will this cause?
medium
A. The token will expire immediately
B. The payload will be unreadable
C. The token cannot be verified for authenticity
D. The header will be invalid JSON

Solution

  1. Step 1: Understand the role of signature

    The signature proves the token is authentic and unchanged.

  2. Step 2: Consequence of missing signature

    Without the signature, the token cannot be verified and may be tampered with.

  3. Final Answer:

    The token cannot be verified for authenticity -> Option C

  4. Quick Check:

    Missing signature = No verification [OK]
Hint: Signature missing means no token verification possible [OK]
Common Mistakes:
  • Thinking payload becomes unreadable
  • Assuming header JSON breaks
  • Believing token expires immediately
5. In a Spring Boot application, you want to verify a JWT token. Which sequence correctly describes the verification steps?
hard
A. Decode header and payload, then verify signature using secret key
B. Verify signature first, then decode payload and header
C. Decode signature, then verify payload and header
D. Decode payload only, signature is not needed for verification

Solution

  1. Step 1: Decode header and payload

    First, decode the header and payload from Base64Url to read their contents.

  2. Step 2: Verify signature using secret key

    Use the secret key and header info to verify the signature matches the token data.

  3. Final Answer:

    Decode header and payload, then verify signature using secret key -> Option A

  4. Quick Check:

    Decode then verify signature = Correct process [OK]
Hint: Always decode first, then verify signature with secret [OK]
Common Mistakes:
  • Trying to verify signature before decoding
  • Ignoring signature verification
  • Decoding signature as if it contains data