JWT structure (header, payload, signature) in Spring Boot - Cheat Sheet & Quick Revision

Recall & Review
beginner
What are the three main parts of a JWT?
A JWT has three parts: Header, Payload, and Signature. Each part is Base64url-encoded and the three are joined with dots (.) into header.payload.signature.
beginner
What information does the JWT header contain?
The header is a small JSON object that usually contains the token type (typ, set to JWT) and the signing algorithm (alg), such as HS256 (HMAC-SHA256 with a shared secret) or RS256 (RSA signature with a private key). A verifier should compare alg with the algorithm it is configured to accept, not use it to pick the verification method.
beginner
What is stored in the JWT payload?
The payload is a JSON object of claims: statements about an entity (usually the user) plus additional data such as issuer (iss), subject (sub), audience (aud) and expiration (exp). Claims can be registered (defined in RFC 7519), public, or private. The payload is only Base64url-encoded, not encrypted, so anyone holding the token can read it; secrets do not belong in it.
beginner
What is the purpose of the JWT signature?
The signature lets the receiver check that the token was produced by the holder of the key and has not been changed since it was issued. It is computed over the Base64url-encoded header and payload (header.payload) with a shared secret (HMAC, e.g. HS256) or a private key (e.g. RS256); the receiver recomputes it with the secret or checks it with the matching public key.
beginner
How are the parts of a JWT separated in the token string?
The three parts of a JWT (header, payload, signature) are separated by dots (.): header.payload.signature. Base64url uses - and _ instead of + and / and omits = padding, so the token contains no characters that need escaping in URLs or HTTP headers.
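The three segments taken apart, as an added example that is not from this page and not Spring Boot code: a small Python script that splits the token used in practice question 3 below (its header decodes to {"alg":"HS256"} and its payload to {"user":"john"}) and Base64url-decodes each part. Nothing here checks the signature; the point is what any holder of the token can read without a key. The helper names (b64url_decode, split_jwt, decode_jwt, is_well_formed) are my own.

```python
import base64
import json

# The token used in practice question 3 on this page. Its third segment is
# taken as given there: reading it needs no key, checking it would.
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiJ9"
    ".eyJ1c2VyIjoiam9obiJ9"
    ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment):
    """Base64url (RFC 4648 section 5) as JWT uses it: '-' and '_' instead of
    '+' and '/', and no '=' padding, so the padding is restored before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token):
    """Split the compact serialization on '.' and insist on exactly three
    segments. Two segments (no signature) or four are malformed, not repairable."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segment(s)" % len(parts))
    return parts


def is_well_formed(token):
    try:
        split_jwt(token)
        return True
    except ValueError:
        return False


def decode_jwt(token):
    """Decode header and payload WITHOUT verifying anything.

    This is what every bearer of the token, and every proxy it passes through,
    can read: the payload is encoded, not encrypted. The signature comes back
    as raw bytes; for HS256 it is the 32-byte HMAC-SHA256 tag.
    """
    header_b64, payload_b64, signature_b64 = split_jwt(token)
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
    }


if __name__ == "__main__":
    parts = decode_jwt(EXAMPLE_JWT)
    print("header   :", parts["header"])    # {'alg': 'HS256'}
    print("payload  :", parts["payload"])   # {'user': 'john'}
    print("signature:", len(parts["signature"]), "bytes (readable, not checkable without the key)")
```

Run it with no arguments to see the decoded parts. Note that decode_jwt happily returns the claims of a token whose signature is garbage; it exists to show the structure, and a verifier must never hand its output to application code before the signature has been checked.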
Which part of a JWT contains the signing algorithm?
A. Header
B. Payload
C. Signature
D. Claims
What does the payload of a JWT usually contain?
A. Signature data
B. Claims about the user or entity
C. Encryption keys
D. Token expiration time only
What is the main purpose of the JWT signature?
A. To verify token integrity
B. To encrypt the payload
C. To store user roles
D. To define token expiration
How are the parts of a JWT separated?
A. By commas
B. By spaces
C. By semicolons
D. By dots (.)
Which of these is NOT a part of a JWT?
A. Header
B. Signature
C. Certificate
D. Payload
Explain the structure of a JWT and the role of each part.
Think of a JWT as a sealed envelope: a label (header) that says how it was sealed, a letter inside (payload) that anyone who holds the envelope can read, and a seal (signature) that shows it was closed by the key holder and has not been opened and resealed since.
Why is the signature important in a JWT?
The signature is like a wax seal that proves the letter came from the key holder and has not been altered; until the seal has been checked, the claims in the payload are just unverified text.

      Practice

      1. Which part of a JWT contains information about the algorithm used for signing the token?
      easy
      A. Payload
      B. Header
      C. Signature
      D. Issuer

      Solution

      1. Step 1: Understand JWT parts

        A JWT has three parts: header, payload, and signature.
      2. Step 2: Identify algorithm info location

        The header contains metadata including the signing algorithm used.
      3. Final Answer:

        Header -> Option B
      4. Quick Check:

        Algorithm info = Header [OK]
      Hint: Algorithm info is always in the JWT header [OK]
      Common Mistakes:
      • Confusing payload with header
      • Thinking signature contains algorithm info
      • Assuming issuer is a JWT part (it is a claim, iss, inside the payload)
      2. Which of the following correctly represents the order of parts in a JWT string?
      easy
      A. Header.Payload.Signature
      B. Signature.Payload.Header
      C. Payload.Header.Signature
      D. Header.Signature.Payload

      Solution

      1. Step 1: Recall JWT format

        A JWT is a string with three parts separated by dots.
      2. Step 2: Confirm correct order

        The order is header first, then payload, then signature.
      3. Final Answer:

        Header.Payload.Signature -> Option A
      4. Quick Check:

        JWT order = Header.Payload.Signature [OK]
      Hint: JWT parts order: header, payload, then signature [OK]
      Common Mistakes:
      • Mixing up header and payload order
      • Placing signature in the middle
      • Assuming signature comes first
      3. Given this JWT string: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, what does the middle part represent?
      medium
      A. Algorithm type
      B. Encoded header
      C. Signature hash
      D. Encoded payload

      Solution

      1. Step 1: Identify JWT parts by position

        The JWT has three parts separated by dots: header.payload.signature.
      2. Step 2: Locate the middle part

        The middle part is the payload: the claims as JSON, Base64Url-encoded (here it decodes to {"user":"john"}). Base64Url is a reversible encoding, not encryption, so the payload is readable by anyone without a key.
      3. Final Answer:

        Encoded payload -> Option D
      4. Quick Check:

        Middle JWT part = Payload [OK]
      Hint: Middle JWT part is always the payload [OK]
      Common Mistakes:
      • Confusing payload with header
      • Thinking signature is in the middle
      • Assuming algorithm is separate part
      4. You receive a JWT but the signature part is missing. What issue will this cause?
      medium
      A. The token will expire immediately
      B. The payload will be unreadable
      C. The token cannot be verified for authenticity
      D. The header will be invalid JSON

      Solution

      1. Step 1: Understand the role of signature

        The signature binds the header and payload to the issuer's key; it is the only evidence that the token is genuine and unmodified.
      2. Step 2: Consequence of missing signature

        With no signature there is nothing to check against the key, so a forged or edited token is indistinguishable from a real one. A correctly configured verifier treats a missing or empty third segment as malformed and rejects the token; it must not fall back to reading the claims unverified.
      3. Final Answer:

        The token cannot be verified for authenticity -> Option C
      4. Quick Check:

        Missing signature = No verification [OK]
      Hint: Signature missing means no token verification possible [OK]
      Common Mistakes:
      • Thinking payload becomes unreadable
      • Assuming header JSON breaks
      • Believing token expires immediately
      5. In a Spring Boot application, you want to verify a JWT token. Which sequence correctly describes the verification steps?
      hard
      A. Decode header and payload, then verify signature using secret key
      B. Verify signature first, then decode payload and header
      C. Decode signature, then verify payload and header
      D. Decode payload only, signature is not needed for verification

      Solution

      1. Step 1: Parse the token and read the header

        Split on the dots, reject anything that is not exactly three segments, and Base64Url-decode the header to read alg. Compare alg with the algorithm the application is configured to accept; the header is a claim to check, not an instruction to follow.
      2. Step 2: Verify the signature using the secret key

        Recompute the HMAC (or check the asymmetric signature) over the raw encoded header.payload with the server-side secret or public key and compare the result in constant time. Only once it matches, decode the payload and validate its claims (exp, iss, aud). Spring Security's JwtDecoder performs the signature check and the timestamp validation before the Jwt reaches application code.
      3. Final Answer:

        Decode header and payload, then verify signature using secret key -> Option A (decoding the payload is harmless; trusting the decoded claims before verification is not)
      4. Quick Check:

        Parse, check alg, verify signature, then trust claims [OK]
      Hint: The decoded payload is untrusted input until the signature has been verified with the server-side key [OK]
      Common Mistakes:
      • Acting on payload claims before the signature has been verified
      • Letting the token's alg header select the verification algorithm instead of enforcing the expected one
      • Decoding the signature as if it contained data
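The verification order from the solution above, as an added example that is not from this page and not Spring Security's code: a Python issuer/verifier pair for HS256 with a constructed secret. verify() enforces the expected algorithm rather than trusting the token's alg, checks the HMAC over the raw encoded segments in constant time, and only then decodes the payload and checks exp. The secret, the claims and the helper names (mint, verify, is_valid) are mine; a real Spring Boot service would get the same behaviour from a JwtDecoder configured with the server-side key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only. A production HS256 key must be at
# least 256 bits of random material loaded from configuration or a secrets manager.
SECRET = b"example-secret-for-illustration-only-32b"
EXPECTED_ALG = "HS256"   # fixed on the server side; the token does not get to choose


class InvalidToken(Exception):
    """Raised for anything a verifier must refuse: malformed, wrong alg, bad MAC, expired."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint(claims, key):
    """Issue an HS256 token: signature = HMAC-SHA256(key, header_b64 + '.' + payload_b64)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + b64url_encode(tag)


def verify(token, key, now=None):
    """Verify in this order: structure, header alg, signature over the RAW encoded
    segments, and only then decode and validate the payload. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise InvalidToken("expected header.payload.signature with a non-empty signature")
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(b64url_decode(header_b64))
        tag = b64url_decode(sig_b64)
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    except ValueError as exc:   # binascii.Error, JSON and Unicode errors are all ValueErrors
        raise InvalidToken("header or signature is not valid base64url/JSON") from exc

    # Compare alg with what this server accepts. This single check is what
    # defeats 'alg': 'none' tokens and algorithm-confusion attempts.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != EXPECTED_ALG:
        raise InvalidToken("unexpected alg: %r" % (alg,))

    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise InvalidToken("signature mismatch")

    # The MAC matched, so the payload is now trustworthy: decode it and check claims.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("payload is not valid base64url/JSON") from exc
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


def is_valid(token, key, now=None):
    try:
        verify(token, key, now)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    token = mint({"sub": "john", "exp": int(time.time()) + 300}, SECRET)
    print(token)
    print(verify(token, SECRET))
    header_b64, payload_b64, _ = token.split(".")
    print(is_valid(header_b64 + "." + payload_b64, SECRET))   # signature missing: False
```

Running the script mints a short-lived token, verifies it, and then shows the same token with its third segment removed being rejected. The order inside verify() is the point of question 5: the header is decoded only to compare alg with the configured value, the signature is checked before the payload is looked at, and the claims are validated last.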