Bird
Raised Fist0
Spring Bootframework~10 mins

JWT structure (header, payload, signature) in Spring Boot - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to create the JWT header with the correct algorithm.

Spring Boot
Map<String, Object> header = new HashMap<>();
header.put("alg", "[1]");
Drag options to blanks, or click blank then click option'
ASHA256
BRSA
CHS256
DMD5
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'SHA256' directly instead of 'HS256'.
Using 'MD5' which is insecure and not standard for JWT.
2fill in blank
medium

Complete the code to add the subject claim to the JWT payload.

Spring Boot
Map<String, Object> payload = new HashMap<>();
payload.put("sub", "[1]");
Drag options to blanks, or click blank then click option'
Ausername
Bsubject
CuserId
Dtoken
Attempts:
3 left
💡 Hint
Common Mistakes
Putting the literal word 'subject' instead of the username.
Using 'token' which is unrelated to the 'sub' claim.
3fill in blank
hard

Fix the error in signing the JWT token with the secret key.

Spring Boot
String token = Jwts.builder()
  .setHeader(header)
  .setClaims(payload)
  .signWith(Keys.hmacShaKeyFor("[1]".getBytes()))
  .compact();
Drag options to blanks, or click blank then click option'
Amysecret
Bkey
Csecret
Dmysecretkeymysecretkeymysecretkeymysecretkey
Attempts:
3 left
💡 Hint
Common Mistakes
Using too short secret keys causing runtime errors.
Using generic words like 'key' or 'secret' without enough length.
4fill in blank
hard

Fill both blanks to decode the JWT token and extract the payload claims.

Spring Boot
Claims claims = Jwts.parserBuilder()
  .setSigningKey(Keys.hmacShaKeyFor("[1]".getBytes()))
  .build()
  .[2](token)
  .getBody();
Drag options to blanks, or click blank then click option'
Amysecretkeymysecretkeymysecretkeymysecretkey
BparseClaimsJws
CparsePlaintextJwt
Dmysecret
Attempts:
3 left
💡 Hint
Common Mistakes
Using a short secret key that doesn't match the signing key.
Using parsePlaintextJwt which is for unsigned tokens.
5fill in blank
hard

Fill all three blanks to build a JWT token with header, payload, and signature.

Spring Boot
String jwt = Jwts.builder()
  .setHeaderParam("typ", "[1]")
  .setSubject("[2]")
  .signWith(Keys.hmacShaKeyFor("[3]".getBytes()))
  .compact();
Drag options to blanks, or click blank then click option'
AJWT
Buser123
Cmysecretkeymysecretkeymysecretkeymysecretkey
Dtoken
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'token' instead of 'JWT' for header type.
Using short or invalid secret keys.
Putting literal words instead of actual username.

Practice

(1/5)
1. Which part of a JWT contains information about the algorithm used for signing the token?
easy
A. Payload
B. Header
C. Signature
D. Issuer

Solution

  1. Step 1: Understand JWT parts

    A JWT has three parts: header, payload, and signature.

  2. Step 2: Identify algorithm info location

    The header contains metadata including the signing algorithm used.

  3. Final Answer:

    Header -> Option B

  4. Quick Check:

    Algorithm info = Header [OK]
Hint: Algorithm info is always in the JWT header [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature contains algorithm info
  • Assuming issuer is a JWT part
2. Which of the following correctly represents the order of parts in a JWT string?
easy
A. Header.Payload.Signature
B. Signature.Payload.Header
C. Payload.Header.Signature
D. Header.Signature.Payload

Solution

  1. Step 1: Recall JWT format

    A JWT is a string with three parts separated by dots.

  2. Step 2: Confirm correct order

    The order is header first, then payload, then signature.

  3. Final Answer:

    Header.Payload.Signature -> Option A

  4. Quick Check:

    JWT order = Header.Payload.Signature [OK]
Hint: JWT parts order: header, payload, then signature [OK]
Common Mistakes:
  • Mixing up header and payload order
  • Placing signature in the middle
  • Assuming signature comes first
3. Given this JWT string: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, what does the middle part represent?
medium
A. Algorithm type
B. Encoded header
C. Signature hash
D. Encoded payload

Solution

  1. Step 1: Identify JWT parts by position

    The JWT has three parts separated by dots: header.payload.signature.

  2. Step 2: Locate the middle part

    The middle part is the payload, which contains user data encoded in Base64Url.

  3. Final Answer:

    Encoded payload -> Option D

  4. Quick Check:

    Middle JWT part = Payload [OK]
Hint: Middle JWT part is always the payload [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature is in the middle
  • Assuming algorithm is separate part
4. You receive a JWT but the signature part is missing. What issue will this cause?
medium
A. The token will expire immediately
B. The payload will be unreadable
C. The token cannot be verified for authenticity
D. The header will be invalid JSON

Solution

  1. Step 1: Understand the role of signature

    The signature proves the token is authentic and unchanged.

  2. Step 2: Consequence of missing signature

    Without the signature, the token cannot be verified and may be tampered with.

  3. Final Answer:

    The token cannot be verified for authenticity -> Option C

  4. Quick Check:

    Missing signature = No verification [OK]
Hint: Signature missing means no token verification possible [OK]
Common Mistakes:
  • Thinking payload becomes unreadable
  • Assuming header JSON breaks
  • Believing token expires immediately
5. In a Spring Boot application, you want to verify a JWT token. Which sequence correctly describes the verification steps?
hard
A. Decode header and payload, then verify signature using secret key
B. Verify signature first, then decode payload and header
C. Decode signature, then verify payload and header
D. Decode payload only, signature is not needed for verification

Solution

  1. Step 1: Decode header and payload

    First, decode the header and payload from Base64Url to read their contents.

  2. Step 2: Verify signature using secret key

    Use the secret key and header info to verify the signature matches the token data.

  3. Final Answer:

    Decode header and payload, then verify signature using secret key -> Option A

  4. Quick Check:

    Decode then verify signature = Correct process [OK]
Hint: Always decode first, then verify signature with secret [OK]
Common Mistakes:
  • Trying to verify signature before decoding
  • Ignoring signature verification
  • Decoding signature as if it contains data