JWT structure (header, payload, signature) in Spring Boot - Step-by-Step Execution

Concept Flow - JWT structure (header, payload, signature)
Create Header JSON
Base64Url Encode Header
Create Payload JSON
Base64Url Encode Payload
Combine Encoded Header + '.' + Encoded Payload
Sign Combined String with Secret Key
Base64Url Encode Signature
Final JWT: Header.Payload.Signature
This flow shows how a JWT is built step-by-step: header and payload are created and encoded, then signed to produce the signature, and all parts are combined.
Execution Sample
Spring Boot
// base64UrlEncode(..) and hmacSha256(..) are helper methods the sample assumes but does not show:
// base64UrlEncode returns unpadded Base64Url text (for a String or a byte[]), hmacSha256 returns the raw 32-byte MAC.
String secret = System.getenv("JWT_SECRET"); // shared HMAC key, loaded from configuration, never hard-coded
String header = base64UrlEncode("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
String payload = base64UrlEncode("{\"sub\":\"1234567890\",\"name\":\"John Doe\"}");
String signature = base64UrlEncode(hmacSha256(header + "." + payload, secret)); // the MAC covers the encoded parts, not the raw JSON
String jwt = header + "." + payload + "." + signature;
This code creates a JWT by Base64Url-encoding the header and payload, computing the HMAC-SHA256 signature over the dot-joined encoded parts with the secret, and joining all three parts with dots.
Execution Table
Step | Action | Input | Output
1 | Create Header JSON | {"alg":"HS256","typ":"JWT"} | {"alg":"HS256","typ":"JWT"}
2 | Base64Url Encode Header | {"alg":"HS256","typ":"JWT"} | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
3 | Create Payload JSON | {"sub":"1234567890","name":"John Doe"} | {"sub":"1234567890","name":"John Doe"}
4 | Base64Url Encode Payload | {"sub":"1234567890","name":"John Doe"} | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
5 | Combine Header and Payload | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 and eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
6 | Sign Combined String | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 + secret | HMAC-SHA256 signature bytes (32 bytes)
7 | Base64Url Encode Signature | HMAC-SHA256 signature bytes | SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
8 | Combine All Parts | header.payload.signature | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Note: the secret used in step 6 is not shown on this page, so the step 7 value cannot be reproduced from the table alone; changing the secret, or any single byte of the step 5 string, yields an entirely different 43-character signature.
💡 All parts combined to form the final JWT string.
Variable Tracker
Variable | Start | After Step 2 | After Step 4 | After Step 7 | Final
header | {"alg":"HS256","typ":"JWT"} | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
payload | {"sub":"1234567890","name":"John Doe"} | {"sub":"1234567890","name":"John Doe"} | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
signature | null | null | null | SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c | SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
jwt | null | null | null | null | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Key Moments - 3 Insights
Why do we encode the header and payload before signing?
Base64Url encoding turns the JSON into text that is safe in URLs, cookies and HTTP headers (no '+', '/' or '=' padding), and it fixes the exact byte string the signature is computed over, so signer and verifier agree on it, as shown in steps 2 and 4 of the execution_table.
What is the role of the signature in the JWT?
The signature proves the token was produced by a party holding the secret key and that the header and payload have not been altered since, as seen in steps 6 and 7 where the combined string is signed and encoded. It provides integrity and origin, not confidentiality: the header and payload are only encoded and can be read by anyone who has the token.
Why are the three parts joined with dots?
The dots separate the encoded header, payload, and signature clearly so systems can split and verify each part, demonstrated in step 8 of the execution_table.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at step 4. What is the output of base64Url encoding the payload?
A. SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
B. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
C. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
D. eyJzdWIiOiIxMjM0NTY3ODkwIn0
💡 Hint
Check the 'Output' column for step 4 in the execution_table.
At which step does the signature get created in the execution_table?
A. Step 6
B. Step 2
C. Step 8
D. Step 4
💡 Hint
Look for the step labeled 'Sign Combined String' in the execution_table.
If only the secret key changes, which variable in the variable_tracker is the first to take a different value?
A. header
B. payload
C. signature
D. jwt
💡 Hint
Refer to the 'signature' variable in variable_tracker, which is the only value computed from the secret key; the final jwt string then differs as well, but only because it contains the new signature.
Concept Snapshot
JWT has three parts separated by dots:
1. Header: JSON with algorithm and type, base64Url encoded
2. Payload: JSON with claims, base64Url encoded
3. Signature: for alg HS256, HMAC-SHA256 of the string header.payload computed with the shared secret, base64Url encoded (other algorithms such as RS256 sign with a private key instead)
Together they form: header.payload.signature
Full Transcript
A JWT (JSON Web Token) is made of three parts: header, payload, and signature. First, the header JSON is created with the algorithm and type, then encoded using Base64Url. Next, the payload JSON with the claims (user identity, expiry and other data) is created and encoded the same way. These two encoded parts are joined with a dot. Then this combined string is signed with the secret key using HMAC-SHA256. The signature bytes are Base64Url-encoded. Finally, the JWT string is formed by joining header, payload, and signature with dots. This structure lets a receiver that holds the secret verify who issued the claims and that they were not modified; it does not hide them, since Base64Url is an encoding, not encryption, so secrets must never be placed in the payload.

Practice

1. Which part of a JWT contains information about the algorithm used for signing the token?
easy
A. Payload
B. Header
C. Signature
D. Issuer

Solution

  1. Step 1: Understand JWT parts

    A JWT has three parts: header, payload, and signature.
  2. Step 2: Identify algorithm info location

    The header contains metadata including the signing algorithm used.
  3. Final Answer:

    Header -> Option B
  4. Quick Check:

    Algorithm info = Header [OK]
Hint: Algorithm info is always in the JWT header [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature contains algorithm info
  • Assuming issuer is a JWT part
2. Which of the following correctly represents the order of parts in a JWT string?
easy
A. Header.Payload.Signature
B. Signature.Payload.Header
C. Payload.Header.Signature
D. Header.Signature.Payload

Solution

  1. Step 1: Recall JWT format

    A JWT is a string with three parts separated by dots.
  2. Step 2: Confirm correct order

    The order is header first, then payload, then signature.
  3. Final Answer:

    Header.Payload.Signature -> Option A
  4. Quick Check:

    JWT order = Header.Payload.Signature [OK]
Hint: JWT parts order: header, payload, then signature [OK]
Common Mistakes:
  • Mixing up header and payload order
  • Placing signature in the middle
  • Assuming signature comes first
3. Given this JWT string: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, what does the middle part represent?
medium
A. Algorithm type
B. Encoded header
C. Signature hash
D. Encoded payload

Solution

  1. Step 1: Identify JWT parts by position

    The JWT has three parts separated by dots: header.payload.signature.
  2. Step 2: Locate the middle part

    The middle part is the payload, which carries the claims (here {"user":"john"}) Base64Url-encoded; anyone holding the token can decode it, since encoding is not encryption.
  3. Final Answer:

    Encoded payload -> Option D
  4. Quick Check:

    Middle JWT part = Payload [OK]
Hint: Middle JWT part is always the payload [OK]
Common Mistakes:
  • Confusing payload with header
  • Thinking signature is in the middle
  • Assuming algorithm is separate part
4. You receive a JWT but the signature part is missing. What issue will this cause?
medium
A. The token will expire immediately
B. The payload will be unreadable
C. The token cannot be verified for authenticity
D. The header will be invalid JSON

Solution

  1. Step 1: Understand the role of signature

    The signature proves the token is authentic and unchanged.
  2. Step 2: Consequence of missing signature

    Without the signature, the token cannot be verified, so any tampering with the header or payload would go undetected; a verifier must reject such a token rather than fall back to reading the payload unsigned.
  3. Final Answer:

    The token cannot be verified for authenticity -> Option C
  4. Quick Check:

    Missing signature = No verification [OK]
Hint: Signature missing means no token verification possible [OK]
Common Mistakes:
  • Thinking payload becomes unreadable
  • Assuming header JSON breaks
  • Believing token expires immediately
5. In a Spring Boot application, you want to verify a JWT token. Which sequence correctly describes the verification steps?
hard
A. Decode header and payload, then verify signature using secret key
B. Verify signature first, then decode payload and header
C. Decode signature, then verify payload and header
D. Decode payload only, signature is not needed for verification

Solution

  1. Step 1: Decode the header (and payload)

    Split the token on the dots and Base64Url-decode the header to see which algorithm it claims; treat everything read at this point as untrusted input, since nothing has been verified yet.
  2. Step 2: Verify the signature using the secret key

    Check that the claimed algorithm is the one the server expects (reject alg=none or any other algorithm), recompute HMAC-SHA256 over the encoded header.payload with the server's secret, and compare it to the third part in constant time. Only after this match may the payload claims (sub, exp, ...) be trusted.
  3. Final Answer:

    Decode header and payload, then verify signature using secret key -> Option A
  4. Quick Check:

    Decode then verify signature = Correct process [OK]
Hint: Decode to read the header, pin the expected algorithm, then verify the signature with the secret before trusting any claim [OK]
Common Mistakes:
  • Trying to verify signature before decoding
  • Ignoring signature verification
  • Decoding signature as if it contains data
  • Trusting the alg value in the header instead of pinning the algorithm the server expects
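The build steps of the Concept Flow and Execution Sample above, together with the verification sequence of question 5, as one runnable added example (this is not code from the original page; it uses only the JDK, with no Spring dependency). The class name JwtHs256Demo, the demo secret, the fixed clock value and the exp claim are assumptions made for the demo; a real Spring Boot filter would load the secret from configuration and parse the header with a JSON library instead of the substring check used here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtHs256Demo {

    private static final Base64.Encoder URL_ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder URL_DEC = Base64.getUrlDecoder();
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    // Steps 2, 4 and 7: Base64Url without '=' padding, as the JWS spec requires.
    static String b64url(byte[] bytes) {
        return URL_ENC.encodeToString(bytes);
    }

    // Step 6: HMAC-SHA256 over the ASCII signing input "encodedHeader.encodedPayload".
    static byte[] hmacSha256(String signingInput, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Steps 1 to 8 of the concept flow in one place.
    static String createJwt(String headerJson, String payloadJson, byte[] secret) throws Exception {
        String header = b64url(headerJson.getBytes(StandardCharsets.UTF_8));
        String payload = b64url(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;                 // step 5
        String signature = b64url(hmacSha256(signingInput, secret));  // steps 6 and 7
        return signingInput + "." + signature;                        // step 8
    }

    // Verification as a Spring Boot filter should do it: split, read the header only to reject
    // anything that is not the algorithm this service pins, recompute the HMAC with the server's
    // secret, compare in constant time, and only then read claims such as exp from the payload.
    static String verifyJwt(String jwt, byte[] secret, long nowEpochSeconds) throws Exception {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3 || parts[2].isEmpty()) {
            throw new SecurityException("token must have three non-empty parts");
        }
        String headerJson = new String(URL_DEC.decode(parts[0]), StandardCharsets.UTF_8);
        // The header is untrusted input. The algorithm is chosen by this code, never by the token;
        // this check only rejects mismatches early (alg=none, or RS256 tokens replayed as HS256).
        // A production filter parses the JSON with a real parser instead of this substring test.
        if (!headerJson.contains("\"alg\":\"HS256\"")) {
            throw new SecurityException("unexpected alg in header: " + headerJson);
        }
        byte[] expected = hmacSha256(parts[0] + "." + parts[1], secret);
        byte[] presented = URL_DEC.decode(parts[2]);
        // MessageDigest.isEqual is constant time; String.equals would leak via timing.
        if (!MessageDigest.isEqual(expected, presented)) {
            throw new SecurityException("signature does not match header.payload");
        }
        String payloadJson = new String(URL_DEC.decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP_CLAIM.matcher(payloadJson);
        if (m.find() && Long.parseLong(m.group(1)) <= nowEpochSeconds) {
            throw new SecurityException("token expired");
        }
        return payloadJson;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values: the secret and the clock are not from the page.
        byte[] secret = "demo-secret-use-at-least-32-random-bytes-in-production".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L;
        String headerJson = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payloadJson = "{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"exp\":" + (now + 3600) + "}";

        String jwt = createJwt(headerJson, payloadJson, secret);
        System.out.println("jwt: " + jwt);
        System.out.println("verified payload: " + verifyJwt(jwt, secret, now));

        // Anyone can read the payload without the secret: encoding is not encryption.
        String[] parts = jwt.split("\\.");
        System.out.println("decoded without key: " + new String(URL_DEC.decode(parts[1]), StandardCharsets.UTF_8));

        // Tampering with the payload while keeping the old signature must fail.
        String forgedPayload = b64url("{\"sub\":\"admin\",\"name\":\"Mallory\"}".getBytes(StandardCharsets.UTF_8));
        expectRejection(parts[0] + "." + forgedPayload + "." + parts[2], secret, now, "tampered payload");

        // A token that claims alg=none with an empty signature must fail too.
        String noneHeader = b64url("{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        expectRejection(noneHeader + "." + parts[1] + ".", secret, now, "alg=none");
    }

    static void expectRejection(String jwt, byte[] secret, long now, String label) throws Exception {
        try {
            verifyJwt(jwt, secret, now);
            throw new AssertionError(label + " was accepted");
        } catch (SecurityException e) {
            System.out.println(label + " rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JwtHs256Demo.java && java JwtHs256Demo`. The design point to take away is that verifyJwt never lets the token pick the algorithm: it always computes HS256 with the server's secret and uses the header only to reject mismatches, which is what closes the alg=none and algorithm-switching cases that question 5 is about.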