Spring Boot framework, ~10 mins

JWT structure (header, payload, signature) in Spring Boot - Step-by-Step Execution

Concept Flow - JWT structure (header, payload, signature)
Create Header JSON
Base64Url Encode Header
Create Payload JSON
Base64Url Encode Payload
Combine Encoded Header + '.' + Encoded Payload
Sign Combined String with Secret Key
Base64Url Encode Signature
Final JWT: Header.Payload.Signature
This flow shows how a JWT is built step-by-step: header and payload are created and encoded, then signed to produce the signature, and all parts are combined.
Execution Sample
Spring Boot
// base64UrlEncode, hmacSha256 and secret are assumed to be defined elsewhere (not shown on this page)
String header = base64UrlEncode("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");              // step 2: encoded header
String payload = base64UrlEncode("{\"sub\":\"1234567890\",\"name\":\"John Doe\"}");  // step 4: encoded payload
String signature = base64UrlEncode(hmacSha256(header + "." + payload, secret));     // steps 6-7: HMAC over header.payload, then encode
String jwt = header + "." + payload + "." + signature;                              // step 8: final token
This code creates a JWT by encoding header and payload, signing them, and joining all parts with dots.
Execution Table

Step | Action | Input | Output
---- | ------ | ----- | ------
1 | Create Header JSON | {"alg":"HS256","typ":"JWT"} | {"alg":"HS256","typ":"JWT"}
2 | Base64Url Encode Header | {"alg":"HS256","typ":"JWT"} | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
3 | Create Payload JSON | {"sub":"1234567890","name":"John Doe"} | {"sub":"1234567890","name":"John Doe"}
4 | Base64Url Encode Payload | {"sub":"1234567890","name":"John Doe"} | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
5 | Combine Header and Payload | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 + "." + eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
6 | Sign Combined String | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 + secret | hmacSha256 signature bytes
7 | Base64Url Encode Signature | hmacSha256 signature bytes | SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
8 | Combine All Parts | header.payload.signature | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
💡 All parts combined to form the final JWT string.
Variable Tracker

Variable | Start | After Step 2 | After Step 4 | After Step 7 | Final
-------- | ----- | ------------ | ------------ | ------------ | -----
header | {"alg":"HS256","typ":"JWT"} | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
payload | {"sub":"1234567890","name":"John Doe"} | {"sub":"1234567890","name":"John Doe"} | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 | eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
signature | null | null | null | SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c | SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
jwt | null | null | null | null | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Key Moments - 3 Insights
Why do we encode the header and payload before signing?
Encoding converts the JSON objects into a compact string format that is safe to place in URLs and HTTP headers, and it fixes the exact bytes the signature is computed over, as shown in steps 2 and 4 of the execution table.
What is the role of the signature in the JWT?
The signature proves the token was created by someone with the secret key and that header and payload were not changed, as seen in steps 6 and 7 where the combined string is signed and encoded.
Why are the three parts joined with dots?
The dots separate the encoded header, payload, and signature so a receiving system can split the token and verify each part, as demonstrated in step 8 of the execution table.
Visual Quiz - 3 Questions
Test your understanding

Q1. Look at the execution table at step 4. What is the output of base64Url encoding the payload?
A) SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
B) eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
C) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
D) eyJzdWIiOiIxMjM0NTY3ODkwIn0
💡 Hint: Check the 'Output' column for step 4 in the execution table.

Q2. At which step does the signature get created in the execution table?
A) Step 6
B) Step 2
C) Step 8
D) Step 4
💡 Hint: Look for the step labeled 'Sign Combined String' in the execution table.

Q3. If the secret key changes, which part of the variable tracker will change?
A) header
B) payload
C) signature
D) jwt
💡 Hint: Refer to the 'signature' variable in the variable tracker, which depends on the secret key.
Concept Snapshot
JWT has three parts separated by dots:
1. Header: JSON with algorithm and type, base64Url encoded
2. Payload: JSON with claims, base64Url encoded
3. Signature: HMAC SHA256 of header.payload with secret, base64Url encoded
Together they form: header.payload.signature
Full Transcript
A JWT (JSON Web Token) is made of three parts: header, payload, and signature. First, the header JSON is created with the algorithm and type, then base64Url encoded. Next, the payload JSON carrying the user data or claims is created and encoded the same way. These two encoded parts are joined with a dot. This combined string is then signed with a secret key using HMAC SHA256, and the signature bytes are base64Url encoded. Finally, the JWT string is formed by joining header, payload, and signature with dots. This structure lets a receiver that holds the secret use the signature to verify that the claims are unchanged and came from the issuer; note that the header and payload are only encoded, not encrypted, so anyone holding the token can read them.
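The execution sample and the transcript above leave base64UrlEncode and hmacSha256 undefined, and describe verification only in words. This added example (my code, not the page's or Spring's) implements both helpers with the JDK's javax.crypto and java.util.Base64, builds the token from the page's header and payload, and adds the verifier side with a constant-time comparison and an HS256 algorithm check. JwtHs256Demo, SECRET, createJwt and verifyJwt are my names; the secret is a constructed demo value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtHs256Demo {
    // Constructed demo key; a real HS256 secret should be at least 32 random bytes.
    static final byte[] SECRET = "demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8);

    // Steps 2, 4 and 7: base64url without '=' padding, as JWT requires.
    static String base64UrlEncode(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Step 6: HMAC-SHA256 over the ASCII bytes of "header.payload".
    static byte[] hmacSha256(String signingInput, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Steps 1-8: build header.payload.signature.
    static String createJwt(String headerJson, String payloadJson, byte[] secret) throws Exception {
        String header = base64UrlEncode(headerJson.getBytes(StandardCharsets.UTF_8));
        String payload = base64UrlEncode(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signature = base64UrlEncode(hmacSha256(header + "." + payload, secret));
        return header + "." + payload + "." + signature;
    }

    // Verifier side: recompute the HMAC over the received header.payload and compare in constant time.
    // Only tokens whose header declares HS256 are accepted (a real verifier parses the JSON, not a substring).
    static boolean verifyJwt(String jwt, byte[] secret) throws Exception {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return false;
        String headerJson = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        if (!headerJson.contains("\"alg\":\"HS256\"")) return false;
        byte[] expected = hmacSha256(parts[0] + "." + parts[1], secret);
        return MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        String jwt = createJwt("{\"alg\":\"HS256\",\"typ\":\"JWT\"}",
                               "{\"sub\":\"1234567890\",\"name\":\"John Doe\"}", SECRET);
        System.out.println(jwt + "\nvalid: " + verifyJwt(jwt, SECRET));
        // Swapping in a different payload while keeping the old signature must fail verification.
        String[] p = jwt.split("\\.");
        String forged = p[0] + "." + base64UrlEncode("{\"sub\":\"1\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("forged: " + verifyJwt(forged, SECRET));
    }
}
```

The first two dot-separated parts printed match steps 2 and 4 of the execution table exactly; the third differs from the table because it depends on the secret.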