Bird
Raised Fist0
Spring Bootframework~5 mins

Why JWT matters for APIs in Spring Boot

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

JWT helps keep API communication safe and lets servers know who is talking without asking for passwords every time.

When you want users to log in once and access many parts of your app without logging in again.
When your API needs to check if a request is from a trusted user quickly.
When you want to share user info securely between different parts of your system.
When you want to avoid storing session info on the server to keep things simple.
When building mobile or single-page apps that talk to your backend API.
Syntax
Spring Boot
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VySWQiLCJleHAiOjE2MzAwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

A JWT has three parts separated by dots: header, payload, and signature.

The payload holds user info and expiration time.

Examples
This is how you send a JWT in an API request header.
Spring Boot
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
This is how you create a JWT token using JJWT (common in Spring Boot).
Spring Boot
String token = Jwts.builder()
  .setSubject("userId")
  .setExpiration(new Date(System.currentTimeMillis() + 86400000))
  .signWith(SignatureAlgorithm.HS256, secretKey.getBytes())
  .compact();
Sample Program

This simple Java example using JJWT (common in Spring Boot) creates a JWT token for user "user123" that expires in 1 hour and prints it.

Spring Boot
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;

public class JwtExample {
    private static final String secretKey = "mySecretKey";

    public static String createToken(String userId) {
        return Jwts.builder()
            .setSubject(userId)
            .setExpiration(new Date(System.currentTimeMillis() + 3600000)) // 1 hour
            .signWith(SignatureAlgorithm.HS256, secretKey.getBytes())
            .compact();
    }

    public static void main(String[] args) {
        String token = createToken("user123");
        System.out.println("Generated JWT Token:");
        System.out.println(token);
    }
}
OutputSuccess
Important Notes

Keep your secret key safe; if someone else gets it, they can create fake tokens.

Tokens expire to keep your app secure and force users to re-authenticate.

JWTs let your API trust requests without storing session info on the server.

Summary

JWTs help APIs know who is making requests safely and quickly.

They let users log in once and keep using the app without repeated logins.

JWTs keep your API stateless and secure by carrying user info inside the token.

Practice

(1/5)
1. Why is JWT important for APIs in Spring Boot?
easy
A. It replaces the need for HTTPS in API communication.
B. It stores user passwords in the token for quick access.
C. It securely identifies users without storing session data on the server.
D. It automatically encrypts all API responses.

Solution

  1. Step 1: Understand JWT's role in user identification

    JWT carries user identity information inside the token, so the server does not need to keep session data.

  2. Step 2: Recognize security benefits

    This stateless approach improves security and scalability by avoiding server-side session storage.

  3. Final Answer:

    It securely identifies users without storing session data on the server. -> Option C

  4. Quick Check:

    JWT = stateless secure user ID [OK]
Hint: JWT carries user info, no server session needed [OK]
Common Mistakes:
  • Thinking JWT stores passwords inside the token
  • Believing JWT replaces HTTPS
  • Assuming JWT encrypts API responses automatically
2. Which of the following is the correct way to include a JWT in an HTTP request header?
easy
A. Auth-Token: <token>
B. Authorization: Bearer <token>
C. Token: JWT <token>
D. JWT-Authorization: Bearer <token>

Solution

  1. Step 1: Recall standard JWT header format

    The standard way to send JWTs is in the Authorization header with the Bearer scheme.

  2. Step 2: Match the correct syntax

    "Authorization: Bearer <token>" is the correct and widely accepted format.

  3. Final Answer:

    Authorization: Bearer <token> -> Option B

  4. Quick Check:

    JWT header = Authorization: Bearer [OK]
Hint: JWT goes in Authorization header with Bearer prefix [OK]
Common Mistakes:
  • Using non-standard header names like Token or Auth-Token
  • Omitting the Bearer prefix
  • Adding extra words like JWT-Authorization
3. Given this Spring Boot controller method snippet, what will happen if the JWT is missing or invalid?
@GetMapping("/profile")
public ResponseEntity<String> getProfile(@RequestHeader("Authorization") String authHeader) {
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
        return ResponseEntity.status(401).body("Unauthorized");
    }
    String token = authHeader.substring(7);
    // Assume validateToken returns false if token invalid
    if (!jwtService.validateToken(token)) {
        return ResponseEntity.status(401).body("Unauthorized");
    }
    return ResponseEntity.ok("User profile data");
}
medium
A. Returns 500 Internal Server Error on invalid JWT.
B. Returns 200 OK with user profile regardless of JWT.
C. Throws a NullPointerException if JWT is missing.
D. Returns 401 Unauthorized if JWT is missing or invalid.

Solution

  1. Step 1: Check handling of missing or malformed Authorization header

    The code returns 401 Unauthorized if the header is missing or does not start with "Bearer ".

  2. Step 2: Check token validation logic

    If the token is invalid, the method also returns 401 Unauthorized.

  3. Final Answer:

    Returns 401 Unauthorized if JWT is missing or invalid. -> Option D

  4. Quick Check:

    Missing/invalid JWT = 401 Unauthorized [OK]
Hint: Missing or bad JWT triggers 401 Unauthorized [OK]
Common Mistakes:
  • Assuming it returns 200 OK without JWT
  • Expecting exceptions instead of 401 response
  • Thinking it returns 500 error on invalid token
4. Identify the bug in this Spring Boot JWT filter snippet:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    String authHeader = req.getHeader("Authorization");
    if (authHeader != null && authHeader.startsWith("Bearer ")) {
        String token = authHeader.substring(7);
        if (jwtService.validateToken(token)) {
            SecurityContextHolder.getContext().setAuthentication(null);
        }
    }
    chain.doFilter(request, response);
}
medium
A. It sets authentication to null instead of a valid Authentication object.
B. It does not check if authHeader is null before substring.
C. It calls chain.doFilter before validating the token.
D. It uses the wrong header name for JWT.

Solution

  1. Step 1: Analyze authentication setting logic

    The code sets authentication to null even when the token is valid, which means no user is authenticated.

  2. Step 2: Understand correct behavior

    It should set a valid Authentication object to represent the logged-in user, not null.

  3. Final Answer:

    It sets authentication to null instead of a valid Authentication object. -> Option A

  4. Quick Check:

    Valid token must set Authentication, not null [OK]
Hint: Valid token must set Authentication object, not null [OK]
Common Mistakes:
  • Ignoring that authentication is set to null
  • Thinking substring without null check causes error here
  • Assuming chain.doFilter order is wrong
  • Believing header name is incorrect
5. You want your Spring Boot API to allow users to stay logged in without server sessions, using JWT. Which approach best achieves this while keeping the API stateless and secure?
hard
A. Generate a JWT after login containing user info, send it to client, and require it in Authorization header for each request.
B. Store user sessions in a database and send session IDs in cookies to clients.
C. Send user credentials with every API request and validate each time on the server.
D. Use JWT only for login, then switch to server sessions for other requests.

Solution

  1. Step 1: Understand stateless authentication with JWT

    JWT tokens carry user info and are sent by clients with each request, so the server does not store session data.

  2. Step 2: Compare with other methods

    Storing sessions or sending credentials every time breaks statelessness or security best practices.

  3. Final Answer:

    Generate a JWT after login containing user info, send it to client, and require it in Authorization header for each request. -> Option A

  4. Quick Check:

    JWT = stateless secure token per request [OK]
Hint: JWT tokens keep API stateless and secure per request [OK]
Common Mistakes:
  • Using server sessions instead of JWT for statelessness
  • Sending credentials on every request
  • Switching between JWT and sessions inconsistently