CareerRaah: The Ultimate Interview Preparation Platform

Q30: What is JWT (JSON Web Token)? Structural Mechanics Explained.

🎫Core Concept

What is JWT (JSON Web Token)? Structural Mechanics Explained.

Key Takeaways & Architecture Summary

✓Stateless token format consisting of three parts: Header, Payload, Signature.
✓Header: Specifies hashing algorithm; Payload: Contains claims (scopes, user IDs).
✓Signature: Cryptographically signs the token, preventing client mutations.

Direct Answer Summary

A JSON Web Token (JWT) is an open standard that defines a compact, self-contained, stateless format for transmitting securely signed claims between parties. A JWT consists of a Header (containing algorithm info), a Payload (containing dynamic claims like user ID, roles, and expiration), and a Signature verified using a shared secret or public/private key pair.

⚠️ Senior Engineering Warning (Red Flag)

Never store highly sensitive passwords or credit card data inside a JWT payload. The Header and Payload are Base64Url-encoded, not encrypted. Anyone can decode and inspect the payload.

💡 STAR Architectural Explanation & Pro Tip

Because JWTs are self-contained and signed, resource servers can authenticate requests statelessly by validating the signature locally without making costly database calls to verify session status.

RestAssuredTest.java

Rest-Assured + Java

// Postman Assertion: Decode and verify JWT expiration claim
const token = pm.response.json().access_token;
const payloadBase64 = token.split('.')[1]; // Extract Middle Payload segment
const payload = JSON.parse(atob(payloadBase64));

pm.test("Confirm JWT is not expired", function () {
    const currentUnixTime = Math.floor(Date.now() / 1000);
    pm.expect(payload.exp).to.be.greaterThan(currentUnixTime);
});