How Do You Generate And Validate A JWT
How Do You Generate and Validate a JWT?
Modern APIs no longer rely solely on traditional username and password authentication. Instead, most REST APIs use JWT (JSON Web Token) to provide secure, stateless authentication and authorization. Whether you're testing microservices, cloud-native applications, or enterprise-grade APIs, knowing how to generate, validate, and use JWTs in RestAssured is a fundamental skill for every API automation tester. It enables you to authenticate requests, verify secure endpoints, and build reliable automated API test suites with confidence.
In this blog, you'll learn how JWTs are generated, how they are validated, and the best practices for implementing JWT-based authentication securely.
JWT Structure
A JWT consists of three parts separated by dots (.):
Header.Payload.SignatureExample JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6IkFkbWluIiwiZXhwIjoxNzYwMDAwMDAwfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c1. Header
The header contains metadata about the token, including the signing algorithm and token type.
{
"alg": "HS256",
"typ": "JWT"
}- alg – Signing algorithm (e.g., HS256, RS256)
- typ – Token type (JWT)
2. Payload
The payload contains claims, which are pieces of information about the user or token.
{
"sub": "1234567890",
"name": "John Doe",
"email": "john@example.com",
"role": "Admin",
"iat": 1751712000,
"exp": 1751715600
}Common claims include:
sub– Subject (User ID)name– User nameemail– User emailrole– User roleiat– Issued at timeexp– Expiration time
3. Signature
The signature verifies that the token has not been altered.
For the HS256 algorithm, the signature is generated using:
HMACSHA256(
Base64UrlEncode(Header) + "." +
Base64UrlEncode(Payload),
SecretKey
)The server uses the same secret key (or a public key for asymmetric algorithms like RS256) to validate the signature.
How to Generate a JWT
How to Generate a JWT
The general process is:
Step 1: Authenticate the User
Verify the user's credentials from the database.
Step 2: Create the Payload
Include essential claims such as:
- User ID
- Role
- Issued At (iat)
- Expiration Time (exp)
Step 3: Sign the Token
Use a secure secret key (or RSA private key) with algorithms like:
- HS256
- HS384
- HS512
- RS256
Step 4: Return the Token
Send the generated JWT to the client after successful login.
Example response:
{
"access_token":"eyJhbGc...",
"expires_in":3600
}
How to Validate a JWT
How to Validate a JWT
Whenever a client sends a request, the server validates the JWT.
Validation includes:
1. Verify Signature
Ensure the token hasn't been modified.
2. Check Expiration
Reject expired tokens.
3. Verify Issuer
Validate the iss claim.
4. Verify Audience
Ensure the token is intended for your application.
5. Validate Custom Claims
Verify user roles, permissions, tenant IDs, or other business-specific claims.
If every validation succeeds, the request is authenticated.
JWT Authentication Flow
- User logs in.
- Server verifies credentials.
- Server generates a JWT.
- Client stores the token securely.
- Client sends the token in the Authorization header.
- Server validates the token.
- Server returns the requested resource.
Best Practices for JWT Security
- Always use HTTPS.
- Keep token expiration short.
- Store refresh tokens securely.
- Never expose your secret key.
- Use strong signing algorithms such as HS256 or RS256.
- Validate every incoming token.
- Include only necessary information in the payload.
- Rotate signing keys periodically.
- Implement token revocation when required.
Common JWT Errors
- Invalid signature
- Expired token
- Incorrect issuer
- Invalid audience
- Malformed token
- Missing Authorization header
Proper error handling helps improve both security and user experience.
Advantages of JWT
- Stateless authentication
- Scalable for distributed systems
- Compact and URL-safe
- Easy integration with APIs
- Supports cross-platform applications
- Reduces server-side session storage