• +91-93-183-454-97
  • info@websolutiontechnology.com
Live
How Do You Generate And Validate A JWT

How Do You Generate And Validate A JWT

06 Jul, 2026 2 min read  views

How Do You Generate and Validate a JWT?

Modern APIs no longer rely solely on traditional username and password authentication. Instead, most REST APIs use JWT (JSON Web Token) to provide secure, stateless authentication and authorization. Whether you're testing microservices, cloud-native applications, or enterprise-grade APIs, knowing how to generate, validate, and use JWTs in RestAssured is a fundamental skill for every API automation tester. It enables you to authenticate requests, verify secure endpoints, and build reliable automated API test suites with confidence.

In this blog, you'll learn how JWTs are generated, how they are validated, and the best practices for implementing JWT-based authentication securely.

JWT Structure

A JWT consists of three parts separated by dots (.):

Header.Payload.Signature

Example JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6IkFkbWluIiwiZXhwIjoxNzYwMDAwMDAwfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

The header contains metadata about the token, including the signing algorithm and token type.

{
  "alg": "HS256",
  "typ": "JWT"
}
  • alg – Signing algorithm (e.g., HS256, RS256)
  • typ – Token type (JWT)

2. Payload

The payload contains claims, which are pieces of information about the user or token.

{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "john@example.com",
  "role": "Admin",
  "iat": 1751712000,
  "exp": 1751715600
}

Common claims include:

  • sub – Subject (User ID)
  • name – User name
  • email – User email
  • role – User role
  • iat – Issued at time
  • exp – Expiration time

3. Signature

The signature verifies that the token has not been altered.

For the HS256 algorithm, the signature is generated using:

HMACSHA256(
  Base64UrlEncode(Header) + "." +
  Base64UrlEncode(Payload),
  SecretKey
)

The server uses the same secret key (or a public key for asymmetric algorithms like RS256) to validate the signature.

How to Generate a JWT

How to Generate a JWT

The general process is:

Step 1: Authenticate the User

Verify the user's credentials from the database.

Step 2: Create the Payload

Include essential claims such as:

  • User ID
  • Email
  • Role
  • Issued At (iat)
  • Expiration Time (exp)

Step 3: Sign the Token

Use a secure secret key (or RSA private key) with algorithms like:

  • HS256
  • HS384
  • HS512
  • RS256

Step 4: Return the Token

Send the generated JWT to the client after successful login.

Example response:

{
"access_token":"eyJhbGc...",
"expires_in":3600
}

How to Validate a JWT

 

How to Validate a JWT

Whenever a client sends a request, the server validates the JWT.

Validation includes:

1. Verify Signature

Ensure the token hasn't been modified.

2. Check Expiration

Reject expired tokens.

3. Verify Issuer

Validate the iss claim.

4. Verify Audience

Ensure the token is intended for your application.

5. Validate Custom Claims

Verify user roles, permissions, tenant IDs, or other business-specific claims.

If every validation succeeds, the request is authenticated.


JWT Authentication Flow

  1. User logs in.
  2. Server verifies credentials.
  3. Server generates a JWT.
  4. Client stores the token securely.
  5. Client sends the token in the Authorization header.
  6. Server validates the token.
  7. Server returns the requested resource.

Best Practices for JWT Security

  • Always use HTTPS.
  • Keep token expiration short.
  • Store refresh tokens securely.
  • Never expose your secret key.
  • Use strong signing algorithms such as HS256 or RS256.
  • Validate every incoming token.
  • Include only necessary information in the payload.
  • Rotate signing keys periodically.
  • Implement token revocation when required.

Common JWT Errors

  • Invalid signature
  • Expired token
  • Incorrect issuer
  • Invalid audience
  • Malformed token
  • Missing Authorization header

Proper error handling helps improve both security and user experience.


Advantages of JWT

  • Stateless authentication
  • Scalable for distributed systems
  • Compact and URL-safe
  • Easy integration with APIs
  • Supports cross-platform applications
  • Reduces server-side session storage

 

Conclusion

JWT is one of the most widely adopted methods for secure authentication in modern applications. By properly generating, signing, and validating tokens, developers can build scalable and secure authentication systems for web, mobile, and API-based applications. Following security best practices—such as using HTTPS, setting token expiration, protecting signing keys, and validating claims—ensures your JWT implementation remains reliable and resistant to common attacks.
How Do You Generate And Validate A JWT How To Software Developers Artificial Intelligence: Transforming the Future of Business and Technology