Spring Boot 4 Complete Guide · Lesson

Resource Server JWT Validation and Claims

Validate JWT access tokens, verify issuers and audiences, and extract authorities from claims.

The Resource Server Role

In OAuth2, a resource server is the API that holds protected data. It does not log users in or issue tokens. Its only job at request time is to validate the access token that an authorization server already issued, then authorize the call.

  • Tokens are usually JWTs (JSON Web Tokens) signed by the authorization server.
  • Validation is stateless: the resource server verifies the signature and claims locally, without a database lookup or a per-request call to the authorization server. All it needs is the issuer's public signing keys (the JWK Set), which it fetches once and caches, refreshing when it sees an unknown key id.
  • Spring Security ships a dedicated oauth2ResourceServer DSL for exactly this.

In this lesson you will validate JWTs, verify the iss and aud claims, and turn claims into Spring authorities.
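As an added example (not the lesson's own code), this is the smallest working resource-server configuration built on that DSL. It assumes Spring Boot 4 with the spring-boot-starter-oauth2-resource-server dependency on the classpath and an authorization server at https://issuer.example.com; the package, class and bean names are this example's own choices.

```java
// Added example, not from the lesson. Assumes this property is set (application.properties):
//
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://issuer.example.com
//
// With only that property, Spring Boot auto-configures a JwtDecoder that reads the issuer's
// OpenID discovery document, downloads and caches its JWK Set, verifies each token's
// signature, and validates exp/nbf and that iss equals the configured issuer.
// It does NOT check aud unless spring.security.oauth2.resourceserver.jwt.audiences is set.
package com.example.orders.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            // Every request except the health probe must carry a valid bearer token.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            // Accept "Authorization: Bearer <jwt>" and validate it with the auto-configured JwtDecoder.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // A bearer-token API holds no server-side login state, so never create sessions ...
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // ... and CSRF protection only matters when a cookie authenticates the caller, which it never does here.
            .csrf(AbstractHttpConfigurer::disable);
        return http.build();
    }
}
```

A request without a token, or with an expired, wrongly signed or wrong-issuer token, gets a 401 with a `WWW-Authenticate: Bearer` header and never reaches a controller. Disabling CSRF is only safe because the chain accepts no cookie-based authentication; if you later add a session login to the same application, give it a separate filter chain.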

Anatomy of a JWT

A JWT has three Base64URL parts separated by dots: header.payload.signature. The payload carries claims the resource server inspects:

  • iss — issuer, the URL of the authorization server that signed the token.
  • sub — subject, the user or client id the token represents.
  • aud — audience, the resource server(s) the token is meant for; a token issued for a different API has a valid signature but must still be rejected.
  • exp / nbf / iat — expiry, not-before, issued-at timestamps (seconds since the Unix epoch).
  • scope or scp — granted OAuth2 scopes, as a space-separated string or an array.
  • roles — not a standard JWT claim; some authorization servers add it (or a differently named equivalent), so its name and format are issuer-specific.

The example below shows a decoded payload as plain JSON (the header and signature parts are omitted). Validating a token means all of the following hold: the signature verifies against a key the issuer publishes, the current time falls between nbf and exp (allowing a little clock skew), iss is exactly the issuer you trust, and aud names this API. A token that fails any one of these checks is rejected.

// A decoded JWT payload (claims) as JSON
{
  "iss": "https://issuer.example.com",
  "sub": "user-1234",
  "aud": ["orders-api"],
  "scope": "orders.read orders.write",
  "roles": ["ADMIN", "USER"],
  "iat": 1735689600,
  "nbf": 1735689600,
  "exp": 1735693200
}
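The following added example (again not from the lesson) makes those checks explicit for the payload above: it builds the JwtDecoder itself, validates iss and aud, and maps the scope claim and the custom roles claim to Spring authorities that the authorization rules can reference. It assumes the same issuer URL, the audience "orders-api", a roles claim shaped as shown, and example-chosen package and bean names.

```java
// Added example, not from the lesson. Assumed values: the issuer and audience below,
// and a custom "roles" array claim as in the sample payload.
package com.example.orders.security;

import java.util.Collection;
import java.util.List;
import java.util.stream.Stream;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class JwtClaimsConfig {

    private static final String ISSUER = "https://issuer.example.com";   // assumed
    private static final String AUDIENCE = "orders-api";                  // assumed

    @Bean
    JwtDecoder jwtDecoder() {
        // Resolves the JWK Set URI from the issuer's discovery document and verifies signatures with it.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);

        // setJwtValidator REPLACES the defaults, so re-add them: exp/nbf (with clock skew) and iss.
        // aud is never checked by default; without this validator a token minted for another API
        // of the same issuer would be accepted.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Built-in defaults: read "scope" (or "scp"), split on spaces, prefix SCOPE_
        // -> SCOPE_orders.read, SCOPE_orders.write for the sample payload.
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

        // Custom claim: "roles": ["ADMIN","USER"] -> ROLE_ADMIN, ROLE_USER, so hasRole("ADMIN") matches.
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");
        roles.setAuthorityPrefix("ROLE_");

        Converter<Jwt, Collection<GrantedAuthority>> both = jwt ->
            Stream.concat(scopes.convert(jwt).stream(), roles.convert(jwt).stream()).toList();

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(both);
        converter.setPrincipalClaimName(JwtClaimNames.SUB); // the default; shown so the choice is explicit
        return converter;
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/orders/**").hasAuthority("SCOPE_orders.read")
                .requestMatchers(HttpMethod.POST, "/orders/**").hasAuthority("SCOPE_orders.write")
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // The JwtDecoder bean above replaces Spring Boot's auto-configured one.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

Two caveats a practitioner should keep in mind. First, the roles claim is part of your contract with the authorization server, not part of the JWT standard: the resource server trusts it only because the signature proves the issuer put it there, so never map claims from an issuer you have not pinned via iss. Second, the JWK Set is the root of trust for every check here; fetch it over HTTPS from the issuer's own origin only, which is what fromIssuerLocation does.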
