Every authenticated interaction with Spring Community is backed by a JSON Web Token signed with an HMAC-SHA algorithm. The platform issues two distinct token types on every login or registration event: an ACCESS token for short-lived API authorization and a REFRESH token for obtaining a new pair without re-entering credentials. Both token strings are persisted in the tokens database table, enabling the server to revoke individual tokens, or all tokens belonging to a user, at any time, regardless of their cryptographic expiry.

Complete documentation index: https://mintlify.com/CristianRR94/springCommunity/llms.txt
## Token Types

### ACCESS

Used to authorize requests to protected REST endpoints. Sent in the `Authorization: Bearer <token>` header on every call.

- Default expiry: `3600000` ms (1 hour)
- Environment variable: `JWT_EXPIRATION`
- `TipoToken` value: `"ACCESS"`

### REFRESH

Used exclusively with `POST /auth/refresh` to obtain a new token pair. Must never be sent to regular API endpoints.

- Default expiry: `604800000` ms (7 days)
- Environment variable: `JWT_REFRESH_EXPIRATION`
- `TipoToken` value: `"REFRESH"`

application.properties:
## JWT Claims

The following claims are embedded in every token by `JwtProviderServiceImpl.buildToken()`. Custom claim names come directly from the `ClaimJwt` enum string values.

| Claim key | ClaimJwt constant | Description | Example value |
|---|---|---|---|
| `sub` | — | Subject: the user's display name (`usuario.getNombre()`) | `"alice"` |
| `usuarioId` | `USUARIO_ID` | The user's numeric primary key from the database | `42` |
| `nombre` | `NOMBRE` | User's display name (mirrors `sub`) | `"alice"` |
| `tipo_uso` | `TIPO_USO` | Token type string, either `"ACCESS"` or `"REFRESH"` | `"ACCESS"` |
| `roles` | `ROLES` | List of Spring `GrantedAuthority` strings for the user | `["ROLE_USUARIO"]` |
| `jti` | — | Random UUID assigned per token via `.id(UUID.randomUUID()...)` | `"d4e8f1a2-…"` |
| `iat` | — | Issued-at timestamp (Unix epoch seconds) | `1731660000` |
| `exp` | — | Expiration timestamp (Unix epoch seconds) | `1731663600` |
## Token Signing

Tokens are signed using HMAC-SHA via the JJWT library. The signing key is derived from a base64-encoded secret loaded from the `JWT_SECRET` environment variable.

`Keys.hmacShaKeyFor()` selects the strongest HMAC-SHA variant (HS256, HS384, or HS512) that the key length supports: at least 512 bits of decoded key material gives HS512, at least 384 bits gives HS384, and at least 256 bits gives HS256. What counts is the length of the decoded bytes, not the length of the base64 string, and a secret that decodes to fewer than 256 bits is rejected with a `WeakKeyException` rather than silently used. At verification time the same key is used by `Jwts.parser().verifyWith(getSigninKey())`, so only tokens carrying a valid HMAC over this key are accepted; a token whose header names a different algorithm does not verify.
## Token Validation

Incoming HTTP requests pass through `JwtAuthFilter`, a `OncePerRequestFilter` that runs before Spring Security's `UsernamePasswordAuthenticationFilter`. The filter performs the following checks in order:

1. Skip auth routes. Requests whose path contains `/auth` bypass the filter entirely; those endpoints are public. This is a substring match, not a prefix match, so any path that contains `/auth` anywhere is skipped; a protected route with such a path would never have its Bearer token read and Spring Security would reject the call.
2. Extract the Bearer token. The `Authorization` header is read. If it is absent or does not start with `"Bearer "`, the request continues unauthenticated (Spring Security will reject it if the route is protected).
3. Extract the username. `jwtProviderService.extractUsername(jwtToken)` parses the `sub` claim. A null result or an already-authenticated context short-circuits the filter.
4. Check the database record. `tokenRepository.findByToken(jwtToken)` is called. If the token is not found, or its `isExpired` or `isRevoked` flags are true, or its `tipoUso` is not `TipoToken.ACCESS`, the request continues without authentication. This step is what makes revocation effective, and it is also why a REFRESH token presented to a regular endpoint is refused even though its signature would verify.
5. Validate signature and expiry. `jwtProviderService.isTokenValid(jwtToken, userDetails)` confirms the username matches and the cryptographic expiry has not passed. A token whose database flags are still clear but whose `exp` has passed is rejected here.
## Refreshing a Token

When your ACCESS token expires, POST the current REFRESH token to `/auth/refresh`. The endpoint validates that the token is of type REFRESH, that it has not been revoked, and that its signature is valid. If all checks pass, all existing tokens for the user are revoked and a brand-new token pair is returned. Because that revocation covers the REFRESH token that was just presented, each REFRESH token can be used successfully only once; a client that retries with the old one after a successful refresh is rejected.

TokenResponse:
## Token Revocation

Token revocation is handled by `TokenManagementServiceImpl.revokeAllUserTokens()`. It fetches every non-expired, non-revoked token belonging to the user and sets both `expired = true` and `revoked = true`, then flushes all changes in a single `saveAll()` call.

Revocation is triggered in two situations:

- Refresh: old tokens are revoked before the new pair is saved.
- Logout: the `POST /auth/logout` handler reads the `Authorization` header and calls `revokeAllTokensByToken(token)`, which resolves the owning user from the token record and then calls `revokeAllUserTokens()`.
SecurityContext is cleared by Spring’s logoutSuccessHandler and all subsequent requests with the old tokens will be rejected by JwtAuthFilter at the database-check step, even if the JWT signature itself is still cryptographically valid.
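The signing rule, the filter's check order, the refresh rotation and `revokeAllUserTokens()` described in the sections above, reproduced in one runnable example. This is an added example and not Spring Community's code: it uses only the Python standard library in place of JJWT and an in-memory list in place of the tokens table. The secret, the `TokenStore` class, the function names and the sample user are assumptions; the claim names, `tipo_uso` values, default expiries and the order of the checks follow this page.

```python
import base64, hashlib, hmac, json, time, uuid

# Assumed secret for this example only, base64-encoded as JWT_SECRET is (64 bytes here).
SECRET_B64 = base64.b64encode(bytes(range(64))).decode()
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hmac_sha_key_for(secret_b64):
    """JJWT Keys.hmacShaKeyFor() rule: the decoded length picks HS512/HS384/HS256; <256 bits is rejected."""
    key = base64.b64decode(secret_b64)
    bits = len(key) * 8
    for alg, minimum in (("HS512", 512), ("HS384", 384), ("HS256", 256)):
        if bits >= minimum:
            return key, alg
    raise ValueError(f"WeakKeyException: {bits}-bit key, HMAC-SHA needs >= 256 bits")

def build_token(key, alg, usuario, roles, tipo_uso, ttl_ms, now=None):
    """Stand-in for JwtProviderServiceImpl.buildToken(): the page's claims, random jti, HMAC-signed."""
    now = int(time.time()) if now is None else now
    payload = {"sub": usuario["nombre"], "usuarioId": usuario["id"], "nombre": usuario["nombre"],
               "tipo_uso": tipo_uso, "roles": roles, "jti": str(uuid.uuid4()),
               "iat": now, "exp": now + ttl_ms // 1000}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in ({"alg": alg, "typ": "JWT"}, payload))
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), ALGS[alg]).digest())

def parse_signed_claims(key, token, now=None):
    """Counterpart of verifyWith(key).parseSignedClaims(): HMAC family only, constant-time compare, exp enforced."""
    now = int(time.time()) if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(head_b64)).get("alg")
    if alg not in ALGS:                                 # "alg":"none" or RS256 fail here
        raise ValueError(f"unsupported alg {alg!r}")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

class TokenStore:
    """In-memory stand-in for the tokens table, findByToken() and revokeAllUserTokens()."""
    def __init__(self):
        self.rows = []
    def save(self, token, usuario_id, tipo_uso):
        self.rows.append({"token": token, "usuarioId": usuario_id, "tipoUso": tipo_uso,
                          "expired": False, "revoked": False})
    def find_by_token(self, token):
        return next((r for r in self.rows if r["token"] == token), None)
    def revoke_all_user_tokens(self, usuario_id):
        live = [r for r in self.rows
                if r["usuarioId"] == usuario_id and not (r["expired"] or r["revoked"])]
        for r in live:                      # both flags set; one saveAll() in the real code
            r["expired"] = r["revoked"] = True
        return len(live)

def issue_pair(store, key, alg, usuario, roles, now=None):
    """Login, registration and refresh all end here: one ACCESS + one REFRESH, both persisted."""
    access = build_token(key, alg, usuario, roles, "ACCESS", 3_600_000, now)
    refresh_tok = build_token(key, alg, usuario, roles, "REFRESH", 604_800_000, now)
    store.save(access, usuario["id"], "ACCESS")
    store.save(refresh_tok, usuario["id"], "REFRESH")
    return access, refresh_tok

def jwt_auth_filter(store, key, path, authorization, now=None):
    """JwtAuthFilter's checks in the page's order; returns the username or None (unauthenticated)."""
    if "/auth" in path:                                 # substring match, as documented
        return None
    if not authorization or not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer "):]
    try:                                                # extractUsername(): read sub
        username = json.loads(b64url_decode(token.split(".")[1])).get("sub")
    except (ValueError, IndexError, AttributeError):
        return None
    row = store.find_by_token(token)                    # database record before any crypto
    if username is None or row is None or row["expired"] or row["revoked"] or row["tipoUso"] != "ACCESS":
        return None
    try:                                                # isTokenValid(): signature + exp
        claims = parse_signed_claims(key, token, now)
    except ValueError:
        return None
    return username if claims.get("sub") == username else None

def refresh(store, key, alg, refresh_token, now=None):
    """POST /auth/refresh: live REFRESH record + valid signature, then revoke all and reissue."""
    row = store.find_by_token(refresh_token)
    if row is None or row["revoked"] or row["expired"] or row["tipoUso"] != "REFRESH":
        raise PermissionError("refresh token not usable")
    claims = parse_signed_claims(key, refresh_token, now)
    usuario = {"id": claims["usuarioId"], "nombre": claims["nombre"]}
    store.revoke_all_user_tokens(usuario["id"])        # old pair dies before the new one is saved
    return issue_pair(store, key, alg, usuario, claims["roles"], now)
```

Two points worth running for yourself: a REFRESH token or a revoked ACCESS token fails at the `TokenStore` lookup before any HMAC is computed, which is the property that lets logout and refresh invalidate tokens whose signatures are still good; and after `refresh()` the old REFRESH token is itself revoked, so a second call with it raises even though the JWT is cryptographically valid for seven days.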
The Token entity fields involved in revocation: