I need to use JWT in mi API, and the IDE tells me that the .signWith() method is deprecated. So far I use the @Deprecated annotation, but I think this is not so good practice.

This is my example code:

@Deprecated
public String generateToken(UserDetails userDetails) {
    return Jwts.builder().setSubject(userDetails.getUsername()).setIssuedAt(new Date())
            .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10))
            .signWith(SignatureAlgorithm.HS256, KEY).compact();
}

As per source code signWith(SignatureAlgorithm var1, byte[] var2) got deprecated.

@Deprecated
JwtBuilder signWith(SignatureAlgorithm var1, byte[] var2) throws InvalidKeyException;
@Deprecated
JwtBuilder signWith(SignatureAlgorithm var1, String var2) throws InvalidKeyException;

you can do something like this.

SecretKey key = Keys.hmacShaKeyFor(secretkey.getBytes(StandardCharsets.UTF_8));
jwtBuilder.signWith(key).compact();

Here hmacShaKeyFor() method determines the Algorithm to be used based on the bit length of Secretkey.

Too lazy get the sources so maven dependency

<dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.12.3</version>
</dependency>

As per the source code you need to flip the variables so that Key comes first:

@deprecated since 0.10.0: use {@link #signWith(Key, SignatureAlgorithm)} instead. This method will be removed in the 1.0 release.

@Deprecated
JwtBuilder signWith(SignatureAlgorithm alg, Key key) throws InvalidKeyException;

So as per the deprecated comment, the correct usage would be:

signWith(KEY, SignatureAlgorithm)

Using the deprecated method and @deprecated annotation is not a solution if you ever intend to upgrade to version 1.0 or a newer version of the library in the future.

You can use something like this: The new signWith API needs Key object to be passed which you can create using Keys.hmacShaKeyFor method. Thus you can ignore the deprecated one.

    private String doGenerateToken(Map<String, Object> claims, String username) {
            return Jwts.builder()
                .setClaims(claims)
                .setSubject(username)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + jwtTokenValidityInMs))
                .signWith(getSigningKey(), SignatureAlgorithm.HS512) // <-- This can be helpful to you
                .compact();
    }

    private Key getSigningKey() {
        byte[] keyBytes = this.secret.getBytes(StandardCharsets.UTF_8);
        return Keys.hmacShaKeyFor(keyBytes);
    }

You can use this

.signWith(key, Jwts.SIG.HS256)

Full Function

 public String generateToken(Map<String, Object> extraClaims, UserDetails userDetails) {
        return Jwts.builder()
                .claims()
                .add(extraClaims)
                .subject(userDetails.getUsername())
                .issuedAt(new Date(System.currentTimeMillis()))
                .expiration(new Date(System.currentTimeMillis() + 1000 * 60 + 24))
                .and()
                .signWith(getSignInKey(), Jwts.SIG.HS256)
                .compact();

    }

You can use this code snippet

SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256); //or HS384 or HS512
 Jwts.builder()
//...
.signWith(key) 
.compact();

More info

SignatureAlgorithm is Deprecated. since 0.12.0; use Jwts.SIG instead

Below is the way I am doing it in my spring boot project.

SecretKey key = Keys.hmacShaKeyFor(environment.getProperty("jwt.token.secret").getBytes(StandardCharsets.UTF_8));
//.....
.signWith(key ,Jwts.SIG.HS512).compact();

I have declared jwt.token.secret property in my application.properties file.

'io.jsonwebtoken:jjwt:0.12.3'