DTOs vs. Entities in Spring Boot: What Nobody Tells You
When I first started using Spring Boot, I didn’t think much about DTOs (Data Transfer Objects) and Entities. I just created one class and used it everywhere — in my database, in my API, in my service. It worked… until it didn’t.
In this article, I want to share what I learned about DTOs and Entities. I’ll explain what they are, why separating them matters, and how skipping this step caused me some real problems.
What I Did at First
At the beginning of one of my projects, I created a User class with fields like id, name, email, and password. I used this same class for:
- Saving to the database (as a JPA entity)
- Accepting data from the frontend
- Returning API responses
It was fast to build. I didn’t write much code. But over time, this became a problem.
When It Broke
One day, I got a new requirement. The frontend team needed to show a public profile, but without the user’s email and password.
Simple, right?
But my API was using the full User entity. So the response included sensitive data like the password hash.
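To make the failure concrete, here is an added example (not the article's own code) showing the leaking endpoint that returns the entity directly, beside the fixed endpoint that maps it to a read-only DTO; the UserRepository, the UserProfileDto record and the two URL paths are assumptions for illustration.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// The entity from the article: one class carrying every column, including the password hash.
@Entity
class User {
    @Id
    private Long id;
    private String name;
    private String email;
    private String password; // stored hash; must never leave the server

    protected User() {} // no-arg constructor required by JPA

    public Long getId() { return id; }
    public String getName() { return name; }
    public String getEmail() { return email; }
    public String getPassword() { return password; }
}
// Assumed Spring Data repository (not part of the original article).
interface UserRepository extends JpaRepository<User, Long> {}
// Response DTO for the public profile: only the fields the frontend may see.
record UserProfileDto(Long id, String name) {
    static UserProfileDto from(User user) {
        return new UserProfileDto(user.getId(), user.getName());
    }
}

@RestController
public class UserController {
    private final UserRepository users;

    UserController(UserRepository users) { this.users = users; }

    // Before: Jackson serializes every public getter of the entity, so the
    // JSON body also contains "email" and "password".
    @GetMapping("/users/{id}/raw")
    public User rawProfile(@PathVariable Long id) {
        return users.findById(id).orElseThrow();
    }

    // After: map the entity to the DTO; the body is {"id":..,"name":..} and nothing else.
    @GetMapping("/users/{id}/profile")
    public UserProfileDto profile(@PathVariable Long id) {
        return UserProfileDto.from(users.findById(id).orElseThrow());
    }
}
```

The same separation protects the request side: binding a dedicated request DTO instead of the entity stops a client from setting fields such as id or password that the endpoint never meant to accept.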