[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0FZek7R1vz4AS3uTzc6aFKFaJUnpEz_4pxUw-UtbHnw":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":48,"crawl_stats":37,"alternatives":55,"analysis":149,"fingerprints":271},"api-bearer-auth","API Bearer Auth","20200916","michielve","https:\u002F\u002Fprofiles.wordpress.org\u002Fmichielve\u002F","\u003Cp>The API Bearer Auth plugin enables authentication for the REST API by using JWT access an refresh tokens. After the user logs in, the access and refresh tokens are returned and can be used for the next requests. Issued tokens can be revoked from within the users admin screen. See below for the endpoints.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note that after activating this plugin, all REST API endpoints will need to be authenticated, unless the endpoint is whitelisted in the \u003Ccode>api_bearer_auth_unauthenticated_urls\u003C\u002Fcode> filter (see FAQ for how to use this filter).\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>JWT\u003C\u002Fh4>\n\u003Cp>Access tokens can be formatted as JWT tokens. For this to work, you first have to create a secret and add it to the wp-config.php file. If you don’t do this, access tokens will work also, but are just random strings. To create a random secret key, you can do for example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>base64_encode(openssl_random_pseudo_bytes(64));\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>And then add the result to wp-config:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('API_BEARER_JWT_SECRET', 'mysecretkey');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you have problems, you can verify your JWT tokens at: \u003Ca href=\"https:\u002F\u002Fjwt.io\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fjwt.io\u002F\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Revoke tokens\u003C\u002Fh4>\n\u003Cp>This plugin adds a column to the users table in de admin where you can see when a token expires. You can also revoke tokens by selection the “Revoke API tokens” from the bulk actions select box.\u003C\u002Fp>\n\u003Ch4>API endpoints\u003C\u002Fh4>\n\u003Cp>Note that all endpoints \u003Cstrong>expect JSON in the POST body\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Endpoint:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fapi-bearer-auth\u002Fv1\u002Flogin\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Request body:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: \u003Ccode>client_name\u003C\u002Fcode> is optional. But if you use it, make sure to use it as well for the refresh call!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\"username\": \"my_username\", \"password\": \"my_password\", \"client_name\": \"my_app\"}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"wp_user\": {\n \"data\": {\n \"ID\": 1,\n \"user_login\": \"your_user_login\",\n \u002F\u002F other default WordPress user fields\n }\n },\n \"access_token\": \"your_access_token\",\n \"expires_in\": 86400, \u002F\u002F number of seconds\n \"refresh_token\": \"your_refresh_token\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Make sure to save the access and refresh token!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Refresh access token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Endpoint:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fapi-bearer-auth\u002Fv1\u002Ftokens\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Request body:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: \u003Ccode>client_name\u003C\u002Fcode> is optional. But if you did use it for the login call, make sure to use it here as well!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\"token\": \"your_refresh_token\", \"client_name\": \"my_app\"}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response success:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"access_token\": \"your_new_access_token\",\n \"expires_in\": 86400\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response when sending a wrong refresh token is a 401:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"code\": \"api_api_bearer_auth_error_invalid_token\",\n \"message\": \"Invalid token.\",\n \"data\": {\n \"status\": 401\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Do a request\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>After you have the access token, you can make requests to authenticated endpoints with an Authorization header like this:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer \u003Cyour_access_token>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Note that Apache sometimes strips out the Authorization header. If this is the case, make sure to add this to the .htaccess file:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteCond %{HTTP:Authorization} ^(.*)\n# Don't know why, but some need the line below instead of the RewriteRule line\n# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you are not logged in or you send an invalid access token, you get a 401 response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"code\": \"api_bearer_auth_not_logged_in\",\n \"message\": \"You are not logged in.\",\n \"data\": {\n \"status\": 401\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Important update\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Update immediately if you’re using a version below 20200807. Before this version all access tokens were updated when calling the refresh callback.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>If you are affected by this the fastest solution is to execute this query:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>update wp_user_tokens set access_token_valid = NOW();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This will invalidate all access tokens. This means that all users need to refresh their access token and will get a new access token and a unique one this time.\u003C\u002Fp>\n\u003Cp>A big thank to @harchvertelol for reporting this and suggesting the fix as well!\u003C\u002Fp>\n","Access and refresh tokens based authentication plugin for the REST API.",300,23510,100,6,"2025-12-08T09:52:00.000Z","6.9.4","4.6","5.4.0",[20,21,22,23,24],"api","authentication","jwt","jwt-tokens","rest-api","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fapi-bearer-auth.zip",1,0,"2019-09-05 00:00:00","2026-03-15T15:16:48.613Z",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2019-16332","api-bearer-auth-cross-site-scripting","API Bearer Auth \u003C 20190907 - Cross-Site Scripting","In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.",null,"\u003C20190907","20190907","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-01-22 19:56:02",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F13843a16-7ae3-412d-a2ac-7a5ee556b6e2?source=api-prod",1601,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":49,"total_installs":50,"avg_security_score":51,"avg_patch_time_days":52,"trust_score":53,"computed_at":54},4,1320,92,644,73,"2026-04-04T04:29:39.597Z",[56,77,100,116,132],{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":66,"num_ratings":67,"last_updated":68,"tested_up_to":16,"requires_at_least":69,"requires_php":70,"tags":71,"homepage":75,"download_link":76,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n var app = angular.module('jwtAuth', []);\n\n app.controller('MainController', function($scope, $http) {\n var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n username: 'admin',\n password: 'password'\n })\n .then(function(response) {\n console.log(response.data)\n })\n .catch(function(error) {\n console.error('Error', error.data[0]);\n });\n });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n \"user_display_name\": \"admin\",\n \"user_email\": \"admin@localhost.dev\",\n \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"code\": \"jwt_auth_failed\",\n \"data\": {\n \"status\": 403\n },\n \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n return {\n 'request': function(config) {\n config.headers = config.headers || {};\n \u002F\u002F Assume that you store the token in a cookie\n var globals = $cookies.getObject('globals') || {};\n \u002F\u002F If the cookie has the CurrentUser and the token\n \u002F\u002F add the Authorization header in each request\n if (globals.currentUser && globals.currentUser.token) {\n config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n }\n return config;\n }\n };\n }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n {\n \"code\": \"jwt_auth_failed\",\n \"message\": \"Invalid Credentials.\",\n \"data\": {\n \"status\": 403\n }\n }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n {\n \"code\": \"jwt_auth_invalid_token\",\n \"message\": \"Signature verification failed\",\n \"data\": {\n \"status\": 403\n }\n }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n {\n \"code\": \"jwt_auth_invalid_token\",\n \"message\": \"Expired token\",\n \"data\": {\n \"status\": 403\n }\n }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"code\": \"jwt_auth_valid_token\",\n \"data\": {\n \"status\": 200\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n 'iss' => get_bloginfo('url'),\n 'iat' => $issuedAt,\n 'nbf' => $notBefore,\n 'exp' => $expire,\n 'data' => array(\n 'user' => array(\n 'id' => $user->data->ID,\n )\n )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n 'token' => $token,\n 'user_email' => $user->data->user_email,\n 'user_nicename' => $user->data->user_nicename,\n 'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n apply_filters('jwt_auth_token_before_sign', $token, $user),\n $secret_key,\n apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n $token,\n new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.",60000,893830,88,53,"2026-02-18T00:58:00.000Z","4.2","7.4.0",[72,22,73,24,74],"json-web-authentication","oauth","wp-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":66,"num_ratings":53,"last_updated":87,"tested_up_to":16,"requires_at_least":88,"requires_php":89,"tags":90,"homepage":95,"download_link":96,"security_score":97,"vuln_count":98,"unpatched_count":28,"last_vuln_date":99,"fetched_at":30},"wp-rest-api-authentication","JWT Authentication for WP REST APIs","4.3.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Cstrong>WordPress REST API endpoints\u003C\u002Fstrong> are \u003Cstrong>open and unsecured by default\u003C\u002Fstrong> which can be used to access your site data. Secure WordPress APIs from unauthorized users with our \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication\" rel=\"nofollow ugc\">JWT Authentication for WP REST APIs plugin\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Our plugin offers below authentication methods to \u003Cstrong>Protect WP REST API endpoints\u003C\u002Fstrong>:\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– External Token based Authentication 2.0\u002FOIDC\u002FJWT\u002F\u003Ca href=\"https:\u002F\u002Ffirebase.google.com\u002Fdocs\u002Fauth\u002Fadmin\u002Fcreate-custom-tokens\" rel=\"nofollow ugc\">Firebase\u003C\u002Fa> provider’s token authentication methods.\u003C\u002Fp>\n\u003Cp>You can authenticate default WordPress endpoints and custom-developed REST endpoints and third-party plugin REST API endpoints like that of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">Woocommerce\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">Learndash\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">Buddypress\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.gravityforms.com\u002F\" rel=\"nofollow ugc\">Gravity Forms\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcart-rest-api-for-woocommerce\u002F\" rel=\"ugc\">CoCart\u003C\u002Fa>, etc.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIsyKI7eEV-I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WP REST API Authentication Methods in our plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method#step_a1\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\nProvides an endpoint where you can pass the user credentials, and it will generate a JWT (JSON Web Token), which you can use to access the WordPress REST APIs accordingly.\u003Cbr \u002F>\nAdditionally, to maintain a seamless user experience without frequent logins needed due to token expiry, you can use our \u003Cem>Refresh and Revoke token\u003C\u002Fem> mechanisms feature.\u003Cbr \u002F>\nWhen the access token expires, instead of forcing the user to log in again, the client can request a new access token using a valid refresh token.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method#step_a\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>:\u003Cbr \u002F>\n – 1. \u003Cstrong>Username: Password\u003C\u002Fstrong>\u003Cbr \u002F>\n – 2. \u003Cstrong>Client-ID: Client-Secret\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method#step_a\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n – 1. \u003Cstrong>Password Grant\u003C\u002Fstrong>\u003Cbr \u002F>\n – 2. \u003Cstrong>Client Credentials Grant\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication-using-third-party-provider#step_a\" rel=\"nofollow ugc\">Third Party Provider Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Following are some of the integrations that are possible with WP REST API Authentication:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Learndash API Authentication\u003C\u002Fli>\n\u003Cli>Custom Built REST API Endpoints Authentication\u003C\u002Fli>\n\u003Cli>BuddyPress API Authentication\u003C\u002Fli>\n\u003Cli>WooCommerce API Authentication\u003C\u002Fli>\n\u003Cli>Gravity Form API Authentication\u003C\u002Fli>\n\u003Cli>External\u002FThird-party plugin API endpoints integration in WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also disable the WP REST APIs with our plugin such that no one can make API calls to your WordPress REST API endpoints.Our plugin also provides \u003Cstrong>Refresh and Revoke Token\u003C\u002Fstrong> that can be used to improve the API security.\u003C\u002Fp>\n\u003Ch3>Benefits of Refresh Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Enhances security by keeping access tokens short-lived.\u003C\u002Fli>\n\u003Cli>Improves user experience with uninterrupted sessions.\u003C\u002Fli>\n\u003Cli>Reduces login frequency.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits of Revoke Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Protects against token misuse if a device is lost or compromised.\u003C\u002Fli>\n\u003Cli>Enables admin-triggered logouts or session control.\u003C\u002Fli>\n\u003Cli>Useful for complying with stricter session policies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With this plugin, the user is allowed to access your site’s resources only after successful WP REST API authentication. JWT Authentication for WP REST APIs plugin will make your \u003Cstrong>WordPress endpoints secure from unauthorized access.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Plugin Feature List\u003C\u002Fh3>\n\u003Ch3>FREE PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate only default core WordPress REST API endpoints.\u003C\u002Fli>\n\u003Cli>Basic Authentication with username and password.\u003C\u002Fli>\n\u003Cli>JWT Authentication (JSON Web Token Authentication).\u003C\u002Fli>\n\u003Cli>Enable Selective API protection.\u003C\u002Fli>\n\u003Cli>Restrict non-logged-in users to access REST API endpoints.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>PREMIUM PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate all REST API endpoints (Default WP, Custom APIs,Third-Party plugins)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Token Authentication\u003C\u002Fstrong> (JSON Web Token Authentication)\u003C\u002Fli>\n\u003Cli>Login, Refresh and Revoke token endpoints for token management\u003C\u002Fli>\n\u003Cli>API Key Authentication\u003C\u002Fli>\n\u003Cli>Basic Authentication (username\u002Fpassword and email\u002Fpassword)\u003C\u002Fli>\n\u003Cli>OAuth 2.0 Authentication\u003C\u002Fli>\n\u003Cli>Universal API key and User-specific API key for authentication\u003C\u002Fli>\n\u003Cli>Selective API protection.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003Cli>Time-based token expiry\u003C\u002Fli>\n\u003Cli>Role-based WP REST API authentication\u003C\u002Fli>\n\u003Cli>Custom Header support rather than just \u003Cem>Authorization\u003C\u002Fem> to increase security.\u003C\u002Fli>\n\u003Cli>Create users in WordPress based on third-party provider access tokens (JWT tokens) authentication.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data.\u003C\u002Fp>\n","Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.",20000,490496,"2026-02-09T05:11:00.000Z","3.0.1","5.6",[91,92,93,24,94],"api-key","jwt-authentication","rest","secure-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-authentication.4.3.0.zip",97,2,"2025-04-16 00:00:00",{"slug":101,"name":102,"version":103,"author":104,"author_profile":105,"description":106,"short_description":107,"active_installs":28,"downloaded":108,"rating":28,"num_ratings":28,"last_updated":109,"tested_up_to":16,"requires_at_least":110,"requires_php":111,"tags":112,"homepage":25,"download_link":115,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"headlesskey-jwt-auth","HeadlessKey – JWT Auth","1.0.0","Hidayat Mahetar","https:\u002F\u002Fprofiles.wordpress.org\u002Fhidayatsafewp\u002F","\u003Cp>\u003Cstrong>HeadlessKey – JWT Auth\u003C\u002Fstrong> extends the REST API to provide a robust and secure authentication system using JSON Web Tokens (JWT). Designed for Headless WordPress, it enables seamless user authentication, registration, and session management via standard REST endpoints.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication\u003C\u002Fstrong>: Secure user authentication using industry-standard RFC 7519 tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Algorithms\u003C\u002Fstrong>: Support for \u003Ccode>HS256\u003C\u002Fcode>, \u003Ccode>RS256\u003C\u002Fcode>, and \u003Ccode>ES256\u003C\u002Fcode> signing algorithms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comprehensive Endpoints\u003C\u002Fstrong>: Ready-to-use endpoints for Login, Register, Token Refresh, and Password Management.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Sign-On (SSO)\u003C\u002Fstrong>: Connect multiple sites with a secure, headers-based SSO exchange mechanism.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role-Based Access Control (RBAC)\u003C\u002Fstrong>: Configure public or authenticated access for every endpoint.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute Force Protection\u003C\u002Fstrong>: Protects against attacks by locking users\u002FIPs after failed attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity Logs\u003C\u002Fstrong>: Detailed audit trail of all authentication events, including IP and device data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Webhooks\u003C\u002Fstrong>: Real-time JSON events sent to your external services for monitoring key actions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Device Limits\u003C\u002Fstrong>: Restrict the number of active devices\u002Fsessions per user.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong>: Extensive hooks and filters for deep customization.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch3>Secret Key\u003C\u002Fh3>\n\u003Cp>The plugin uses a secret key to sign tokens. By default, a secure random key is generated. For better security and consistency across environments, define your key in \u003Ccode>wp-config.php\u003C\u002Fcode>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_SECRET_KEY', 'your-long-random-secure-string');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a strong salt here: \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">WordPress Salt Generator\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>CORS Support\u003C\u002Fh3>\n\u003Cp>Cross-Origin Resource Sharing (CORS) is enabled by default to allow frontend applications to connect. To disable or customize it via constant:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_CORS', true); \u002F\u002F or false to disable\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST API Namespace\u003C\u002Fh3>\n\u003Cp>By default, endpoints are under \u003Ccode>wp-json\u002Fwpauthapi\u002Fv1\u003C\u002Fcode>. You can customize this namespace:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_REST_NAMESPACE', 'my-custom-auth');\ndefine('headlesskey_REST_VERSION', 'v2');\u003Ch3>Endpoints\u003C\u002Fh3>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The plugin adds the following endpoints under the \u003Ccode>\u002Fwp-json\u002Fheadlesskey\u002Fv1\u003C\u002Fcode> namespace:\u003C\u002Fp>\n\u003Cp> Endpoint\u003Cbr \u002F>\n HTTP Verb\u003Cbr \u002F>\n Description\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Login\u003C\u002Fstrong>: Exchange username\u002Fpassword for a JWT.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Validate\u003C\u002Fstrong>: Check if a token validity.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Refresh\u003C\u002Fstrong>: Exchange a valid token for a new one (rotation).\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Logout\u003C\u002Fstrong>: Invalidate a specific token.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Register\u003C\u002Fstrong>: Create a new user account.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Profile\u003C\u002Fstrong>: Login and get full user profile data in one request.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Recover\u003C\u002Fstrong>: Request a password reset via Link or OTP.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Reset\u003C\u002Fstrong>: Set a new password using a token or OTP.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>Update\u003C\u002Fstrong>: Change password for authenticated user.\u003C\u002Fp>\n\u003Cp> \u003Ccode>\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n POST\u003Cbr \u002F>\n \u003Cstrong>SSO\u003C\u002Fstrong>: Exchange a remote site token for a local session.\u003C\u002Fp>\n\u003Ch3>1. Login (Generate Token)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Authenticate a user and generate a JWT token.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"username\": \"admin\",\u003Cbr \u002F>\n \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n \"expires_in\": 3600,\u003Cbr \u002F>\n \"user\": {\u003Cbr \u002F>\n \"ID\": 1,\u003Cbr \u002F>\n \"user_login\": \"admin\",\u003Cbr \u002F>\n \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n \"display_name\": \"Administrator\",\u003Cbr \u002F>\n \"roles\": [\"administrator\"]\u003Cbr \u002F>\n },\u003Cbr \u002F>\n \"refreshable\": true,\u003Cbr \u002F>\n \"jti\": \"545086b9-450f-488b-a70d-3047d14d1101\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>2. Validate Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Validate if an existing token is valid.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"valid\": true,\u003Cbr \u002F>\n \"data\": {\u003Cbr \u002F>\n \"iss\": \"https:\u002F\u002Fexample.com\",\u003Cbr \u002F>\n \"iat\": 1698393600,\u003Cbr \u002F>\n \"exp\": 1698397200,\u003Cbr \u002F>\n \"data\": {\u003Cbr \u002F>\n \"ID\": 1,\u003Cbr \u002F>\n \"user_login\": \"admin\"\u003Cbr \u002F>\n }\u003Cbr \u002F>\n }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>3. Refresh Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Rotate an expiring token for a fresh one.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.new...\",\u003Cbr \u002F>\n \"expiration\": \"2023-10-27T11:00:00+00:00\",\u003Cbr \u002F>\n \"user\": {\u003Cbr \u002F>\n \"ID\": 1,\u003Cbr \u002F>\n \"user_login\": \"admin\"\u003Cbr \u002F>\n },\u003Cbr \u002F>\n \"jti\": \"new-uuid-v4\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>4. Revoke Token (Logout)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Invalidate a token immediately.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"message\": \"Token revoked successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>5. Register User\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Create a new user account.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"username\": \"johndoe\",\u003Cbr \u002F>\n \"email\": \"john@example.com\",\u003Cbr \u002F>\n \"password\": \"secure-password\",\u003Cbr \u002F>\n \"name\": \"John Doe\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"user_id\": 45,\u003Cbr \u002F>\n \"user\": {\u003Cbr \u002F>\n \"ID\": 45,\u003Cbr \u002F>\n \"user_login\": \"johndoe\",\u003Cbr \u002F>\n \"user_email\": \"john@example.com\",\u003Cbr \u002F>\n \"display_name\": \"John Doe\",\u003Cbr \u002F>\n \"roles\": [\"subscriber\"]\u003Cbr \u002F>\n },\u003Cbr \u002F>\n \"token_response\": {\u003Cbr \u002F>\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOi...\",\u003Cbr \u002F>\n \"expiration\": \"2023-10-27T10:00:00+00:00\"\u003Cbr \u002F>\n }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>6. User Profile (Login Extended)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Alternative login endpoint that returns cleaner profile structure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"username\": \"admin\",\u003Cbr \u002F>\n \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n \"user\": {\u003Cbr \u002F>\n \"ID\": 1,\u003Cbr \u002F>\n \"user_login\": \"admin\",\u003Cbr \u002F>\n \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n \"display_name\": \"Administrator\",\u003Cbr \u002F>\n \"roles\": [\"administrator\"]\u003Cbr \u002F>\n }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>7. Forgot Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Initiate password recovery. Note: \u003Ccode>delivery\u003C\u002Fcode> can be \u003Ccode>link\u003C\u002Fcode> or \u003Ccode>otp\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"login\": \"admin@example.com\",\u003Cbr \u002F>\n \"delivery\": \"link\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"message\": \"Password reset email sent.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>8. Reset Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Reset password using the token sent via email or OTP.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request (Link method):\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"login\": \"admin@example.com\",\u003Cbr \u002F>\n \"password\": \"new-secure-password\",\u003Cbr \u002F>\n \"token\": \"generated-reset-key\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"message\": \"Password updated successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>9. Change Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Change password for currently authenticated user. Requires \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n Authorization: Bearer \u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"current_password\": \"old-password\",\u003Cbr \u002F>\n \"new_password\": \"new-secure-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"message\": \"Password changed successfully. Please login again.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>10. SSO Token Exchange\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Securely exchange a token from a connected remote site for a local authentication session. This powers the distributed Single Sign-On network.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n \"site_key\": \"remote-site-id\",\u003Cbr \u002F>\n \"token\": \"remote-jwt-token\",\u003Cbr \u002F>\n \"signature\": \"hmac-sha256-signature\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\nReturns a standard \u003Cstrong>Login\u003C\u002Fstrong> response (Token + User Data) if the signature is valid.\u003C\u002Fp>\n","A complete authentication solution for Headless WordPress applications using JWT, supporting Registration, SSO, RBAC, and advanced Security features.",133,"2026-02-08T10:59:00.000Z","6.0","8.0",[21,113,22,24,114],"headless","security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheadlesskey-jwt-auth.1.0.0.zip",{"slug":117,"name":118,"version":119,"author":120,"author_profile":121,"description":122,"short_description":123,"active_installs":28,"downloaded":124,"rating":28,"num_ratings":28,"last_updated":25,"tested_up_to":125,"requires_at_least":89,"requires_php":126,"tags":127,"homepage":129,"download_link":130,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":131},"juanma-jwt-auth-pro","JuanMa JWT Auth Pro","1.2.1","JuanMa Garrido","https:\u002F\u002Fprofiles.wordpress.org\u002Fjuanmaguitar\u002F","\u003Cp>Unlike basic JWT plugins that use \u003Cstrong>single long-lived tokens\u003C\u002Fstrong>, JWT Auth Pro implements \u003Cstrong>modern OAuth 2.0 security best practices\u003C\u002Fstrong> with short-lived access tokens and secure refresh tokens.\u003C\u002Fp>\n\u003Ch4>Why JWT Auth Pro?\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>The Problem with Basic JWT Plugins:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Long-lived tokens (24h+) = Higher security risk\u003Cbr \u002F>\n* No refresh mechanism = Tokens live until expiry\u003Cbr \u002F>\n* XSS vulnerable = Tokens stored in localStorage\u003Cbr \u002F>\n* No revocation = Can’t invalidate compromised tokens\u003C\u002Fp>\n\u003Cp>\u003Cstrong>JWT Auth Pro Solution:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Short-lived access tokens (1h default) = Minimal attack window\u003Cbr \u002F>\n* Secure refresh tokens = HTTP-only cookies, XSS protected\u003Cbr \u002F>\n* Automatic token rotation = Fresh tokens on each refresh\u003Cbr \u002F>\n* Complete session control = Revoke any user session instantly\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Simple JWT Authentication\u003C\u002Fstrong> – Clean, stateless token-based auth\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Refresh Tokens\u003C\u002Fstrong> – Secure refresh tokens in HTTP-only cookies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Automatic refresh token rotation for enhanced security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CORS Support\u003C\u002Fstrong> – Proper cross-origin request handling\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean Admin Interface\u003C\u002Fstrong> – Simple configuration in WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong> – Clear endpoints and documentation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Comparison\u003C\u002Fh4>\n\u003Cp> Feature\u003Cbr \u002F>\n Basic JWT Plugins\u003Cbr \u002F>\n JWT Auth Pro\u003C\u002Fp>\n\u003Cp> Token Lifetime\u003Cbr \u002F>\n Long (hours\u002Fdays)\u003Cbr \u002F>\n Short (1 hour)\u003C\u002Fp>\n\u003Cp> Refresh Tokens\u003Cbr \u002F>\n None\u003Cbr \u002F>\n Secure HTTP-only\u003C\u002Fp>\n\u003Cp> XSS Protection\u003Cbr \u002F>\n Limited\u003Cbr \u002F>\n HTTP-only cookies\u003C\u002Fp>\n\u003Cp> Token Revocation\u003Cbr \u002F>\n Manual only\u003Cbr \u002F>\n Automatic rotation\u003C\u002Fp>\n\u003Cp> Session Management\u003Cbr \u002F>\n None\u003Cbr \u002F>\n Database tracking\u003C\u002Fp>\n\u003Cp> Security Metadata\u003Cbr \u002F>\n None\u003Cbr \u002F>\n IP + User Agent\u003C\u002Fp>\n\u003Ch4>Perfect for:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Single Page Applications (React, Vue, Angular)\u003C\u002Fli>\n\u003Cli>Mobile Applications (iOS, Android)\u003C\u002Fli>\n\u003Cli>API Integrations (Third-party services)\u003C\u002Fli>\n\u003Cli>Headless WordPress (Decoupled architecture)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>API Endpoints\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Ftoken\u003C\u002Fcode> – Login and get access token\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Frefresh\u003C\u002Fcode> – Refresh access token\u003C\u002Fli>\n\u003Cli>\u003Ccode>GET \u002Fwp-json\u002Fjwt\u002Fv1\u002Fverify\u003C\u002Fcode> – Verify token and get user info\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Flogout\u003C\u002Fcode> – Logout and revoke refresh token\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Stateless Authentication\u003C\u002Fstrong> – JWT tokens contain all necessary information\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Cookies\u003C\u002Fstrong> – Refresh tokens stored securely, inaccessible to JavaScript\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Refresh tokens automatically rotate on use\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Expiration\u003C\u002Fstrong> – Set custom expiration times\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & User Agent Tracking\u003C\u002Fstrong> – Additional security metadata\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support and documentation, visit: https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>This plugin stores user session data including IP addresses and user agent strings for security purposes. This data is used solely for authentication and security monitoring.\u003C\u002Fp>\n","Modern JWT authentication with refresh tokens - built for SPAs and mobile apps with enterprise-grade security.",124,"6.8.5","7.4",[21,22,24,114,128],"tokens","https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjuanma-jwt-auth-pro.1.2.1.zip","2026-03-15T10:48:56.248Z",{"slug":133,"name":134,"version":135,"author":136,"author_profile":137,"description":138,"short_description":139,"active_installs":28,"downloaded":140,"rating":28,"num_ratings":28,"last_updated":141,"tested_up_to":142,"requires_at_least":143,"requires_php":126,"tags":144,"homepage":147,"download_link":148,"security_score":51,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"simple-jwt-auth","Simple JWT Auth","1.0.2","Sayan Dey","https:\u002F\u002Fprofiles.wordpress.org\u002Fsayandey18\u002F","\u003Cp>Extends the WordPress REST API using JSON Web Tokens for robust authentication and authorization.\u003C\u002Fp>\n\u003Cp>JSON Web Token (JWT) is an open standard (\u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa>) that defines a compact and self-contained way for securely transmitting information between two parties.\u003C\u002Fp>\n\u003Cp>It provides a secure and reliable way to access and manage WordPress data from external applications, making it ideal for building headless CMS solutions.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support & question: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fsimple-jwt-auth\u002F\" rel=\"ugc\">WordPress support forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Reporting plugin’s bug: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub issues tracker\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Plugins GitHub Repo\u003C\u002Fstrong> https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u003C\u002Fp>\n\u003Ch3>Enable PHP HTTP Authorization Header\u003C\u002Fh3>\n\u003Cp>HTTP Authorization is a mechanism that allows clients to provide credentials to servers, thereby gaining access to protected resources. This is typically achieved by sending a special header, the Authorization header, in the HTTP request.\u003C\u002Fp>\n\u003Ch4>Shared Hosts\u003C\u002Fh4>\n\u003Cp>Most shared hosts have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPEngine\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your .htaccess file adding the follow:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Cp>Simple JWT Auth plugin needs a \u003Cstrong>Signing Key\u003C\u002Fstrong> to encrypt and decrypt the \u003Cstrong>secret key\u003C\u002Fstrong>, \u003Cstrong>private key\u003C\u002Fstrong>, and \u003Cstrong>public key\u003C\u002Fstrong>. This signing key must be exact 32 charecter long and never be revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>signing key\u003C\u002Fstrong> edit your \u003Ccode>wp-config.php\u003C\u002Fcode> file and add a new constant called \u003Cstrong>SIMPLE_JWT_AUTH_ENCRYPT_KEY\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'SIMPLE_JWT_AUTH_ENCRYPT_KEY', 'your-32-char-signing-key' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Generate a 32 charecter key from here: \u003Ca href=\"https:\u002F\u002Fstring-gen.netlify.app\" rel=\"nofollow ugc\">https:\u002F\u002Fstring-gen.netlify.app\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Here is the sample response if the encryption key is not configured in wp-config.php file.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_bad_encryption_key\",\n \"message\": \"Encryption key is not configured properly.\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fauth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken | POST\n*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate | POST\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Requesting\u002FGenerating Token\u003C\u002Fh3>\n\u003Cp>To generate a new token, submit a POST request to this endpoint. With \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters.\u003C\u002Fp>\n\u003Cp>It will validates the user credentials, and returns success response including a token if the authentication is correct or returns an error response if the authentication is failed.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken' \\\n--header 'Content-Type: application\u002Fjson' \\\n--data-raw '{\n \"username\": \"wordpress_username\",\n \"password\": \"wordpress_password\"\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_auth_credential\",\n \"message\": \"Token created successfully\",\n \"data\": {\n \"status\": 200,\n \"id\": \"2\",\n \"email\": \"sayandey@outlook.com\",\n \"nicename\": \"sayan_dey\",\n \"display_name\": \"Sayan Dey\",\n \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciO.........\"\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of error response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_invalid_username\",\n \"message\": \"Error: The username admin_user is not registered on this site. If you are unsure of your username, try your email address instead.\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you can store it somewhere in your application:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>using \u003Cstrong>Cookie\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using \u003Cstrong>localstorage\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using a wrapper like \u003Ca href=\"https:\u002F\u002Flocalforage.github.io\u002FlocalForage\u002F\" rel=\"nofollow ugc\">localForage\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fpouchdb.com\u002F\" rel=\"nofollow ugc\">PouchDB\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>or using local database like SQLite\u003C\u002Fli>\n\u003Cli>or your choice based on app you develop\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Then you should pass this token as \u003Cem>Bearer Authentication\u003C\u002Fem> header to every API call.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer your-generated-token\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Here is an example to create WordPress post using JWT token authentication.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts' \\\n--header 'Content-Type: application\u002Fjson' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........' \\\n--data '{\n \"title\": \"Dummy post through API\",\n \"content\": \"Lorem Ipsum is simply dummy text of the printing and typesetting industry.\",\n \"status\": \"publish\",\n \"tags\": [\n 4,\n 5,\n 6\n ]\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Plugin’s middleware intercepts every request to the server, checking for the presence of the \u003Cstrong>Authorization\u003C\u002Fstrong> header. If the header is found, it attempts to decode the JWT token contained within.\u003C\u002Fp>\n\u003Cp>Upon successful decoding, the middleware extracts the user information stored in the token and authenticates the user accordingly, ensuring that only authorized requests are processed.\u003C\u002Fp>\n\u003Ch3>Validating Token\u003C\u002Fh3>\n\u003Cp>This is a helper endpoint to validate a token. You only will need to make a \u003Cstrong>POST\u003C\u002Fstrong> request sending the Bearer Authorization header.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location --request POST 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_valid_token\",\n \"message\": \"Token is valid\",\n \"data\": {\n \"status\": 200\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Errors\u003C\u002Fh3>\n\u003Cp>If the token is invalid an error will be returned, here are some samples of errors.\u003C\u002Fp>\n\u003Ch4>Invalid Username\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_invalid_username\",\n \"message\": \"Error: The username admin is not registered on this site. If you are unsure of your username, try your email address instead.\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Password\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_incorrect_password\",\n \"message\": \"Error: The password you entered for the username tiyasha_das is incorrect. Lost your password?\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Signature\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_invalid_token\",\n \"message\": \"Signature verification failed\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_invalid_token\",\n \"message\": \"Syntax error, malformed JSON\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_invalid_token\",\n \"message\": \"Expired token\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>No Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_no_auth_header\",\n \"message\": \"Authorization header not found\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_bad_auth_header\",\n \"message\": \"Authorization header malformed\",\n \"data\": {\n \"status\": 400\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Wrong Algorithm Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_invalid_token\",\n \"message\": \"Incorrect key for this algorithm\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Unsupported Algorithm\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_unsupported_algorithm\",\n \"message\": \"Unsupported algorithm see https:\u002F\u002Ftinyurl.com\u002Fuf4ns6fm\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Configuration\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_bad_config\",\n \"message\": \"JWT is not configured properly, please contact the admin\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Encryption Key\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_bad_encryption_key\",\n \"message\": \"Encryption key is not configured properly.\",\n \"data\": {\n \"status\": 403\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Encryption Key Length\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n \"code\": \"simplejwt_invalid_enckey_length\",\n \"message\": \"Encryption key must be exactly 32 characters long\",\n \"data\": {\n \"status\": 400\n }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Available Hooks\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Simple JWT Auth\u003C\u002Fstrong> is a developer-friendly plugin. It has various filter hooks available to override the default settings.\u003C\u002Fp>\n\u003Ch4>simplejwt_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_cors_allow_headers\u003C\u002Fcode> allows you to modify the available headers when the Cross-Origin Resource Sharing (CORS) support is enabled.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the allowed CORS headers.\n *\n * @param string $headers The allowed headers.\n * @return string The allowed headers.\n *\u002F\nadd_filter(\"simplejwt_cors_allow_headers\", function ($headers) {\n \u002F\u002F Modify the headers here.\n return $headers;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_iss\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_iss\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7519#section-4.1.1\" rel=\"nofollow ugc\">\u003Cstrong>iss\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>get_bloginfo( 'url' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token issuer.\n *\n * @param string $iss The token issuer.\n * @return string The token issuer.\n *\u002F\nadd_filter(\"simplejwt_auth_iss\", function ($iss) {\n \u002F\u002F Modify the \"iss\" here.\n return $iss;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_not_before\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's nbf value.\n *\n * @param int $not_before The default \"nbf\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n * @return int The \"nbf\" value.\n *\u002F\nadd_filter(\n \"simplejwt_not_before\",\n function ($not_before, $issued_at) {\n \u002F\u002F Modify the \"not_before\" here.\n return $not_before;\n },\n 10,\n 2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_expire\u003C\u002Fcode> allows you to change the value \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + ( DAY_IN_SECONDS * 7 )\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's expire value.\n *\n * @param int $expire The default \"exp\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n * @return int The \"nbf\" value.\n *\u002F\nadd_filter(\n \"simplejwt_auth_expire\",\n function ($expire, $issued_at) {\n \u002F\u002F Modify the \"expire\" here.\n return $expire;\n },\n 10,\n 2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_payload_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_payload_before_sign\u003C\u002Fcode> allows you to modify all the payload data before being encoded and signed.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$payload = [\n \"iss\" => $this->simplejwt_get_iss(),\n \"iat\" => $issued_at,\n \"nbf\" => $not_before,\n \"exp\" => $expire,\n \"data\" => [\n \"user\" => [\n \"id\" => $user->data->ID,\n ],\n ],\n];\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the payload data before being encoded & signed.\n *\n * @param array $payload The default payload\n * @param WP_User $user The authenticated user.\n * @return array The payloads data.\n *\u002F\nadd_filter(\n \"simplejwt_payload_before_sign\",\n function ($payload, $user) {\n \u002F\u002F Modify the payload here.\n return $payload;\n },\n 10,\n 2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_token_before_dispatch\u003C\u002Fcode> allows you to modify the token response before to dispatch it to the client.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = new WP_REST_Response(\n [\n \"code\" => \"simplejwt_auth_credential\",\n \"message\" => JWTNotice::get_notice(\"auth_credential\"),\n \"data\" => [\n \"status\" => 200,\n \"id\" => $user->data->ID,\n \"email\" => $user->data->user_email,\n \"nicename\" => $user->data->user_nicename,\n \"display_name\" => $user->data->display_name,\n \"token\" => $token,\n ],\n ],\n 200,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the JWT response before dispatch.\n *\n * @param WP_REST_Response $data The token response data.\n * @param WP_User $user The user object for whom the token is being generated.\n * @return WP_REST_Response Modified token response data.\n *\u002F\nadd_filter(\n \"simplejwt_token_before_dispatch\",\n function ($data, $user) {\n \u002F\u002F Modify the response data.\n if ($user instanceof WP_User) {\n }\n return $data;\n },\n 10,\n 2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002F\" rel=\"nofollow ugc\">WordPress REST API\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffirebase\u002Fphp-jwt\" rel=\"nofollow ugc\">php-jwt by Firebase\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens for robust authentication, providing a secure and reliable way to access and manage WordPress data.",750,"2024-11-17T13:30:00.000Z","6.7.5","5.2",[21,145,22,146,24],"json-web-token","jwt-auth","https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-auth.1.0.2.zip",{"attackSurface":150,"codeSignals":209,"taintFlows":220,"riskAssessment":256,"analyzedAt":270},{"hooks":151,"ajaxHandlers":192,"restRoutes":193,"shortcodes":207,"cronEvents":208,"entryPointCount":98,"unprotectedCount":98},[152,158,162,167,171,175,179,184,188],{"type":153,"name":154,"callback":155,"file":156,"line":157},"filter","determine_current_user","determine_current_user_filter","api-bearer-auth.php",46,{"type":153,"name":159,"callback":160,"file":156,"line":161},"rest_authentication_errors","rest_authentication_errors_filter",47,{"type":163,"name":164,"callback":165,"file":156,"line":166},"action","rest_api_init","rest_api_init_action",48,{"type":163,"name":168,"callback":169,"file":156,"line":170},"deleted_user","deleted_user_action",49,{"type":163,"name":172,"callback":173,"file":156,"line":174},"plugins_loaded","admin_plugins_loaded_action",52,{"type":153,"name":176,"callback":177,"file":156,"line":178},"manage_users_columns","manage_users_columns_filter",54,{"type":153,"name":180,"callback":181,"priority":182,"file":156,"line":183},"manage_users_custom_column","manage_users_custom_column_filter",10,55,{"type":153,"name":185,"callback":186,"file":156,"line":187},"bulk_actions-users","bulk_actions_edit_users_filter",56,{"type":153,"name":189,"callback":190,"priority":182,"file":156,"line":191},"handle_bulk_actions-users","handle_bulk_actions_users",57,[],[194,202],{"namespace":195,"route":196,"methods":197,"callback":199,"permissionCallback":200,"file":156,"line":201},"api-bearer-auth\u002Fv1","\u002Flogin",[198],"POST","callback_login","__return_true",239,{"namespace":195,"route":203,"methods":204,"callback":205,"permissionCallback":200,"file":156,"line":206},"\u002Ftokens\u002Frefresh",[198],"callback_refresh_token",253,[],[],{"dangerousFunctions":210,"sqlUsage":211,"outputEscaping":217,"fileOperations":28,"externalRequests":28,"nonceChecks":28,"capabilityChecks":28,"bundledLibraries":219},[],{"prepared":212,"raw":27,"locations":213},11,[214],{"file":156,"line":215,"context":216},126,"$wpdb->query() with variable interpolation",{"escaped":28,"rawEcho":28,"locations":218},[],[],[221,246],{"entryPoint":222,"graph":223,"unsanitizedCount":27,"severity":245},"determine_current_user_filter (api-bearer-auth.php:134)",{"nodes":224,"edges":241},[225,230,234],{"id":226,"type":227,"label":228,"file":156,"line":229},"n0","source","$_SERVER",162,{"id":231,"type":232,"label":233,"file":156,"line":229},"n1","transform","→ get_user_id_from_access_token()",{"id":235,"type":236,"label":237,"file":238,"line":239,"wp_function":240},"n2","sink","get_var() [SQLi]","db.php",19,"get_var",[242,244],{"from":226,"to":231,"sanitized":243},false,{"from":231,"to":235,"sanitized":243},"high",{"entryPoint":247,"graph":248,"unsanitizedCount":27,"severity":245},"\u003Capi-bearer-auth> (api-bearer-auth.php:0)",{"nodes":249,"edges":253},[250,251,252],{"id":226,"type":227,"label":228,"file":156,"line":229},{"id":231,"type":232,"label":233,"file":156,"line":229},{"id":235,"type":236,"label":237,"file":238,"line":239,"wp_function":240},[254,255],{"from":226,"to":231,"sanitized":243},{"from":231,"to":235,"sanitized":243},{"summary":257,"deductions":258},"The \"api-bearer-auth\" v20200916 plugin exhibits a concerning security posture despite some positive indicators. While it avoids dangerous functions, file operations, and external HTTP requests, and demonstrates good practices with prepared SQL statements and output escaping, the critical findings in the static analysis are significant. The presence of two unprotected REST API routes creates a substantial attack surface, and the taint analysis revealing two flows with unsanitized paths in REST API routes, classified as high severity, directly points to potential vulnerabilities such as Cross-Site Scripting (XSS) or other injection attacks if not properly handled by the application consuming the API.\n\nThe vulnerability history shows one known medium severity CVE related to XSS, which aligns with the taint analysis findings. The fact that this vulnerability is currently patched is a positive sign, but the pattern of past XSS issues highlights a recurring weakness. The complete lack of nonce and capability checks on the identified entry points is a major oversight. In conclusion, while the plugin demonstrates good practices in certain areas, the unprotected REST API routes, unsanitized taint flows, and past XSS vulnerabilities present a significant risk that requires immediate attention and remediation.",[259,261,263,266,268],{"reason":260,"points":182},"REST API routes without permission callbacks",{"reason":262,"points":182},"Taint flows with unsanitized paths (high severity)",{"reason":264,"points":265},"No nonce checks on entry points",5,{"reason":267,"points":265},"No capability checks on entry points",{"reason":269,"points":182},"Known medium severity CVE (historical)","2026-03-16T20:06:10.279Z",{"wat":272,"direct":281},{"assetPaths":273,"generatorPatterns":276,"scriptPaths":277,"versionParams":278},[274,275],"\u002Fwp-content\u002Fplugins\u002Fapi-bearer-auth\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fapi-bearer-auth\u002Fjs\u002Fscript.js",[],[275],[279,280],"api-bearer-auth\u002Fcss\u002Fstyle.css?ver=","api-bearer-auth\u002Fjs\u002Fscript.js?ver=",{"cssClasses":282,"htmlComments":283,"htmlAttributes":286,"restEndpoints":287,"jsGlobals":290,"shortcodeOutput":291},[],[284,285],"\u003C!-- Make sure to add the lines below to .htaccess\n otherwise Apache may strip out the auth header.\n RewriteCond %{HTTP:Authorization} ^(.*)\n RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1] -->","\u003C!-- Filter: api_bearer_auth_unauthenticated_urls\n Add URLs that should be avialble to unauthenticated users.\n Specify only the part after the site url, e.g. \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\n Each URL will be prepended by the value of get_site_url()\n And each resulting URL will be put in between ^ and $ regular expression signs. -->",[],[288,289],"\u002Fwp-json\u002Fapi-bearer-auth\u002Fv1\u002Flogin\u002F?","\u002Fwp-json\u002Fapi-bearer-auth\u002Fv1\u002Ftokens\u002Frefresh\u002F?",[],[]]