[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6dUcLgZDhvI_CxqxQbuD1CvyrYsmcy0ofViQK5aTAto":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":38,"analysis":136,"fingerprints":165},"disable-rest-api-and-require-jwt-oauth-authentication","Disable REST API and Require JWT \u002F OAuth Authentication","1.0","Benjamin Intal","https:\u002F\u002Fprofiles.wordpress.org\u002Fbfintal\u002F","\u003Cp>\u003Cstrong>When you activate this plugin, all REST API endpoints will be disabled for non-authorized requests.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Best used with any of these plugins:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F\" rel=\"ugc\">JWT Authentication for WP REST API\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Foauth2-provider\u002F\" rel=\"ugc\">WP OAuth Server\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Blocks \u003Cem>ALL\u003C\u002Fem> REST API endpoints except for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fli>\n\u003Cli>\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fli>\n\u003Cli>\u002Foauth\u002Fauthorize\u003C\u002Fli>\n\u003Cli>\u002Foauth\u002Ftoken\u003C\u002Fli>\n\u003Cli>\u002Foauth\u002Fme\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Allows all REST API endpoints if they come with a valid \u003Cstrong>Bearer Token Authentication\u003C\u002Fstrong> (authentication via GET URL variables are still blocked)\u003C\u002Fp>\n\u003Cp>When used alone in your site, your REST API will essentially be disabled.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Note that this plugin itself doesn’t provide JWT or OAuth authentication, it only whitelists them.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>No settings page\u003C\u002Fli>\n\u003Cli>You can whitelist other REST API endpoint via a filter hook (see FAQs below)\u003C\u002Fli>\n\u003Cli>Blocks all REST API endpoints.. but\u003C\u002Fli>\n\u003Cli>Allows requests with Bearer Token Authentication.. and\u003C\u002Fli>\n\u003Cli>Allows \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F\" rel=\"ugc\">JWT Authentication for WP REST API\u003C\u002Fa> & \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Foauth2-provider\u002F\" rel=\"ugc\">WP OAuth Server\u003C\u002Fa> authentication endpoints\u003C\u002Fli>\n\u003C\u002Ful>\n","Disables all REST API endpoints and requires JWT or OAuth Authentication.",60,9936,0,"2017-09-26T09:57:00.000Z","4.8.28","4.4","5.2",[19,20,21,22,23],"api","json","rest","rest-api","web","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdisable-rest-api-and-require-jwt-oauth-authentication\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-rest-api-and-require-jwt-oauth-authentication.1.0.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"bfintal",10,110410,89,21,86,"2026-04-04T05:32:51.399Z",[39,63,79,98,118],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":50,"last_updated":51,"tested_up_to":52,"requires_at_least":53,"requires_php":54,"tags":55,"homepage":60,"download_link":61,"security_score":62,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) {\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    $secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.",60000,893830,88,53,"2026-02-18T00:58:00.000Z","6.9.4","4.2","7.4.0",[56,57,58,22,59],"json-web-authentication","jwt","oauth","wp-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",100,{"slug":64,"name":65,"version":6,"author":66,"author_profile":67,"description":68,"short_description":69,"active_installs":32,"downloaded":70,"rating":13,"num_ratings":13,"last_updated":71,"tested_up_to":15,"requires_at_least":16,"requires_php":71,"tags":72,"homepage":76,"download_link":77,"security_score":62,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":78},"json-rest-api-subscriptions","JSON REST API Subscriptions","Taylor Lovett","https:\u002F\u002Fprofiles.wordpress.org\u002Ftlovett1\u002F","\u003Cp>If you are publishing content and have users\u002Fwebsites digesting your content, you may have been faced with the problem: how do I get updates to users immediately? In the past users\u002Fwebsites have subscribed to feeds or used techniques like “polling” to constantly ping your site for new content. Both these techniques are cumbersome and old fashioned. JSON REST API Subscriptions creates new API endpoints to allow people to subscribe to new content, content updates, and content deletes across general post types as well as single pieces of content.\u003C\u002Fp>\n\u003Cp>Requires \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Frest-api\u002F\" rel=\"ugc\">JSON REST API 2.0beta12+\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>For details on the plugin and extended usage\u002Finstallation documentation, please visit \u003Ca href=\"http:\u002F\u002Fgithub.com\u002Ftlovett1\u002Fjson-rest-api-subscriptions\" rel=\"nofollow ugc\">Github\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Configuring and Using the Plugin\u003C\u002Fh3>\n\u003Cp>Please refer to \u003Ca href=\"http:\u002F\u002Fgithub.com\u002Ftlovett1\u002Fjson-rest-api-subscriptions\" rel=\"nofollow ugc\">Github\u003C\u002Fa> for detailed configuration instructions.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For full documentation, questions, feature requests, and support concerning JSON REST API Subscriptions, please refer to \u003Ca href=\"http:\u002F\u002Fgithub.com\u002Ftlovett1\u002Fjson-rest-api-subscriptions\" rel=\"nofollow ugc\">Github\u003C\u002Fa>.\u003C\u002Fp>\n","Enable subscriptions to posts, pages, and custom post types. Users can securely subscribe via simple API routes to created\u002Fupdated\u002Fdeleted content.",2671,"",[73,74,22,75,59],"api-webhooks","json-rest-api","webhooks","http:\u002F\u002Fwww.taylorlovett.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjson-rest-api-subscriptions.zip","2026-03-15T10:48:56.248Z",{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":13,"downloaded":87,"rating":13,"num_ratings":13,"last_updated":88,"tested_up_to":89,"requires_at_least":17,"requires_php":90,"tags":91,"homepage":95,"download_link":96,"security_score":97,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"simple-jwt-auth","Simple JWT Auth","1.0.2","Sayan Dey","https:\u002F\u002Fprofiles.wordpress.org\u002Fsayandey18\u002F","\u003Cp>Extends the WordPress REST API using JSON Web Tokens for robust authentication and authorization.\u003C\u002Fp>\n\u003Cp>JSON Web Token (JWT) is an open standard (\u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa>) that defines a compact and self-contained way for securely transmitting information between two parties.\u003C\u002Fp>\n\u003Cp>It provides a secure and reliable way to access and manage WordPress data from external applications, making it ideal for building headless CMS solutions.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support & question: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fsimple-jwt-auth\u002F\" rel=\"ugc\">WordPress support forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Reporting plugin’s bug: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub issues tracker\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Plugins GitHub Repo\u003C\u002Fstrong> https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u003C\u002Fp>\n\u003Ch3>Enable PHP HTTP Authorization Header\u003C\u002Fh3>\n\u003Cp>HTTP Authorization is a mechanism that allows clients to provide credentials to servers, thereby gaining access to protected resources. This is typically achieved by sending a special header, the Authorization header, in the HTTP request.\u003C\u002Fp>\n\u003Ch4>Shared Hosts\u003C\u002Fh4>\n\u003Cp>Most shared hosts have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPEngine\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your .htaccess file adding the follow:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Cp>Simple JWT Auth plugin needs a \u003Cstrong>Signing Key\u003C\u002Fstrong> to encrypt and decrypt the \u003Cstrong>secret key\u003C\u002Fstrong>, \u003Cstrong>private key\u003C\u002Fstrong>, and \u003Cstrong>public key\u003C\u002Fstrong>. This signing key must be exact 32 charecter long and never be revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>signing key\u003C\u002Fstrong> edit your \u003Ccode>wp-config.php\u003C\u002Fcode> file and add a new constant called \u003Cstrong>SIMPLE_JWT_AUTH_ENCRYPT_KEY\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'SIMPLE_JWT_AUTH_ENCRYPT_KEY', 'your-32-char-signing-key' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Generate a 32 charecter key from here: \u003Ca href=\"https:\u002F\u002Fstring-gen.netlify.app\" rel=\"nofollow ugc\">https:\u002F\u002Fstring-gen.netlify.app\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Here is the sample response if the encryption key is not configured in wp-config.php file.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_encryption_key\",\n    \"message\": \"Encryption key is not configured properly.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fauth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken          | POST\n*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate | POST\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Requesting\u002FGenerating Token\u003C\u002Fh3>\n\u003Cp>To generate a new token, submit a POST request to this endpoint. With \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters.\u003C\u002Fp>\n\u003Cp>It will validates the user credentials, and returns success response including a token if the authentication is correct or returns an error response if the authentication is failed.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken' \\\n--header 'Content-Type: application\u002Fjson' \\\n--data-raw '{\n    \"username\": \"wordpress_username\",\n    \"password\": \"wordpress_password\"\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_auth_credential\",\n    \"message\": \"Token created successfully\",\n    \"data\": {\n        \"status\": 200,\n        \"id\": \"2\",\n        \"email\": \"sayandey@outlook.com\",\n        \"nicename\": \"sayan_dey\",\n        \"display_name\": \"Sayan Dey\",\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciO.........\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of error response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_username\",\n    \"message\": \"Error: The username admin_user is not registered on this site. If you are unsure of your username, try your email address instead.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you can store it somewhere in your application:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>using \u003Cstrong>Cookie\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using \u003Cstrong>localstorage\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using a wrapper like \u003Ca href=\"https:\u002F\u002Flocalforage.github.io\u002FlocalForage\u002F\" rel=\"nofollow ugc\">localForage\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fpouchdb.com\u002F\" rel=\"nofollow ugc\">PouchDB\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>or using local database like SQLite\u003C\u002Fli>\n\u003Cli>or your choice based on app you develop\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Then you should pass this token as \u003Cem>Bearer Authentication\u003C\u002Fem> header to every API call.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer your-generated-token\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Here is an example to create WordPress post using JWT token authentication.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts' \\\n--header 'Content-Type: application\u002Fjson' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........' \\\n--data '{\n    \"title\": \"Dummy post through API\",\n    \"content\": \"Lorem Ipsum is simply dummy text of the printing and typesetting industry.\",\n    \"status\": \"publish\",\n    \"tags\": [\n        4,\n        5,\n        6\n    ]\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Plugin’s middleware intercepts every request to the server, checking for the presence of the \u003Cstrong>Authorization\u003C\u002Fstrong> header. If the header is found, it attempts to decode the JWT token contained within.\u003C\u002Fp>\n\u003Cp>Upon successful decoding, the middleware extracts the user information stored in the token and authenticates the user accordingly, ensuring that only authorized requests are processed.\u003C\u002Fp>\n\u003Ch3>Validating Token\u003C\u002Fh3>\n\u003Cp>This is a helper endpoint to validate a token. You only will need to make a \u003Cstrong>POST\u003C\u002Fstrong> request sending the Bearer Authorization header.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location --request POST 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_valid_token\",\n    \"message\": \"Token is valid\",\n    \"data\": {\n        \"status\": 200\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Errors\u003C\u002Fh3>\n\u003Cp>If the token is invalid an error will be returned, here are some samples of errors.\u003C\u002Fp>\n\u003Ch4>Invalid Username\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_username\",\n    \"message\": \"Error: The username admin is not registered on this site. If you are unsure of your username, try your email address instead.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Password\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_incorrect_password\",\n    \"message\": \"Error: The password you entered for the username tiyasha_das is incorrect. Lost your password?\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Signature\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Syntax error, malformed JSON\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>No Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_no_auth_header\",\n    \"message\": \"Authorization header not found\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_auth_header\",\n    \"message\": \"Authorization header malformed\",\n    \"data\": {\n        \"status\": 400\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Wrong Algorithm Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Incorrect key for this algorithm\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Unsupported Algorithm\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_unsupported_algorithm\",\n    \"message\": \"Unsupported algorithm see https:\u002F\u002Ftinyurl.com\u002Fuf4ns6fm\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Configuration\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_config\",\n    \"message\": \"JWT is not configured properly, please contact the admin\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Encryption Key\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_encryption_key\",\n    \"message\": \"Encryption key is not configured properly.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Encryption Key Length\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_enckey_length\",\n    \"message\": \"Encryption key must be exactly 32 characters long\",\n    \"data\": {\n        \"status\": 400\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Available Hooks\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Simple JWT Auth\u003C\u002Fstrong> is a developer-friendly plugin. It has various filter hooks available to override the default settings.\u003C\u002Fp>\n\u003Ch4>simplejwt_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_cors_allow_headers\u003C\u002Fcode> allows you to modify the available headers when the Cross-Origin Resource Sharing (CORS) support is enabled.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the allowed CORS headers.\n *\n * @param   string $headers The allowed headers.\n * @return  string The allowed headers.\n *\u002F\nadd_filter(\"simplejwt_cors_allow_headers\", function ($headers) {\n    \u002F\u002F Modify the headers here.\n    return $headers;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_iss\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_iss\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7519#section-4.1.1\" rel=\"nofollow ugc\">\u003Cstrong>iss\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>get_bloginfo( 'url' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token issuer.\n *\n * @param   string $iss The token issuer.\n * @return  string The token issuer.\n *\u002F\nadd_filter(\"simplejwt_auth_iss\", function ($iss) {\n    \u002F\u002F Modify the \"iss\" here.\n    return $iss;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_not_before\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's nbf value.\n *\n * @param   int $not_before The default \"nbf\" value in timestamp.\n * @param   int $issued_at The \"iat\" value in timestamp.\n * @return  int The \"nbf\" value.\n *\u002F\nadd_filter(\n    \"simplejwt_not_before\",\n    function ($not_before, $issued_at) {\n        \u002F\u002F Modify the \"not_before\" here.\n        return $not_before;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_expire\u003C\u002Fcode> allows you to change the value \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + ( DAY_IN_SECONDS * 7 )\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's expire value.\n *\n * @param   int $expire The default \"exp\" value in timestamp.\n * @param   int $issued_at The \"iat\" value in timestamp.\n * @return  int The \"nbf\" value.\n *\u002F\nadd_filter(\n    \"simplejwt_auth_expire\",\n    function ($expire, $issued_at) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_payload_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_payload_before_sign\u003C\u002Fcode> allows you to modify all the payload data before being encoded and signed.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$payload = [\n    \"iss\" => $this->simplejwt_get_iss(),\n    \"iat\" => $issued_at,\n    \"nbf\" => $not_before,\n    \"exp\" => $expire,\n    \"data\" => [\n        \"user\" => [\n            \"id\" => $user->data->ID,\n        ],\n    ],\n];\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the payload data before being encoded & signed.\n *\n * @param   array $payload The default payload\n * @param   WP_User $user The authenticated user.\n * @return  array The payloads data.\n *\u002F\nadd_filter(\n    \"simplejwt_payload_before_sign\",\n    function ($payload, $user) {\n        \u002F\u002F Modify the payload here.\n        return $payload;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_token_before_dispatch\u003C\u002Fcode> allows you to modify the token response before to dispatch it to the client.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = new WP_REST_Response(\n    [\n        \"code\" => \"simplejwt_auth_credential\",\n        \"message\" => JWTNotice::get_notice(\"auth_credential\"),\n        \"data\" => [\n            \"status\" => 200,\n            \"id\" => $user->data->ID,\n            \"email\" => $user->data->user_email,\n            \"nicename\" => $user->data->user_nicename,\n            \"display_name\" => $user->data->display_name,\n            \"token\" => $token,\n        ],\n    ],\n    200,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the JWT response before dispatch.\n *\n * @param   WP_REST_Response $data The token response data.\n * @param   WP_User $user The user object for whom the token is being generated.\n * @return  WP_REST_Response Modified token response data.\n *\u002F\nadd_filter(\n    \"simplejwt_token_before_dispatch\",\n    function ($data, $user) {\n        \u002F\u002F Modify the response data.\n        if ($user instanceof WP_User) {\n        }\n        return $data;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002F\" rel=\"nofollow ugc\">WordPress REST API\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffirebase\u002Fphp-jwt\" rel=\"nofollow ugc\">php-jwt by Firebase\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens for robust authentication, providing a secure and reliable way to access and manage WordPress data.",750,"2024-11-17T13:30:00.000Z","6.7.5","7.4",[92,93,57,94,22],"authentication","json-web-token","jwt-auth","https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-auth.1.0.2.zip",92,{"slug":99,"name":100,"version":101,"author":102,"author_profile":103,"description":104,"short_description":105,"active_installs":106,"downloaded":107,"rating":108,"num_ratings":109,"last_updated":110,"tested_up_to":111,"requires_at_least":112,"requires_php":113,"tags":114,"homepage":116,"download_link":117,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"disable-json-api","Disable REST API","1.8","Dave McHale","https:\u002F\u002Fprofiles.wordpress.org\u002Fdmchale\u002F","\u003Cp>The most comprehensive plugin for controlling access to the WordPress REST API!\u003C\u002Fp>\n\u003Cp>Works as a “set it and forget it” install. Just upload and activate, and the entire REST API will be inaccessible to your general site visitors.\u003C\u002Fp>\n\u003Cp>But if you do need to grant access to some endpoints, you can do that too. Go to the Settings page and you can quickly whitelist individual endpoints (or entire branches of endpoints) in the REST API.\u003C\u002Fp>\n\u003Cp>You can even do this on a per-user-role basis, so your unauthenticated users have one set of rules while WooCommerce customers have another while Subscribers and Editors and Admins all have their own. NOTE: Out of the box, all defined user roles will still be granted full access to the REST API until you choose to manage those settings.\u003C\u002Fp>\n\u003Cp>For most versions of WordPress, this plugin will return an authentication error if a user is not allowed to access an endpoint. For legacy support, WordPress 4.4, 4.5, and 4.6 use the provided \u003Ccode>rest_enabled\u003C\u002Fcode> filter to disable the entire REST API.\u003C\u002Fp>\n","Disable the use of the REST API on your website to site users. Now with User Role support!",90000,753897,96,38,"2023-09-14T00:26:00.000Z","6.3.8","4.9","5.6",[115,19,20,21,22],"admin","http:\u002F\u002Fwww.binarytemplar.com\u002Fdisable-json-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-json-api.zip",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":126,"downloaded":127,"rating":108,"num_ratings":128,"last_updated":129,"tested_up_to":52,"requires_at_least":130,"requires_php":131,"tags":132,"homepage":134,"download_link":135,"security_score":62,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"disable-wp-rest-api","Disable WP REST API","2.6.7","Jeff Starr","https:\u002F\u002Fprofiles.wordpress.org\u002Fspecialk\u002F","\u003Cp>\u003Cstrong>Does one thing:\u003C\u002Fstrong> Completely disables the WordPress REST API for visitors who are not logged into WordPress. No configuration required.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Important:\u003C\u002Fstrong> This plugin completely disables the WP REST API for visitors who are NOT logged in to WordPress. So not recommended if your site needs the WP REST API for any non-logged users.\u003C\u002Fp>\n\u003Cp>👉 The fast, simple way to prevent abuse of your site’s REST\u002FJSON API\u003Cbr \u002F>\n👉 Protects your site’s REST data from all non-logged users and bots\u003Cbr \u002F>\n👉 Uses only 4KB of code, so super lightweight, fast, and effective\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Disable REST\u002FJSON for visitors (not logged in)\u003C\u002Fli>\n\u003Cli>Disables REST header in HTTP response for all users\u003C\u002Fli>\n\u003Cli>Disables REST links in HTML head for all users\u003C\u002Fli>\n\u003Cli>100% plug-and-play, set-it-and-forget solution\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>How does it work?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin completely disables the WP REST API \u003Cem>unless\u003C\u002Fem> the user is logged into WordPress.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>For logged-in users, WP REST API works normally\u003C\u002Fli>\n\u003Cli>For logged-out users, WP REST API is disabled\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>What happens if logged-out visitor makes a JSON\u002FREST request? They will get only a simple message:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>rest_login_required: REST API restricted to authenticated users.\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This message may customized via the filter hook, \u003Ccode>disable_wp_rest_api_error\u003C\u002Fcode>. Check out \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Fnot-entirely-for-non-techies\u002F#post-12014965\" rel=\"ugc\">this post\u003C\u002Fa> for an example of how to do it.\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way. If anything it \u003Cem>improves\u003C\u002Fem> user privacy, as it protects potentially sensitive information from being displayed\u002Faccessed via REST API.\u003C\u002Fp>\n\u003Cp>Disable WP REST API is developed and maintained by \u003Ca href=\"https:\u002F\u002Fx.com\u002Fperishable\" rel=\"nofollow ugc\">Jeff Starr\u003C\u002Fa>, 15-year \u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002F\" rel=\"nofollow ugc\">WordPress developer\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fbooks.perishablepress.com\u002F\" rel=\"nofollow ugc\">book author\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Support development of this plugin\u003C\u002Fh3>\n\u003Cp>I develop and maintain this free plugin with love for the WordPress community. To show support, you can \u003Ca href=\"https:\u002F\u002Fmonzillamedia.com\u002Fdonate.html\" rel=\"nofollow ugc\">make a donation\u003C\u002Fa> or purchase one of my books:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwp-tao.com\u002F\" rel=\"nofollow ugc\">The Tao of WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdigwp.com\u002F\" rel=\"nofollow ugc\">Digging into WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fhtaccessbook.com\u002F\" rel=\"nofollow ugc\">.htaccess made easy\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwp-tao.com\u002Fwordpress-themes-book\u002F\" rel=\"nofollow ugc\">WordPress Themes In Depth\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fbooks.perishablepress.com\u002Fdownloads\u002Fwizards-collection-sql-recipes-wordpress\u002F\" rel=\"nofollow ugc\">Wizard’s SQL Recipes for WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>And\u002For purchase one of my premium WordPress plugins:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002Fbbq-pro\u002F\" rel=\"nofollow ugc\">BBQ Pro\u003C\u002Fa> – Blazing fast WordPress firewall\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002Fblackhole-pro\u002F\" rel=\"nofollow ugc\">Blackhole Pro\u003C\u002Fa> – Automatically block bad bots\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002Fbanhammer-pro\u002F\" rel=\"nofollow ugc\">Banhammer Pro\u003C\u002Fa> – Monitor traffic and ban the bad guys\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002Fga-google-analytics-pro\u002F\" rel=\"nofollow ugc\">GA Google Analytics Pro\u003C\u002Fa> – Connect WordPress to Google Analytics\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002Fhead-meta-pro\u002F\" rel=\"nofollow ugc\">Head Meta Pro\u003C\u002Fa> – Ultimate Meta Tags for WordPress\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002Fsimple-ajax-chat-pro\u002F\" rel=\"nofollow ugc\">Simple Ajax Chat Pro\u003C\u002Fa> – Unlimited chat rooms\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugin-planet.com\u002Fusp-pro\u002F\" rel=\"nofollow ugc\">USP Pro\u003C\u002Fa> – Unlimited front-end forms\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Links, tweets and likes also appreciated. Thank you! 🙂\u003C\u002Fp>\n","Disables the WP REST API for visitors not logged into WordPress.",30000,365611,36,"2026-01-29T17:42:00.000Z","4.7","5.6.20",[19,133,20,21,22],"disable","https:\u002F\u002Fperishablepress.com\u002Fdisable-wp-rest-api\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-wp-rest-api.2.6.7.zip",{"attackSurface":137,"codeSignals":149,"taintFlows":156,"riskAssessment":157,"analyzedAt":164},{"hooks":138,"ajaxHandlers":145,"restRoutes":146,"shortcodes":147,"cronEvents":148,"entryPointCount":13,"unprotectedCount":13},[139],{"type":140,"name":141,"callback":142,"priority":32,"file":143,"line":144},"filter","rest_pre_dispatch","require_auth_for_all_endpoints","plugin.php",18,[],[],[],[],{"dangerousFunctions":150,"sqlUsage":151,"outputEscaping":153,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":155},[],{"prepared":13,"raw":13,"locations":152},[],{"escaped":13,"rawEcho":13,"locations":154},[],[],[],{"summary":158,"deductions":159},"The \"disable-rest-api-and-require-jwt-oauth-authentication\" plugin v1.0 demonstrates a strong security posture based on the provided static analysis.  The absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the plugin's attack surface.  Furthermore, the code analysis reveals no dangerous functions, file operations, or external HTTP requests, and all SQL queries are properly prepared.  The lack of any identified taint flows or outputting unescaped data further reinforces the impression of secure coding practices.\n\nThe plugin's vulnerability history is also clean, with no known CVEs. This indicates a mature and well-maintained codebase, or at least one that has not yet been targeted or discovered to have exploitable flaws.  The strength of this plugin lies in its minimal attack surface and adherence to fundamental security principles like prepared statements and output escaping, coupled with a clean vulnerability record.\n\nWhile the static analysis results are overwhelmingly positive, the most significant concern is the complete absence of nonce checks and capability checks.  For a plugin focused on authentication and security, these are fundamental security mechanisms that should ideally be present to protect against various attack vectors.  However, given the extremely limited attack surface reported (zero entry points), the immediate risk associated with these missing checks is currently mitigated.  The overall security is good, but the omission of standard security checks warrants attention for future development.",[160,162],{"reason":161,"points":32},"Missing nonce checks",{"reason":163,"points":32},"Missing capability checks","2026-03-16T21:46:53.028Z",{"wat":166,"direct":171},{"assetPaths":167,"generatorPatterns":168,"scriptPaths":169,"versionParams":170},[],[],[],[],{"cssClasses":172,"htmlComments":173,"htmlAttributes":174,"restEndpoints":175,"jsGlobals":181,"shortcodeOutput":182},[],[],[],[176,177,178,179,180],"\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate","\u002Fjwt-auth\u002Fv1\u002Ftoken","\u002Foauth\u002Fauthorize","\u002Foauth\u002Ftoken","\u002Foauth\u002Fme",[],[]]