[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsEEk2daw_8Cmy8t4TKUA_mGyEVteipoiNGldDJYfQYc":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":140,"fingerprints":230},"gs-jwt-auth-and-otp-varification","GS JWT Authentication for WP REST API","1.0.0","Gaurav Sharma","https:\u002F\u002Fprofiles.wordpress.org\u002Fgauravin213\u002F","\u003Cp>Extends the WP REST API using JSON Web Tokens as an authentication method.\u003Cbr \u002F>\nGS JWT plugin provides to encode and decode JSON Web Tokens (JWT), conforming to RFC 7519.\u003C\u002Fp>\n\u003Cp>GET OTP and send notification by mail or SMS service\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests please in Github:\u003C\u002Fstrong> https:\u002F\u002Fgithub.com\u002Fgauravin213\u002Fgs-jwt\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 5.3.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header enable\u003C\u002Fh3>\n\u003Cp>Most of the shared hosting has disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file adding the following\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file adding the 
following\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>CONFIGURATION\u003C\u002Fh4>\n\u003Cp>The JWT needs the following constants added to the wp-config.php file\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'GS_WP_JWT_SECRET_KEY', 'your-top-secret-key' );\ndefine( 'GS_WP_JWT_ALGO', 'HS256' );\ndefine( 'GS_WP_JWT_EXPIRY', (60 * 60) ); \u002F\u002F seconds * minutes\ndefine( 'GS_WP_OTP_EXPIRY', 10);  \u002F\u002F minutes\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fgs-jwt\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003C\u002Fp>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Flogin\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fget-otp\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fverify-otp\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fregister_user\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cem>\u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fregister_userbymobile\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Get JSON web token\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Request method:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>POST \u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Flogin\n\nBody{\n    \"username\": \"enter username\",\n    \"password\": \"enter password\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"id\": \"1\",\n        \"user_login\": \"admin\",\n        \"user_pass\": null,\n 
       \"user_nicename\": \"admin\",\n        \"user_email\": \"example@gmail.com\",\n        \"user_url\": \"\",\n        \"user_registered\": \"2020-08-11 07:35:37\",\n        \"user_activation_key\": \"\",\n        \"user_status\": \"0\",\n        \"display_name\": \"admin\",\n        \"roles\": [\n            \"administrator\"\n        ],\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC8xMjcuMC4wLjFcL3dvcmRwcmVzcyIsImlhdCI6MTY0MTk3MDIwNSwibmJmIjoxNjQxOTcwMjA1LCJleHAiOjE2NDE5NzM4MDUsImRhdGEiOnsidXNlciI6eyJpZCI6IjEifX19.gRF_aNsmhQ8kqXYdKbm6dIA7zTlhcCU-e_cpP9pQDyM\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Col>\n\u003Cli>Validate JSON web token\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Request method:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>POST \u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Ftoken\u002Fvalidate\n\nMake a POST request sending the Authorization header\nAuthorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC8xMjcuMC4wLjFcL3dvcmRwcmVzcyIsImlhdCI6MTY0MTk3MDIwNSwibmJmIjoxNjQxOTcwMjA1LCJleHAiOjE2NDE5NzM4MDUsImRhdGEiOnsidXNlciI6eyJpZCI6IjEifX19.gRF_aNsmhQ8kqXYdKbm6dIA7zTlhcCU-e_cpP9pQDyM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"jwt_auth_valid_token\",\n    \"data\": {\n        \"status\": 200\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Col>\n\u003Cli>Get OTP by billing mobile number\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Request method:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>POST \u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fget-otp\n\nBody{\n    \"mobile\": \"enter mobile number\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"otp\": 249225,\n        \"message\": \"SUCCESS\",\n        \"otp_use_staus\": \"0\",\n        \"notification\": {\n            \"mail_send_status\": 0,\n            \"sms_send_status\": 0\n        }\n    
}\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Col>\n\u003Cli>Verify OTP and mobile number to log in\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Request method:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>POST \u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fverify-otp\n\nBody{\n    \"otp\": \"enter otp\",\n    \"mobile\": \"enter mobile number\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"id\": \"1\",\n        \"user_login\": \"admin\",\n        \"user_pass\": null,\n        \"user_nicename\": \"admin\",\n        \"user_email\": \"example@gmail.com\",\n        \"user_url\": \"\",\n        \"user_registered\": \"2020-08-11 07:35:37\",\n        \"user_activation_key\": \"\",\n        \"user_status\": \"0\",\n        \"display_name\": \"admin\",\n        \"roles\": [\n            \"administrator\"\n        ],\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC8xMjcuMC4wLjFcL3dvcmRwcmVzcyIsImlhdCI6MTY0MTk3MDIwNSwibmJmIjoxNjQxOTcwMjA1LCJleHAiOjE2NDE5NzM4MDUsImRhdGEiOnsidXNlciI6eyJpZCI6IjEifX19.gRF_aNsmhQ8kqXYdKbm6dIA7zTlhcCU-e_cpP9pQDyM\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Col>\n\u003Cli>Register user\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Request method:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>POST \u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fregister_user\n\nBody{\n    \"username\": \"example\",\n    \"password\": \"example@123\",\n    \"email\": \"example@gmail.com\",\n    \"mobile\": \"1122336699\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"id\": 29,\n        \"user_login\": \"example\",\n        \"user_pass\": null,\n        \"user_nicename\": \"example\",\n        \"user_email\": \"example@gmail.com\",\n        \"user_url\": \"\",\n        \"user_registered\": \"2022-01-12 07:45:29\",\n        \"user_activation_key\": \"\",\n        \"user_status\": \"0\",\n        \"display_name\": 
\"example\",\n        \"roles\": [\n            \"customer\"\n        ],\n        \"billing_phone\": \"1122336699\"\n    },\n    \"code\": 200,\n    \"message\": \"Registration was Successful\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Col>\n\u003Cli>Register user by mobile number\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Request method:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>POST \u002Fwp-json\u002Fgs-jwt\u002Fv1\u002Fregister_userbymobile\n\nBody{\n    \"mobile\": \"1122336699\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"data\": {\n        \"id\": 32,\n        \"user_login\": \"1144556638\",\n        \"user_nicename\": \"1144556638\",\n        \"user_registered\": \"2022-01-13 06:29:30\",\n        \"display_name\": \"1144556638\",\n        \"roles\": [\n            \"customer\"\n        ],\n        \"billing_phone\": \"1144556638\"\n    },\n    \"code\": 200,\n    \"message\": \"Registration was Successful\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample: adding SMS and email notification\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>\u002F*\n* Send notification \n* Default mail_send_status = 0, sms_send_status = 0\n*\u002F\nfunction gs_wp_jwt_send_notification_fun( $data, $user_id, $otp, $mobile ) {\n\n  \u002F\u002FWrite mail send code here\n  $from = get_option('admin_email');\n  $to = get_user_meta($user_id, 'billing_email', true);\n  $subject = \"OTP Verification\";\n  $message = \"OTP number: {$otp} will expire in 10 min\";\n  $headers = \"From: \".$from;\n  $result = wp_mail( $to, $subject, $message, $headers);\n\n  if ($result) { \n\n    $data['mail_send_status'] = 1;\n\n  } \u002F\u002Fend mail send\n\n\n  \u002F\u002FWrite sms send api code here\n  \u002F*if ($sms_send_status) { \n\n    $data['sms_send_status'] = 1;\n\n  } \u002F\u002Fend sms send*\u002F\n\n  return $data;\n}\nadd_filter( 'gs_wp_jwt_send_notification', 'gs_wp_jwt_send_notification_fun', 10, 4 
);\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Extends the WP REST API using JSON Web Tokens as an authentication method.",10,1032,0,"2022-01-13T07:09:00.000Z","5.8.13","4.2","5.3.0",[19,20,21,22,23],"json-web-authentication","jwt","otp","wp-api","wp-json","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgs-jwt-auth-and-otp-varification.1.0.0.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"gauravin213",2,30,84,"2026-04-04T02:47:45.899Z",[37,54,74,97,118],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":24,"requires_php":24,"tags":51,"homepage":52,"download_link":53,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"custom-fields-for-jwt-authentication-for-wp-rest-api","User Data Fields For JWT Authentication","1.2.1","Ahmed Hnewa","https:\u002F\u002Fprofiles.wordpress.org\u002Fahmedriyadh\u002F","\u003Cp>WordPress is a good content mangement system for building websites, but it will be better if you build like mobile apps,\u003Cbr \u002F>\nWith the wordpress rest api you can create posts, edit posts, view posts, Users, Uploading Media etc…\u003Cbr \u002F>\nbut the problem with the wordpress rest api it does not provide any authentication methods for third party application like mobile apps\u003Cbr \u002F>\nThe Jwt Plugin on wordpress.org does provide that\u003C\u002Fp>\n\u003Cp>and this plugin is just a addon for that plugin\u003C\u002Fp>\n\u003Cp>So this plugin is useful if you don’t want to make another request to fetch user data like Id etc..\u003Cbr \u002F>\nbecause you have to get the id of the user in ordet to get all data\u003C\u002Fp>\n\u003Cp>It really simple 
plugin\u003Cbr \u002F>\nit writed with 50 lines of code, the size of the plugin is 3Kb\u003C\u002Fp>\n\u003Cp>Note: This Is Plugin For\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F\" rel=\"ugc\">JWT Authentication for WP REST API Plugin\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>so if the jwt authentication plugin is not installed\u003Cbr \u002F>\nthis plugin will not add the fields to it endpoints\u003C\u002Fp>\n\u003Cp>and the fields will be added only if the token is getted successfully\u003C\u002Fp>\n\u003Cp>Example request (before install the plugin):\u003Cbr \u002F>\n{\u003Cbr \u002F>\n    “token”: “eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC8xOTIuMTY4LjAuMTgyIiwiaWF0IjoxNjE0MDg3NDQ2LCJuYmYiOjE2MTQwODc0NDYsImV4cCI6MTYxNDY5MjI0NiwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.KeAUc7PiTne0_PThsSAWo1ruvl2Ocu-fbCn2jG7zkoE”,\u003Cbr \u002F>\n    “user_email”: “example@example.com”,\u003Cbr \u002F>\n    “user_nicename”: “admin”,\u003Cbr \u002F>\n    “user_display_name”: “admin”\u003Cbr \u002F>\n}\u003C\u002Fp>\n\u003Cp>Example response (after install the plugin):\u003Cbr \u002F>\n{\u003Cbr \u002F>\n    “token”: “eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC8xOTIuMTY4LjAuMTgyIiwiaWF0IjoxNjE0MDg2NjQyLCJuYmYiOjE2MTQwODY2NDIsImV4cCI6MTYxNDY5MTQ0MiwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.nyDOICdQcZKbWZo2kQRp_eLBkuxjnK_rpxs-HJREyCg”,\u003Cbr \u002F>\n    “user_email”: “example@example.com”,\u003Cbr \u002F>\n    “user_nicename”: “admin”,\u003Cbr \u002F>\n    “user_display_name”: “admin”,\u003Cbr \u002F>\n    “user_id”: 1,\u003Cbr \u002F>\n    “user_login”: “admin”,\u003Cbr \u002F>\n    “user_first_name”: “sfd”,\u003Cbr \u002F>\n    “user_last_name”: “”,\u003Cbr \u002F>\n    “user_roles”: [\u003Cbr \u002F>\n        “administrator”\u003Cbr \u002F>\n    ],\u003Cbr \u002F>\n    “user_role”: “administrator”,\u003Cbr \u002F>\n    “user_registered”: “2021-02-17 09:21:29”,\u003Cbr \u002F>\n    
“user_url”: “http:\u002F\u002Flocalhost”,\u003Cbr \u002F>\n    “user_status”: “0”,\u003Cbr \u002F>\n    “user_avatar_url”: “https:\u002F\u002Fsecure.gravatar.com\u002Favatar\u002F22feea4605ac5b7163eac439b5241034?s=96&d=mm&r=g”,\u003Cbr \u002F>\n    “user_activation_key”: “”\u003Cbr \u002F>\n}\u003C\u002Fp>\n\u003Cp>Of course you can add the code of this plugin to your Theme,\u003Cbr \u002F>\nbut this is not recommened because when you change the theme or update it\u003Cbr \u002F>\nthe changes will revert back, you can create child theme for that\u003Cbr \u002F>\nbut instead you can just install this simple plugin\u003C\u002Fp>\n\u003Cp>Don’t forget to setup (JwtAuthenticatonForWordpress)[https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F]\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fahmedhnewa\u002Fuser-data-fields-jwt-plugin\" rel=\"nofollow ugc\">Github\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Can Add User Data Fields To Validate Token Endpoint ?\u003C\u002Fh3>\n\u003Cp>This plugin can also add user data fields to validate token endpoint,\u003C\u002Fp>\n\u003Cp>Unfortunately, the jwt extension does not support using the filter for validate_token function,\u003Cbr \u002F>\nSo You Will Need To Modify Some Codes Inside Jwt Plugin Codes\u003Cbr \u002F>\nGo To \\wp-content\\plugins\\jwt-authentication-for-wp-rest-api\\public\\class-jwt-auth-public.php\u003Cbr \u002F>\nAnd At The End Of Function That Named validate_token\u003Cbr \u002F>\nIn Line 302\u003C\u002Fp>\n\u003Cp>Edit This Code\u003Cbr \u002F>\nFrom :\u003Cbr \u002F>\n\u002F** If the output is true return an answer to the request to show it *\u002F\u003Cbr \u002F>\n            return array(\u003Cbr \u002F>\n                ‘code’ => ‘jwt_auth_valid_token’,\u003Cbr \u002F>\n                ‘data’ => array(\u003Cbr \u002F>\n                    ‘status’ => 200,\u003Cbr \u002F>\n                ),\u003Cbr \u002F>\n            );\u003Cbr \u002F>\nTo 
:\u003Cbr \u002F>\n$value = array(\u003Cbr \u002F>\n            ‘code’ => ‘jwt_auth_valid_token’,\u003Cbr \u002F>\n                ‘data’ => array(\u003Cbr \u002F>\n                    ‘status’ => 200,\u003Cbr \u002F>\n                )\u003Cbr \u002F>\n            );\u003Cbr \u002F>\n            \u002F** If the output is true return an answer to the request to show it *\u002F\u003Cbr \u002F>\n            return apply_filters(‘jwt_auth_validate_token’, $value, $token);\u003C\u002Fp>\n\u003Cp>Now you have done,\u003Cbr \u002F>\nthe plugin should be able to add new values by adding a filter\u003C\u002Fp>\n\u003Cp>Note :\u003Cbr \u002F>\nIf you updated the jwt plugin,\u003Cbr \u002F>\nyou should again edit the code because it will be removed\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F\" rel=\"ugc\">JWT Authentication for WP REST API Plugin\u003C\u002Fa>\u003C\u002Fp>\n","Wordpress is a good content mangement system for building websites, but it will be better if you build like mobile apps,",40,2337,100,3,"2022-08-01T18:33:00.000Z","6.0.11",[19,20,22,23],"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcustom-fields-for-jwt-authentication-for-wp-rest-api\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-fields-for-jwt-authentication-for-wp-rest-api.1.2.1.zip",{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":62,"downloaded":63,"rating":64,"num_ratings":65,"last_updated":66,"tested_up_to":67,"requires_at_least":16,"requires_php":68,"tags":69,"homepage":72,"download_link":73,"security_score":47,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly 
extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) 
for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by 
default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca 
href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) 
{\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each 
request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca 
href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" 
rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    
$secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT 
Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication 
method.",60000,893830,88,53,"2026-02-18T00:58:00.000Z","6.9.4","7.4.0",[19,20,70,71,22],"oauth","rest-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"slug":75,"name":76,"version":77,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":82,"downloaded":83,"rating":84,"num_ratings":85,"last_updated":86,"tested_up_to":67,"requires_at_least":87,"requires_php":88,"tags":89,"homepage":95,"download_link":96,"security_score":47,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"two-factor","Two Factor","0.15.0","WordPress.org","https:\u002F\u002Fprofiles.wordpress.org\u002Fwordpressdotorg\u002F","\u003Cp>The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password.  This helps protect against unauthorized access even if passwords are compromised.\u003C\u002Fp>\n\u003Ch3>Setup Instructions\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Important\u003C\u002Fstrong>: Each user must individually configure their two-factor authentication settings.  
There are no site-wide settings for this plugin.\u003C\u002Fp>\n\u003Ch3>For Individual Users\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>Navigate to your profile\u003C\u002Fstrong>: Go to “Users” \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> “Your Profile” in the WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Find Two-Factor Options\u003C\u002Fstrong>: Scroll down to the “Two-Factor Options” section\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Choose your methods\u003C\u002Fstrong>: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):\n\u003Cul>\n\u003Cli>\u003Cstrong>Authenticator App (TOTP)\u003C\u002Fstrong> – Use apps like Google Authenticator, Authy, or 1Password\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Codes\u003C\u002Fstrong> – Receive one-time codes via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>FIDO U2F Security Keys\u003C\u002Fstrong> – Use physical security keys (requires HTTPS)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Backup Codes\u003C\u002Fstrong> – Generate one-time backup codes for emergencies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dummy Method\u003C\u002Fstrong> – For testing purposes only (requires WP_DEBUG)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configure each method\u003C\u002Fstrong>: Follow the setup instructions for each enabled provider\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Set primary method\u003C\u002Fstrong>: Choose which method to use as your default authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Save changes\u003C\u002Fstrong>: Click “Update Profile” to save your settings\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>For Site Administrators\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>No global settings\u003C\u002Fstrong>: This plugin operates on a per-user basis only. 
For more, see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWordPress\u002Ftwo-factor\u002Fissues\u002F249\" rel=\"nofollow ugc\">GH#249\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User management\u003C\u002Fstrong>: Administrators can configure 2FA for other users by editing their profiles\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security recommendations\u003C\u002Fstrong>: Encourage users to enable backup methods to prevent account lockouts\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Available Authentication Methods\u003C\u002Fh3>\n\u003Ch3>Authenticator App (TOTP) – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: High – Time-based one-time passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Scan QR code with authenticator app\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with Google Authenticator, Authy, 1Password, and other TOTP apps\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Most users, provides excellent security with good usability\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Backup Codes – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time use codes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Generate 10 backup codes for emergency access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works everywhere, no special hardware needed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Emergency access when other methods are unavailable\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Email Codes\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time codes sent via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Automatic – uses your WordPress email address\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with any email-capable 
device\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Users who prefer email-based authentication\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>FIDO U2F Security Keys\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: High – Hardware-based authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Register physical security keys (USB, NFC, or Bluetooth)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Requirements\u003C\u002Fstrong>: HTTPS connection required, compatible browser needed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Browser Support\u003C\u002Fstrong>: Chrome, Firefox, Edge (varies by key type)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Users with security keys who want maximum security\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Dummy Method\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: None – Always succeeds\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Only available when WP_DEBUG is enabled\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Testing and development only\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Developers testing the plugin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Important Notes\u003C\u002Fh3>\n\u003Ch3>HTTPS Requirement\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>FIDO U2F Security Keys require an HTTPS connection to function\u003C\u002Fli>\n\u003Cli>Other methods work on both HTTP and HTTPS sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Browser Compatibility\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>FIDO U2F requires a compatible browser and may not work on all devices\u003C\u002Fli>\n\u003Cli>TOTP and email methods work on all devices and browsers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Account Recovery\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Always enable backup codes to prevent being locked out of your account\u003C\u002Fli>\n\u003Cli>If you lose access to all authentication methods, 
contact your site administrator\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security Best Practices\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Use multiple authentication methods when possible\u003C\u002Fli>\n\u003Cli>Keep backup codes in a secure location\u003C\u002Fli>\n\u003Cli>Regularly review and update your authentication settings\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For more information about two-factor authentication in WordPress, see the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fmfa\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration Security Guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>For more history, see \u003Ca href=\"https:\u002F\u002Fgeorgestephanis.wordpress.com\u002F2013\u002F08\u002F14\u002Ftwo-cents-on-two-factor\u002F\" rel=\"nofollow ugc\">this post\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Actions & Filters\u003C\u002Fh4>\n\u003Cp>Here is a list of action and filter hooks provided by the plugin:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>two_factor_providers\u003C\u002Fcode> filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_providers_for_user\u003C\u002Fcode> filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object \u003Ccode>WP_User\u003C\u002Fcode> is available as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_enabled_providers_for_user\u003C\u002Fcode> filter overrides the list of two-factor providers enabled for a user. 
First argument is an array of enabled provider classnames as values, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_authenticated\u003C\u002Fcode> action which receives the logged in \u003Ccode>WP_User\u003C\u002Fcode> object as the first argument for determining the logged in user right after the authentication workflow.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_api_login_enable\u003C\u002Fcode> filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_ttl\u003C\u002Fcode> filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the \u003Ccode>WP_User\u003C\u002Fcode> object being authenticated.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_length\u003C\u002Fcode> filter overrides the default 8 character count for email tokens.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_backup_code_length\u003C\u002Fcode> filter overrides the default 8 character count for backup codes. Provides the \u003Ccode>WP_User\u003C\u002Fcode> of the associated user as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_rest_api_can_edit_user\u003C\u002Fcode> filter overrides whether a user’s Two-Factor settings can be edited via the REST API. 
First argument is the current \u003Ccode>$can_edit\u003C\u002Fcode> boolean, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_before_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires prior to the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires after the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_input\u003C\u002Fcode> action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after \u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode>).\u003C\u002Fli>\n\u003C\u002Ful>\n","Enable Two-Factor Authentication (2FA) using time-based one-time passwords (TOTP), Universal 2nd Factor (U2F), email, and backup verification codes.",100000,1526344,96,199,"2026-02-17T13:21:00.000Z","6.8","7.2",[90,91,92,93,94],"2fa","authentication","mfa","security","totp","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwo-factor.0.15.0.zip",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":107,"num_ratings":108,"last_updated":109,"tested_up_to":50,"requires_at_least":110,"requires_php":24,"tags":111,"homepage":114,"download_link":115,"security_score":26,"vuln_count":116,"unpatched_count":13,"last_vuln_date":117,"fetched_at":28},"google-authenticator","Google Authenticator","0.54","Ivan","https:\u002F\u002Fprofiles.wordpress.org\u002Fivankk\u002F","\u003Cp>The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for
Android\u002FiPhone\u002FBlackberry.\u003C\u002Fp>\n\u003Cp>If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail\u002FDropbox\u002FLastpass\u002FAmazon etc.\u003C\u002Fp>\n\u003Cp>The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.\u003C\u002Fp>\n\u003Cp>If you need to maintain your blog using an Android\u002FiPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin,\u003Cbr \u002F>\nbut please note that enabling the App password feature will make your blog less secure.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Thanks to:\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fevinak\u002F\" rel=\"nofollow ugc\">Oleksiy\u003C\u002Fa> for a bugfix in multisite.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpancek\" rel=\"nofollow ugc\">Paweł Nowacki\u003C\u002Fa> for the Polish translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FFabioZumbi12\" rel=\"nofollow ugc\">Fabio Zumbi\u003C\u002Fa> for the Portuguese translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.guidoschalkx.com\u002F\" rel=\"nofollow ugc\">Guido Schalkx\u003C\u002Fa> for the Dutch translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_donations&business=henrik%40schack%2edk&lc=US&item_name=Google%20Authenticator&item_number=Google%20Authenticator&no_shipping=0&no_note=1&tax=0&bn=PP%2dDonationsBF&charset=UTF%2d8\" rel=\"nofollow ugc\">Henrik.Schack\u003C\u002Fa> for writing\u002Fmaintaining versions 0.20 through 0.48\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftobias.baethge.com\u002F\" rel=\"nofollow ugc\">Tobias
Bäthge\u003C\u002Fa> for his code rewrite and German translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fblog.pcode.nl\u002F\" rel=\"nofollow ugc\">Pascal de Bruijn\u003C\u002Fa> for his “relaxed mode” idea.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftechnobabbl.es\u002F\" rel=\"nofollow ugc\">Daniel Werl\u003C\u002Fa> for his usability tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fdd32.id.au\u002F\" rel=\"nofollow ugc\">Dion Hulse\u003C\u002Fa> for his bugfixes.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fusers\u002Faldolat\u002F\" rel=\"nofollow ugc\">Aldo Latino\u003C\u002Fa> for his Italian translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.kaijia.me\u002F\" rel=\"nofollow ugc\">Kaijia Feng\u003C\u002Fa> for his Simplified Chinese translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.buayacorp.com\u002F\" rel=\"nofollow ugc\">Alex Concha\u003C\u002Fa> for his security tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fjetienne.com\u002F\" rel=\"nofollow ugc\">Jerome Etienne\u003C\u002Fa> for his jquery-qrcode plugin.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Forizhial.com\u002F\" rel=\"nofollow ugc\">Sébastien Prunier\u003C\u002Fa> for his Spanish and French translation.\u003C\u002Fp>\n","Google Authenticator for your WordPress blog.",20000,687508,86,134,"2022-07-04T04:55:00.000Z","4.5",[91,112,21,113,93],"login","password","https:\u002F\u002Fgithub.com\u002Fivankruchkoff\u002Fgoogle-authenticator","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-authenticator.0.54.zip",1,"2016-04-28 
00:00:00",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":105,"downloaded":126,"rating":64,"num_ratings":127,"last_updated":128,"tested_up_to":67,"requires_at_least":129,"requires_php":130,"tags":131,"homepage":136,"download_link":137,"security_score":138,"vuln_count":32,"unpatched_count":13,"last_vuln_date":139,"fetched_at":28},"wp-rest-api-authentication","JWT Authentication for WP REST APIs","4.3.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Cstrong>WordPress REST API endpoints\u003C\u002Fstrong> are \u003Cstrong>open and unsecured by default\u003C\u002Fstrong> which can be used to access your site data. Secure WordPress APIs from unauthorized users with our \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication\" rel=\"nofollow ugc\">JWT Authentication for WP REST APIs plugin\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Our plugin offers below authentication methods to \u003Cstrong>Protect WP REST API endpoints\u003C\u002Fstrong>:\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– External Token based Authentication 2.0\u002FOIDC\u002FJWT\u002F\u003Ca 
href=\"https:\u002F\u002Ffirebase.google.com\u002Fdocs\u002Fauth\u002Fadmin\u002Fcreate-custom-tokens\" rel=\"nofollow ugc\">Firebase\u003C\u002Fa> provider’s token authentication methods.\u003C\u002Fp>\n\u003Cp>You can authenticate default WordPress endpoints and custom-developed REST endpoints and third-party plugin REST API endpoints like that of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">Woocommerce\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">Learndash\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">Buddypress\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.gravityforms.com\u002F\" rel=\"nofollow ugc\">Gravity Forms\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcart-rest-api-for-woocommerce\u002F\" rel=\"ugc\">CoCart\u003C\u002Fa>, etc.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIsyKI7eEV-I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WP REST API Authentication Methods in our plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method#step_a1\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\nProvides an endpoint where you can pass the user credentials, and it will generate a JWT (JSON Web Token), which you can use to access the WordPress REST APIs accordingly.\u003Cbr \u002F>\nAdditionally, to maintain 
a seamless user experience without frequent logins needed due to token expiry, you can use our \u003Cem>Refresh and Revoke token\u003C\u002Fem> mechanisms feature.\u003Cbr \u002F>\nWhen the access token expires, instead of forcing the user to log in again, the client can request a new access token using a valid refresh token.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method#step_a\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>:\u003Cbr \u002F>\n        – 1. \u003Cstrong>Username: Password\u003C\u002Fstrong>\u003Cbr \u002F>\n        – 2. \u003Cstrong>Client-ID: Client-Secret\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method#step_a\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n        – 1. \u003Cstrong>Password Grant\u003C\u002Fstrong>\u003Cbr \u002F>\n            – 2. 
\u003Cstrong>Client Credentials Grant\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication-using-third-party-provider#step_a\" rel=\"nofollow ugc\">Third Party Provider Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Following are some of the integrations that are possible with WP REST API Authentication:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Learndash API Authentication\u003C\u002Fli>\n\u003Cli>Custom Built REST API Endpoints Authentication\u003C\u002Fli>\n\u003Cli>BuddyPress API Authentication\u003C\u002Fli>\n\u003Cli>WooCommerce API Authentication\u003C\u002Fli>\n\u003Cli>Gravity Form API Authentication\u003C\u002Fli>\n\u003Cli>External\u002FThird-party plugin API endpoints integration in WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also disable the WP REST APIs with our plugin such that no one can make API calls to your WordPress REST API endpoints. Our plugin also provides \u003Cstrong>Refresh and Revoke Token\u003C\u002Fstrong> that can be used to improve the API security.\u003C\u002Fp>\n\u003Ch3>Benefits of Refresh Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Enhances security by keeping access tokens short-lived.\u003C\u002Fli>\n\u003Cli>Improves user experience with uninterrupted sessions.\u003C\u002Fli>\n\u003Cli>Reduces login frequency.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits of Revoke Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Protects against token misuse if a device is lost or compromised.\u003C\u002Fli>\n\u003Cli>Enables admin-triggered logouts or session control.\u003C\u002Fli>\n\u003Cli>Useful for complying with stricter session policies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With this plugin, the user is allowed to access your site’s resources only after successful WP REST API authentication.
JWT Authentication for WP REST APIs plugin will make your \u003Cstrong>WordPress endpoints secure from unauthorized access.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Plugin Feature List\u003C\u002Fh3>\n\u003Ch3>FREE PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate only default core WordPress REST API endpoints.\u003C\u002Fli>\n\u003Cli>Basic Authentication with username and password.\u003C\u002Fli>\n\u003Cli>JWT Authentication (JSON Web Token Authentication).\u003C\u002Fli>\n\u003Cli>Enable Selective API protection.\u003C\u002Fli>\n\u003Cli>Restrict non-logged-in users to access REST API endpoints.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>PREMIUM PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate all REST API endpoints (Default WP, Custom APIs, Third-Party plugins)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Token Authentication\u003C\u002Fstrong> (JSON Web Token Authentication)\u003C\u002Fli>\n\u003Cli>Login, Refresh and Revoke token endpoints for token management\u003C\u002Fli>\n\u003Cli>API Key Authentication\u003C\u002Fli>\n\u003Cli>Basic Authentication (username\u002Fpassword and email\u002Fpassword)\u003C\u002Fli>\n\u003Cli>OAuth 2.0 Authentication\u003C\u002Fli>\n\u003Cli>Universal API key and User-specific API key for authentication\u003C\u002Fli>\n\u003Cli>Selective API protection.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003Cli>Time-based token expiry\u003C\u002Fli>\n\u003Cli>Role-based WP REST API authentication\u003C\u002Fli>\n\u003Cli>Custom Header support rather than just \u003Cem>Authorization\u003C\u002Fem> to increase security.\u003C\u002Fli>\n\u003Cli>Create users in WordPress based on third-party provider access tokens (JWT tokens) authentication.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data.\u003C\u002Fp>\n","Secure and protect WordPress REST API from unauthorized access using JWT token, Basic
Authentication, API Key, OAuth 2, or external token.",490496,73,"2026-02-09T05:11:00.000Z","3.0.1","5.6",[132,133,134,71,135],"api-key","jwt-authentication","rest","secure-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-authentication.4.3.0.zip",97,"2025-04-16 00:00:00",{"attackSurface":141,"codeSignals":212,"taintFlows":220,"riskAssessment":221,"analyzedAt":229},{"hooks":142,"ajaxHandlers":170,"restRoutes":171,"shortcodes":209,"cronEvents":210,"entryPointCount":211,"unprotectedCount":13},[143,149,153,157,161,165],{"type":144,"name":145,"callback":146,"file":147,"line":148},"action","init","gs_wp_jwt_endpoints_init","gs-jwt.php",19,{"type":144,"name":150,"callback":151,"file":147,"line":152},"rest_api_init","gs_wp_jwt_endpoints",21,{"type":154,"name":150,"callback":155,"file":147,"line":156},"filter","gs_wp_jwt_add_cors_support",22,{"type":154,"name":158,"callback":159,"priority":13,"file":147,"line":160},"rest_pre_serve_request","gs_wp_jwt_rest_pre_serve_request",23,{"type":154,"name":162,"callback":163,"priority":11,"file":147,"line":164},"rest_pre_dispatch","gs_wp_jwt_rest_pre_dispatch",24,{"type":154,"name":166,"callback":167,"priority":168,"file":147,"line":169},"determine_current_user","gs_wp_jwt_middleware_determine_current_user",20,698,[],[172,179,184,188,193,198,203],{"namespace":173,"route":112,"methods":174,"callback":176,"permissionCallback":177,"file":147,"line":178},"gs-jwt\u002Fv1",[175],"POST","gs_wp_jwt_endpoint_handler","closure",66,{"namespace":173,"route":180,"methods":181,"callback":182,"permissionCallback":177,"file":147,"line":183},"token\u002Fvalidate",[175],"gs_wp_jwt_validate_jwt_token",77,{"namespace":173,"route":185,"methods":186,"callback":187,"permissionCallback":177,"file":147,"line":64},"get-otp",[175],"gs_wp_jwt_otp_endpoint_handler",{"namespace":173,"route":189,"methods":190,"callback":191,"permissionCallback":177,"file":147,"
line":192},"verify-otp",[175],"gs_wp_jwt_otp_verify_endpoint_handler",99,{"namespace":173,"route":194,"methods":195,"callback":196,"permissionCallback":177,"file":147,"line":197},"register_user",[175],"gs_wp_jwt_register_endpoint_handler",110,{"namespace":173,"route":199,"methods":200,"callback":201,"permissionCallback":177,"file":147,"line":202},"register_userbymobile",[175],"gs_wp_jwt_register_userbymobile_endpoint_handler",121,{"namespace":173,"route":204,"methods":205,"callback":207,"permissionCallback":177,"file":147,"line":208},"login_test",[206],"GET","gs_wp_jwt_test_endpoint_handler",132,[],[],7,{"dangerousFunctions":213,"sqlUsage":214,"outputEscaping":217,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":219},[],{"prepared":215,"raw":13,"locations":216},4,[],{"escaped":11,"rawEcho":13,"locations":218},[],[],[],{"summary":222,"deductions":223},"Based on the provided static analysis and vulnerability history, the \"gs-jwt-auth-and-otp-varification\" v1.0.0 plugin exhibits a generally good security posture. The static analysis reveals a clean code base with no dangerous functions, all SQL queries utilizing prepared statements, and all outputs being properly escaped. Importantly, there are no identified taint flows, suggesting that user-supplied data is not being mishandled in critical ways. The plugin also has no external HTTP requests or file operations, reducing potential attack vectors.\n\nHowever, a significant concern arises from the complete absence of nonce checks and capability checks. While the REST API routes do have permission callbacks, the lack of nonce checks on AJAX handlers (of which there are none in this version, but it's a common entry point) and the absence of any capability checks leaves the plugin vulnerable to various client-side attacks or unauthorized actions if any entry points were to be introduced without proper authorization mechanisms. 
The lack of any historical vulnerabilities is a positive sign, indicating a diligent approach to security in its development or a short history. Overall, the plugin is well-coded in terms of data handling and database interaction, but a lack of fundamental WordPress security practices like nonce and capability checks represents a notable weakness.",[224,227],{"reason":225,"points":226},"Missing nonce checks on AJAX handlers",5,{"reason":228,"points":11},"Missing capability checks","2026-03-17T01:05:57.924Z",{"wat":231,"direct":236},{"assetPaths":232,"generatorPatterns":233,"scriptPaths":234,"versionParams":235},[],[],[],[],{"cssClasses":237,"htmlComments":238,"htmlAttributes":239,"restEndpoints":240,"jsGlobals":248,"shortcodeOutput":249},[],[],[],[241,242,243,244,245,246,247],"\u002Fgs-jwt\u002Fv1\u002Flogin","\u002Fgs-jwt\u002Fv1\u002Ftoken\u002Fvalidate","\u002Fgs-jwt\u002Fv1\u002Fget-otp","\u002Fgs-jwt\u002Fv1\u002Fverify-otp","\u002Fgs-jwt\u002Fv1\u002Fregister_user","\u002Fgs-jwt\u002Fv1\u002Fregister_userbymobile","\u002Fgs-jwt\u002Fv1\u002Flogin_test",[],[]]