[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvX2JMOd_XlH6xQCCKPHU-GQMU0semT1KNhi7WHVZYiU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":36,"analysis":137,"fingerprints":195},"headless-rest-api-security","Headless REST API Security","2.2","Md. Rakib Ullah","https:\u002F\u002Fprofiles.wordpress.org\u002Frakib417\u002F","\u003Cp>Running a Headless WordPress site often involves exposing the REST API. Headless REST API Security provides tools for administrators to control which endpoints are accessible to the public or external applications.\u003C\u002Fp>\n\u003Cp>This plugin restricts public access to REST API endpoints by default and offers a settings interface to allow-list only the specific routes required by a frontend application (such as Next.js, Gatsby, or mobile apps).\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Access Control:\u003C\u002Fstrong> Restrict default public access to REST API endpoints.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Route Allow-Listing:\u003C\u002Fstrong> Specific API routes (e.g., \u003Ccode>\u002Fwp\u002Fv2\u002Fposts\u003C\u002Fcode>) can be enabled while others remain restricted.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>API Key Authentication:\u003C\u002Fstrong> Supports an \u003Ccode>X-API-KEY\u003C\u002Fcode> header for server-to-server or frontend requests.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Headless Redirect:\u003C\u002Fstrong> Option to redirect users accessing the backend API URL to a specified frontend domain.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Access:\u003C\u002Fstrong> Logged-in Administrators and Editors retain access to the API to support the Block Editor (Gutenberg) functionality.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Plugin Support:\u003C\u002Fstrong> Detects routes registered by third-party plugins for configuration.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Navigate to \u003Cstrong>Settings > Headless Security\u003C\u002Fstrong> in the WordPress dashboard.\u003C\u002Fli>\n\u003Cli>Enable the \u003Cstrong>Master Switch\u003C\u002Fstrong> to activate the access restrictions.\u003C\u002Fli>\n\u003Cli>Review the list of REST API routes and check the \u003Cstrong>Allow\u003C\u002Fstrong> box for endpoints the application requires.\u003C\u002Fli>\n\u003Cli>Copy the generated \u003Cstrong>API Key\u003C\u002Fstrong> for use in application headers.\u003C\u002Fli>\n\u003Cli>(Optional) Enter a \u003Cstrong>Headless Frontend URL\u003C\u002Fstrong> to configure redirects for visitors.\u003C\u002Fli>\n\u003C\u002Fol>\n","Manage access to the WordPress REST API by restricting public endpoints, enabling specific route allow-listing, and handling API key authentication.",20,243,100,2,"2026-02-22T18:49:00.000Z","6.9.4","5.8","7.4",[20,21,22,23,24],"access-control","authentication","headless","permissions","rest-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fheadless-rest-api-security\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheadless-rest-api-security.2.3.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":13,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"rakib417",30,94,"2026-04-04T11:41:43.999Z",[37,57,72,93,115],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":11,"downloaded":45,"rating":27,"num_ratings":27,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":54,"download_link":55,"security_score":56,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"rest-api-key-authentication","WP REST API Key Authentication","1.0","Kamal Hosen","https:\u002F\u002Fprofiles.wordpress.org\u002Fikamal\u002F","\u003Cp>\u003Cstrong>WP REST API Key Authentication\u003C\u002Fstrong> adds a simple API key-based authentication method to the WordPress REST API. This plugin is perfect for developers who want to interact with the REST API securely without relying on complex OAuth authentication mechanisms.\u003C\u002Fp>\n\u003Ch3>Key Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Multiple API Keys\u003C\u002Fstrong>: Create and manage multiple API keys with custom names.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure API Key Storage\u003C\u002Fstrong>: API keys are hashed and securely stored in the WordPress database.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Display for Security\u003C\u002Fstrong>: API keys are shown only once after creation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST API Access Control\u003C\u002Fstrong>: Authenticate requests by including an API key in the \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Interface\u003C\u002Fstrong>: Manage API keys with a user-friendly admin page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Copy to Clipboard Popup\u003C\u002Fstrong>: Easily copy generated API keys with a built-in popup.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin is lightweight and integrates seamlessly with WordPress.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>\u003Cstrong>Generate an API Key\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Go to \u003Cstrong>API Keys\u003C\u002Fstrong> in the WordPress admin menu.\u003C\u002Fli>\n\u003Cli>Enter a name for the API key and click “Generate API Key”.\u003C\u002Fli>\n\u003Cli>The API key will appear in a popup. Copy it immediately, as it will not be displayed again.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Use the API Key\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Include the API key in the \u003Ccode>Authorization\u003C\u002Fcode> header of your REST API requests:\u003Cbr \u002F>\n \u003Ccode>Authorization: Bearer YOUR_API_KEY\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Delete API Keys\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>To revoke access, delete an API key from the \u003Cstrong>API Keys\u003C\u002Fstrong> admin page.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later. See the License URI for details.\u003C\u002Fp>\n","A simple plugin to add API key-based authentication to the WordPress REST API. Manage multiple API keys and secure your REST API endpoints.",952,"2025-01-16T09:18:00.000Z","6.7.5","5.0","7.2",[20,51,52,24,53],"api-authentication","api-key","security","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-key-authentication.1.0.zip",92,{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":27,"downloaded":65,"rating":27,"num_ratings":27,"last_updated":66,"tested_up_to":16,"requires_at_least":67,"requires_php":68,"tags":69,"homepage":54,"download_link":71,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"headlesskey-jwt-auth","HeadlessKey – JWT Auth","1.0.0","Hidayat Mahetar","https:\u002F\u002Fprofiles.wordpress.org\u002Fhidayatsafewp\u002F","\u003Cp>\u003Cstrong>HeadlessKey – JWT Auth\u003C\u002Fstrong> extends the REST API to provide a robust and secure authentication system using JSON Web Tokens (JWT). Designed for Headless WordPress, it enables seamless user authentication, registration, and session management via standard REST endpoints.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication\u003C\u002Fstrong>: Secure user authentication using industry-standard RFC 7519 tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Algorithms\u003C\u002Fstrong>: Support for \u003Ccode>HS256\u003C\u002Fcode>, \u003Ccode>RS256\u003C\u002Fcode>, and \u003Ccode>ES256\u003C\u002Fcode> signing algorithms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comprehensive Endpoints\u003C\u002Fstrong>: Ready-to-use endpoints for Login, Register, Token Refresh, and Password Management.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Sign-On (SSO)\u003C\u002Fstrong>: Connect multiple sites with a secure, headers-based SSO exchange mechanism.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role-Based Access Control (RBAC)\u003C\u002Fstrong>: Configure public or authenticated access for every endpoint.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute Force Protection\u003C\u002Fstrong>: Protects against attacks by locking users\u002FIPs after failed attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity Logs\u003C\u002Fstrong>: Detailed audit trail of all authentication events, including IP and device data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Webhooks\u003C\u002Fstrong>: Real-time JSON events sent to your external services for monitoring key actions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Device Limits\u003C\u002Fstrong>: Restrict the number of active devices\u002Fsessions per user.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong>: Extensive hooks and filters for deep customization.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch3>Secret Key\u003C\u002Fh3>\n\u003Cp>The plugin uses a secret key to sign tokens. By default, a secure random key is generated. For better security and consistency across environments, define your key in \u003Ccode>wp-config.php\u003C\u002Fcode>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_SECRET_KEY', 'your-long-random-secure-string');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a strong salt here: \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">WordPress Salt Generator\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>CORS Support\u003C\u002Fh3>\n\u003Cp>Cross-Origin Resource Sharing (CORS) is enabled by default to allow frontend applications to connect. To disable or customize it via constant:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_CORS', true); \u002F\u002F or false to disable\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST API Namespace\u003C\u002Fh3>\n\u003Cp>By default, endpoints are under \u003Ccode>wp-json\u002Fwpauthapi\u002Fv1\u003C\u002Fcode>. You can customize this namespace:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_REST_NAMESPACE', 'my-custom-auth');\ndefine('headlesskey_REST_VERSION', 'v2');\u003Ch3>Endpoints\u003C\u002Fh3>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The plugin adds the following endpoints under the \u003Ccode>\u002Fwp-json\u002Fheadlesskey\u002Fv1\u003C\u002Fcode> namespace:\u003C\u002Fp>\n\u003Cp>  Endpoint\u003Cbr \u002F>\n  HTTP Verb\u003Cbr \u002F>\n  Description\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Login\u003C\u002Fstrong>: Exchange username\u002Fpassword for a JWT.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Validate\u003C\u002Fstrong>: Check if a token validity.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Refresh\u003C\u002Fstrong>: Exchange a valid token for a new one (rotation).\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Logout\u003C\u002Fstrong>: Invalidate a specific token.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Register\u003C\u002Fstrong>: Create a new user account.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Profile\u003C\u002Fstrong>: Login and get full user profile data in one request.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Recover\u003C\u002Fstrong>: Request a password reset via Link or OTP.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Reset\u003C\u002Fstrong>: Set a new password using a token or OTP.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Update\u003C\u002Fstrong>: Change password for authenticated user.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>SSO\u003C\u002Fstrong>: Exchange a remote site token for a local session.\u003C\u002Fp>\n\u003Ch3>1. Login (Generate Token)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Authenticate a user and generate a JWT token.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"admin\",\u003Cbr \u002F>\n  \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n  \"expires_in\": 3600,\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\",\u003Cbr \u002F>\n    \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"Administrator\",\u003Cbr \u002F>\n    \"roles\": [\"administrator\"]\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"refreshable\": true,\u003Cbr \u002F>\n  \"jti\": \"545086b9-450f-488b-a70d-3047d14d1101\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>2. Validate Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Validate if an existing token is valid.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"valid\": true,\u003Cbr \u002F>\n  \"data\": {\u003Cbr \u002F>\n    \"iss\": \"https:\u002F\u002Fexample.com\",\u003Cbr \u002F>\n    \"iat\": 1698393600,\u003Cbr \u002F>\n    \"exp\": 1698397200,\u003Cbr \u002F>\n    \"data\": {\u003Cbr \u002F>\n      \"ID\": 1,\u003Cbr \u002F>\n      \"user_login\": \"admin\"\u003Cbr \u002F>\n    }\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>3. Refresh Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Rotate an expiring token for a fresh one.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.new...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T11:00:00+00:00\",\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\"\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"jti\": \"new-uuid-v4\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>4. Revoke Token (Logout)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Invalidate a token immediately.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Token revoked successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>5. Register User\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Create a new user account.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"johndoe\",\u003Cbr \u002F>\n  \"email\": \"john@example.com\",\u003Cbr \u002F>\n  \"password\": \"secure-password\",\u003Cbr \u002F>\n  \"name\": \"John Doe\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"user_id\": 45,\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 45,\u003Cbr \u002F>\n    \"user_login\": \"johndoe\",\u003Cbr \u002F>\n    \"user_email\": \"john@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"John Doe\",\u003Cbr \u002F>\n    \"roles\": [\"subscriber\"]\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"token_response\": {\u003Cbr \u002F>\n    \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOi...\",\u003Cbr \u002F>\n    \"expiration\": \"2023-10-27T10:00:00+00:00\"\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>6. User Profile (Login Extended)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Alternative login endpoint that returns cleaner profile structure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"admin\",\u003Cbr \u002F>\n  \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\",\u003Cbr \u002F>\n    \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"Administrator\",\u003Cbr \u002F>\n    \"roles\": [\"administrator\"]\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>7. Forgot Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Initiate password recovery. Note: \u003Ccode>delivery\u003C\u002Fcode> can be \u003Ccode>link\u003C\u002Fcode> or \u003Ccode>otp\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"delivery\": \"link\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password reset email sent.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>8. Reset Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Reset password using the token sent via email or OTP.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request (Link method):\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"password\": \"new-secure-password\",\u003Cbr \u002F>\n  \"token\": \"generated-reset-key\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password updated successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>9. Change Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Change password for currently authenticated user. Requires \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n    Authorization: Bearer \u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"current_password\": \"old-password\",\u003Cbr \u002F>\n  \"new_password\": \"new-secure-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password changed successfully. Please login again.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>10. SSO Token Exchange\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Securely exchange a token from a connected remote site for a local authentication session. This powers the distributed Single Sign-On network.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"site_key\": \"remote-site-id\",\u003Cbr \u002F>\n  \"token\": \"remote-jwt-token\",\u003Cbr \u002F>\n  \"signature\": \"hmac-sha256-signature\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\nReturns a standard \u003Cstrong>Login\u003C\u002Fstrong> response (Token + User Data) if the signature is valid.\u003C\u002Fp>\n","A complete authentication solution for Headless WordPress applications using JWT, supporting Registration, SSO, RBAC, and advanced Security features.",133,"2026-02-08T10:59:00.000Z","6.0","8.0",[21,22,70,24,53],"jwt","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheadlesskey-jwt-auth.1.0.0.zip",{"slug":73,"name":74,"version":75,"author":76,"author_profile":77,"description":78,"short_description":79,"active_installs":80,"downloaded":81,"rating":82,"num_ratings":83,"last_updated":84,"tested_up_to":16,"requires_at_least":85,"requires_php":86,"tags":87,"homepage":91,"download_link":92,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) {\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    $secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.",60000,893830,88,53,"2026-02-18T00:58:00.000Z","4.2","7.4.0",[88,70,89,24,90],"json-web-authentication","oauth","wp-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"slug":94,"name":95,"version":96,"author":97,"author_profile":98,"description":99,"short_description":100,"active_installs":101,"downloaded":102,"rating":103,"num_ratings":104,"last_updated":105,"tested_up_to":16,"requires_at_least":67,"requires_php":18,"tags":106,"homepage":110,"download_link":111,"security_score":112,"vuln_count":113,"unpatched_count":27,"last_vuln_date":114,"fetched_at":29},"wp-graphql","WPGraphQL","2.10.0","Jason Bahl","https:\u002F\u002Fprofiles.wordpress.org\u002Fjasonbahl\u002F","\u003Cp>WPGraphQL is a free, open-source WordPress plugin that provides an extendable GraphQL schema and API for any WordPress site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Get Started\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Install WPGraphQL: \u003Ccode>wp plugin install wp-graphql --activate\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Try it out: \u003Ca href=\"https:\u002F\u002Frepl.wpgraphql.com\" rel=\"nofollow ugc\">Live Demo\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Read the \u003Ca href=\"https:\u002F\u002Fwpgraphql.com\u002Fdocs\u002Fquick-start\" rel=\"nofollow ugc\">Quick Start Guide\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Join the \u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FAGVBqqyaUY\" rel=\"nofollow ugc\">Community on Discord\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql\" rel=\"nofollow ugc\">Star the Repo\u003C\u002Fa>!\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>Key Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Flexible API\u003C\u002Fstrong>: Query posts, pages, custom post types, taxonomies, users, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Extendable Schema\u003C\u002Fstrong>: Easily add functionality with WPGraphQL’s API, enabling custom integrations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatible with Modern Frameworks\u003C\u002Fstrong>: Works seamlessly with \u003Ca href=\"https:\u002F\u002Fvercel.com\u002Fguides\u002Fwordpress-with-vercel\" rel=\"nofollow ugc\">Next.js\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fdocs.astro.build\u002Fen\u002Fguides\u002Fcms\u002Fwordpress\u002F\" rel=\"nofollow ugc\">Astro\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.okupter.com\u002Fblog\u002Fheadless-wordpress-graphql-sveltekit\" rel=\"nofollow ugc\">SvelteKit\u003C\u002Fa>, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optimized Performance\u003C\u002Fstrong>: Fetch exactly the data you need in a single query. Boost performance with \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql\u002Ftree\u002Fmain\u002Fplugins\u002Fwp-graphql-smart-cache\" rel=\"nofollow ugc\">WPGraphQL Smart Cache\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>WPGraphQL is becoming a \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fnews\u002F2024\u002F10\u002Fwpgraphql\u002F\" rel=\"ugc\">Canonical Plugin\u003C\u002Fa> on WordPress.org, ensuring long-term support and a growing community of users and contributors.\u003C\u002Fp>\n\u003Ch4>Upgrading\u003C\u002Fh4>\n\u003Cp>It is recommended that anytime you want to update WPGraphQL that you get familiar with what’s changed in the release.\u003C\u002Fp>\n\u003Cp>WPGraphQL publishes \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql\u002Freleases\" rel=\"nofollow ugc\">release notes on Github\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>WPGraphQL has been following Semver practices for a few years. We will continue to follow Semver and let version numbers communicate meaning. The summary of Semver versioning is as follows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>MAJOR\u003C\u002Fem> version when you make incompatible API changes,\u003C\u002Fli>\n\u003Cli>\u003Cem>MINOR\u003C\u002Fem> version when you add functionality in a backwards compatible manner, and\u003C\u002Fli>\n\u003Cli>\u003Cem>PATCH\u003C\u002Fem> version when you make backwards compatible bug fixes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can read more about the details of Semver at semver.org\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>WPGraphQL uses \u003Ca href=\"https:\u002F\u002Fappsero.com\" rel=\"nofollow ugc\">Appsero\u003C\u002Fa> SDK to collect some telemetry data upon user’s confirmation. This helps us to troubleshoot problems faster and make product improvements.\u003C\u002Fp>\n\u003Cp>Appsero SDK \u003Cstrong>does not gather any data by default.\u003C\u002Fstrong> The SDK starts gathering basic telemetry data \u003Cstrong>only when a user allows it via the admin notice\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Learn more about how \u003Ca href=\"https:\u002F\u002Fappsero.com\u002Fprivacy-policy\u002F\" rel=\"nofollow ugc\">Appsero collects and uses this data\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Learn more about how \u003Ca href=\"https:\u002F\u002Fappsero.com\u002Fprivacy-policy\u002F\" rel=\"nofollow ugc\">Appsero collects and uses this data\u003C\u002Fa>.\u003C\u002Fp>\n","WPGraphQL adds a flexible and powerful GraphQL API to WordPress, enabling efficient querying and interaction with your site's data.",30000,1384379,98,48,"2026-03-11T22:53:00.000Z",[107,108,22,109,24],"decoupled","graphql","react","https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-graphql.2.10.0.zip",95,6,"2023-06-28 00:00:00",{"slug":116,"name":117,"version":118,"author":119,"author_profile":120,"description":121,"short_description":122,"active_installs":123,"downloaded":124,"rating":82,"num_ratings":125,"last_updated":126,"tested_up_to":16,"requires_at_least":127,"requires_php":128,"tags":129,"homepage":133,"download_link":134,"security_score":135,"vuln_count":14,"unpatched_count":27,"last_vuln_date":136,"fetched_at":29},"wp-rest-api-authentication","JWT Authentication for WP REST APIs","4.3.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Cstrong>WordPress REST API endpoints\u003C\u002Fstrong> are \u003Cstrong>open and unsecured by default\u003C\u002Fstrong> which can be used to access your site data. Secure WordPress APIs from unauthorized users with our \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication\" rel=\"nofollow ugc\">JWT Authentication for WP REST APIs plugin\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Our plugin offers below authentication methods to \u003Cstrong>Protect WP REST API endpoints\u003C\u002Fstrong>:\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– External Token based Authentication 2.0\u002FOIDC\u002FJWT\u002F\u003Ca href=\"https:\u002F\u002Ffirebase.google.com\u002Fdocs\u002Fauth\u002Fadmin\u002Fcreate-custom-tokens\" rel=\"nofollow ugc\">Firebase\u003C\u002Fa> provider’s token authentication methods.\u003C\u002Fp>\n\u003Cp>You can authenticate default WordPress endpoints and custom-developed REST endpoints and third-party plugin REST API endpoints like that of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">Woocommerce\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">Learndash\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">Buddypress\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.gravityforms.com\u002F\" rel=\"nofollow ugc\">Gravity Forms\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcart-rest-api-for-woocommerce\u002F\" rel=\"ugc\">CoCart\u003C\u002Fa>, etc.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIsyKI7eEV-I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WP REST API Authentication Methods in our plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method#step_a1\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\nProvides an endpoint where you can pass the user credentials, and it will generate a JWT (JSON Web Token), which you can use to access the WordPress REST APIs accordingly.\u003Cbr \u002F>\nAdditionally, to maintain a seamless user experience without frequent logins needed due to token expiry, you can use our \u003Cem>Refresh and Revoke token\u003C\u002Fem> mechanisms feature.\u003Cbr \u002F>\nWhen the access token expires, instead of forcing the user to log in again, the client can request a new access token using a valid refresh token.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method#step_a\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>:\u003Cbr \u002F>\n        – 1. \u003Cstrong>Username: Password\u003C\u002Fstrong>\u003Cbr \u002F>\n        – 2. \u003Cstrong>Client-ID: Client-Secret\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method#step_a\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n        – 1. \u003Cstrong>Password Grant\u003C\u002Fstrong>\u003Cbr \u002F>\n            – 2. \u003Cstrong>Client Credentials Grant\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication-using-third-party-provider#step_a\" rel=\"nofollow ugc\">Third Party Provider Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Following are some of the integrations that are possible with WP REST API Authentication:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Learndash API Authentication\u003C\u002Fli>\n\u003Cli>Custom Built REST API Endpoints Authentication\u003C\u002Fli>\n\u003Cli>BuddyPress API Authentication\u003C\u002Fli>\n\u003Cli>WooCommerce API Authentication\u003C\u002Fli>\n\u003Cli>Gravity Form API Authentication\u003C\u002Fli>\n\u003Cli>External\u002FThird-party plugin API endpoints integration in WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also disable the WP REST APIs with our plugin such that no one can make API calls to your WordPress REST API endpoints.Our plugin also provides \u003Cstrong>Refresh and Revoke Token\u003C\u002Fstrong> that can be used to improve the API security.\u003C\u002Fp>\n\u003Ch3>Benefits of Refresh Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Enhances security by keeping access tokens short-lived.\u003C\u002Fli>\n\u003Cli>Improves user experience with uninterrupted sessions.\u003C\u002Fli>\n\u003Cli>Reduces login frequency.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits of Revoke Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Protects against token misuse if a device is lost or compromised.\u003C\u002Fli>\n\u003Cli>Enables admin-triggered logouts or session control.\u003C\u002Fli>\n\u003Cli>Useful for complying with stricter session policies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With this plugin, the user is allowed to access your site’s resources only after successful WP REST API authentication. JWT Authentication for WP REST APIs plugin will make your \u003Cstrong>WordPress endpoints secure from unauthorized access.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Plugin Feature List\u003C\u002Fh3>\n\u003Ch3>FREE PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate only default core WordPress REST API endpoints.\u003C\u002Fli>\n\u003Cli>Basic Authentication with username and password.\u003C\u002Fli>\n\u003Cli>JWT Authentication (JSON Web Token Authentication).\u003C\u002Fli>\n\u003Cli>Enable Selective API protection.\u003C\u002Fli>\n\u003Cli>Restrict non-logged-in users to access REST API endpoints.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>PREMIUM PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate all REST API endpoints (Default WP, Custom APIs,Third-Party plugins)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Token Authentication\u003C\u002Fstrong> (JSON Web Token Authentication)\u003C\u002Fli>\n\u003Cli>Login, Refresh and Revoke token endpoints for token management\u003C\u002Fli>\n\u003Cli>API Key Authentication\u003C\u002Fli>\n\u003Cli>Basic Authentication (username\u002Fpassword and email\u002Fpassword)\u003C\u002Fli>\n\u003Cli>OAuth 2.0 Authentication\u003C\u002Fli>\n\u003Cli>Universal API key and User-specific API key for authentication\u003C\u002Fli>\n\u003Cli>Selective API protection.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003Cli>Time-based token expiry\u003C\u002Fli>\n\u003Cli>Role-based WP REST API authentication\u003C\u002Fli>\n\u003Cli>Custom Header support rather than just \u003Cem>Authorization\u003C\u002Fem> to increase security.\u003C\u002Fli>\n\u003Cli>Create users in WordPress based on third-party provider access tokens (JWT tokens) authentication.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data.\u003C\u002Fp>\n","Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.",20000,490496,73,"2026-02-09T05:11:00.000Z","3.0.1","5.6",[52,130,131,24,132],"jwt-authentication","rest","secure-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-authentication.4.3.0.zip",97,"2025-04-16 00:00:00",{"attackSurface":138,"codeSignals":173,"taintFlows":185,"riskAssessment":186,"analyzedAt":194},{"hooks":139,"ajaxHandlers":169,"restRoutes":170,"shortcodes":171,"cronEvents":172,"entryPointCount":27,"unprotectedCount":27},[140,146,152,156,160,165],{"type":141,"name":142,"callback":143,"file":144,"line":145},"action","admin_menu","hras_add_admin_menu","includes\\admin-menu.php",5,{"type":147,"name":148,"callback":149,"priority":150,"file":151,"line":113},"filter","rest_authentication_errors","hras_restrict_rest_api",99,"includes\\api-auth.php",{"type":141,"name":153,"callback":154,"file":155,"line":113},"template_redirect","hras_trigger_headless_redirect","includes\\headless-redirect.php",{"type":147,"name":157,"callback":158,"file":155,"line":159},"allowed_redirect_hosts","closure",40,{"type":141,"name":161,"callback":162,"file":163,"line":164},"admin_enqueue_scripts","hras_enqueue_assets","includes\\settings.php",46,{"type":141,"name":166,"callback":167,"file":163,"line":168},"admin_init","hras_register_settings",51,[],[],[],[],{"dangerousFunctions":174,"sqlUsage":175,"outputEscaping":177,"fileOperations":27,"externalRequests":27,"nonceChecks":27,"capabilityChecks":14,"bundledLibraries":184},[],{"prepared":27,"raw":27,"locations":176},[],{"escaped":178,"rawEcho":179,"locations":180},26,1,[181],{"file":163,"line":182,"context":183},93,"raw output",[],[],{"summary":187,"deductions":188},"The \"headless-rest-api-security\" v2.2 plugin exhibits a strong security posture based on the provided static analysis. The absence of any identified attack surface points like AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the plugin's potential exposure to external threats.  Furthermore, the code signals indicate robust security practices, including no dangerous functions, all SQL queries utilizing prepared statements, and a very high percentage of properly escaped output.  The lack of file operations and external HTTP requests also reduces common attack vectors.  The vulnerability history is clean, with no recorded CVEs, which suggests a well-maintained and secure codebase over time.  \n\nHowever, the static analysis reveals a complete absence of nonce checks and a low number of capability checks (2), which could be a concern depending on the plugin's intended functionality. If the plugin handles sensitive data or performs critical actions, the lack of these common WordPress security mechanisms leaves it vulnerable to certain types of attacks, such as Cross-Site Request Forgery (CSRF) if not properly handled by the frontend application. The taint analysis showing zero flows, while positive, might be due to the limited scope of analysis or the plugin's minimal functionality.  Overall, the plugin is well-written regarding common vulnerabilities, but the lack of explicit nonce and robust capability checks warrants attention, especially if it's intended for more than basic utility.",[189,191],{"reason":190,"points":145},"Missing nonce checks",{"reason":192,"points":193},"Limited capability checks",3,"2026-03-16T22:50:48.260Z",{"wat":196,"direct":203},{"assetPaths":197,"generatorPatterns":199,"scriptPaths":200,"versionParams":201},[198],"\u002Fwp-content\u002Fplugins\u002Fheadless-rest-api-security\u002Fincludes\u002Fadmin.css",[],[],[202],"headless-rest-api-security\u002Fincludes\u002Fadmin.css?ver=2.2",{"cssClasses":204,"htmlComments":214,"htmlAttributes":215,"restEndpoints":221,"jsGlobals":226,"shortcodeOutput":229},[205,206,207,208,209,210,211,212,213],"hras-row","row-master-toggle","method-check","active-row","hras-table-wrapper","hras-table","route-header","allow-header","method-header",[],[216,217,218,219,220],"name=\"hras_enabled\"","name=\"hras_headless_redirect\"","name=\"hras_api_key\"","name=\"hras_allowed_domain\"","name=\"hras_whitelisted_routes\"",[222,223,224,225],"\u002Fwp\u002Fv2\u002Fposts","\u002Fwp\u002Fv2\u002Fpages","\u002Fwp\u002Fv2\u002Fusers","\u002Fwp\u002Fv2",[227,228],"window.addEventListener","document.addEventListener",[]]