[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzBbuzpkrPzkWUrkRIb7mlUKMp5PwOp84ExFiyuGmKoY":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":26,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":47,"crawl_stats":36,"alternatives":54,"analysis":152,"fingerprints":294},"jwt-auth","JWT Auth – WordPress JSON Web Token Authentication","3.0.2","Bagus","https:\u002F\u002Fprofiles.wordpress.org\u002Fcontactjavas\u002F","\u003Cp>WordPress JSON Web Token Authentication allows you to do REST API authentication via token. It is a simple, non-complex, and easy to use. This plugin probably is the most convenient way to do JWT Authentication in WordPress.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support & question: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fjwt-auth\u002F\" rel=\"ugc\">WordPress support forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Reporting plugin’s bug: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub issues tracker\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FDgECpEg\" rel=\"nofollow ugc\">Discord channel\u003C\u002Fa> also available for faster response.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Upgrading to v3\u003C\u002Fh3>\n\u003Cp>When updating from v2 to v3, familiarise yourself with its changes to ensure that your site continues to work as expected:\u003C\u002Fp>\n\u003Ch4>New: Refresh tokens ([docs](https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth#refreshing-the-access-token))\u003C\u002Fh4>\n\u003Cp>Key changes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Default JWT access token expiry time has been 
reduced from 7 days to 10 minutes.\u003C\u002Fli>\n\u003Cli>On expiry of a JWT, clients need to retrieve a new access token using the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth#refreshing-the-access-token\" rel=\"nofollow ugc\">refresh token as described here\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>To retain the 7 day expiry time, use the hook \u003Ccode>jwt_auth_expire\u003C\u002Fcode>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Removed Whitelist\u003C\u002Fh4>\n\u003Cp>Key changes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>You no longer need to whitelist REST paths from other plugins with the hook \u003Ccode>jwt_auth_whitelist\u003C\u002Fcode>. You can remove the hook.\u003C\u002Fli>\n\u003Cli>Instead, custom REST API routes should have access requirements specified with the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Fextending-the-rest-api\u002Fadding-custom-endpoints\u002F#permissions-callback\" rel=\"nofollow ugc\">permissions callback\u003C\u002Fa> when it is registered.\u003C\u002Fli>\n\u003Cli>This means that if a route requires authentication, any authentication method can be used and this should reduce conflicts between this and other plugins. 
See \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fpull\u002F60\" rel=\"nofollow ugc\">this discussion\u003C\u002Fa> for further information.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Enable PHP HTTP Authorization Header\u003C\u002Fh3>\n\u003Ch4>Shared Hosts\u003C\u002Fh4>\n\u003Cp>Most shared hosts have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPEngine\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following (see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1\" rel=\"nofollow ugc\">this issue\u003C\u002Fa>):\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch4>Configurate the Secret Key\u003C\u002Fh4>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. 
This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never be revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can use a string from \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Configurate CORs Support\u003C\u002Fh4>\n\u003Cp>This plugin has the option to activate \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORs\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable the CORs Support edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, three new \u003Cem>POST\u003C\u002Fem> endpoints are added to this namespace.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\n\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Requesting\u002F Generating Token\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate token, submit a POST request to this endpoint. 
With \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters.\u003C\u002Fp>\n\u003Cp>It validates the user credentials and returns a success response including a token if the authentication is correct, or an error response if the authentication fails.\u003C\u002Fp>\n\u003Cp>You can use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to let the user manage the device access in your profile. If this parameter is empty, it is ignored.\u003C\u002Fp>\n\u003Ch4>Sample of success response when trying to generate token:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": true,\n    \"statusCode\": 200,\n    \"code\": \"jwt_auth_valid_credential\",\n    \"message\": \"Credential is valid\",\n    \"data\": {\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw\",\n        \"id\": 1,\n        \"email\": \"contactjavas@gmail.com\",\n        \"nicename\": \"contactjavas\",\n        \"firstName\": \"Bagus Javas\",\n        \"lastName\": \"Heruyanto\",\n        \"displayName\": \"contactjavas\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of error response when trying to generate token:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"invalid_username\",\n    \"message\": \"Unknown username. Try again or check your email address.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application. 
It can be:\u003Cbr \u002F>\n– using \u003Cstrong>cookie\u003C\u002Fstrong>\u003Cbr \u002F>\n– or using \u003Cstrong>localstorage\u003C\u002Fstrong>\u003Cbr \u002F>\n– or using a wrapper like \u003Ca href=\"https:\u002F\u002Flocalforage.github.io\u002FlocalForage\u002F\" rel=\"nofollow ugc\">localForage\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fpouchdb.com\u002F\" rel=\"nofollow ugc\">PouchDB\u003C\u002Fa>\u003Cbr \u002F>\n– or using local database like SQLite or \u003Ca href=\"https:\u002F\u002Fdocs.hivedb.dev\u002F#\u002F\" rel=\"nofollow ugc\">Hive\u003C\u002Fa>\u003Cbr \u002F>\n– or your choice based on app you develop 😉\u003C\u002Fp>\n\u003Cp>Then you should pass this token as \u003Cem>Bearer Authentication\u003C\u002Fem> header to every API call. The header format is:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer your-generated-token\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>and here’s an example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw\";\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>jwt-auth\u003C\u002Fstrong> will intercept every call to the server and will look for the authorization header, if the authorization header is present, it will try to decode the token and will set the user according with the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as always.\u003C\u002Fp>\n\u003Ch3>Validating Token\u003C\u002Fh3>\n\u003Cp>You likely \u003Cstrong>don’t need\u003C\u002Fstrong> to validate the token your self. 
The plugin handles it for you, as explained above.\u003C\u002Fp>\n\u003Cp>But if you want to test or validate the token manually, then send a \u003Cstrong>POST\u003C\u002Fstrong> request to this endpoint (don’t forget to set your \u003Cem>Bearer Authorization\u003C\u002Fem> header):\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Valid Token Response:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": true,\n    \"statusCode\": 200,\n    \"code\": \"jwt_auth_valid_token\",\n    \"message\": \"Token is valid\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Refreshing the Access Token\u003C\u002Fh3>\n\u003Cp>For security reasons, third-party applications that are integrating with your authentication server will not store the user’s username and password. Instead, they will store the refresh token in user-specific storage that is only accessible to the user. The refresh token can be used to re-authenticate as the same user and generate a new access token.\u003C\u002Fp>\n\u003Cp>When authenticating with \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters to \u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fcode>, a refresh token is sent as a cookie in the response.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate a new access token using the refresh token, submit a POST request to the token endpoint together with the \u003Ccode>refresh_token\u003C\u002Fcode> cookie.\u003C\u002Fp>\n\u003Cp>Use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the token with that device.\u003C\u002Fp>\n\u003Cp>If the refresh token is valid, then you receive a new access token in the response.\u003C\u002Fp>\n\u003Cp>By default, each access token expires after 10 
minutes.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate new refresh token using the refresh token, submit a POST request to the token refresh endpoint together with the \u003Ccode>refresh_token\u003C\u002Fcode> cookie.\u003C\u002Fp>\n\u003Cp>Use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the refresh token with that device.\u003C\u002Fp>\n\u003Cp>If the refresh token is valid, then you receive a new refresh token as a cookie in the response.\u003C\u002Fp>\n\u003Cp>By default, each refresh token expires after 30 days.\u003C\u002Fp>\n\u003Ch4>Refresh Token Rotation\u003C\u002Fh4>\n\u003Cp>Whenever you are authenticating afresh or refreshing the refresh token, only the last issued refresh token remains valid. All previously issued refresh tokens can no longer be used.\u003C\u002Fp>\n\u003Cp>This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticated, use the parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the refresh token only with that device.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl -F device=\"abc-def\" -F username=myuser -F password=mypass \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\n\ncurl -F device=\"abc-def\" -b \"refresh_token=123.abcdef...\" \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\n\ncurl -F device=\"abc-def\" -b \"refresh_token=123.abcdef...\" \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Errors\u003C\u002Fh3>\n\u003Cp>If the token is invalid an error will be returned. 
Here are some samples of errors:\u003C\u002Fp>\n\u003Ch4>No Secret Key\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_config\",\n    \"message\": \"JWT is not configured properly.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>No HTTP_AUTHORIZATION Header\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_no_auth_header\",\n    \"message\": \"Authorization header not found.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Iss\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_iss\",\n    \"message\": \"The iss do not match with this server.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Signature\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Incomplete Payload\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_request\",\n    \"message\": \"User ID not found in the token.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>User Not Found\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_user_not_found\",\n    \"message\": \"User doesn't exist\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Obsolete Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n   
 \"statusCode\": 403,\n    \"code\": \"jwt_auth_obsolete_token\",\n    \"message\": \"Token is obsolete\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_invalid_refresh_token\",\n    \"message\": \"Invalid refresh token\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Obsolete Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_obsolete_refresh_token\",\n    \"message\": \"Refresh token is obsolete\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_expired_refresh_token\",\n    \"message\": \"Refresh token has expired\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Available Filter Hooks\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>JWT Auth\u003C\u002Fstrong> is developer friendly and has some filters available to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_cors_allow_headers\u003C\u002Fcode> allows you to modify the available headers when the CORs support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'X-Requested-With, Content-Type, Accept, Origin, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the allowed CORS headers.\n *\n * @param string $headers The allowed headers.\n * @return string The allowed headers.\n *\u002F\nadd_filter(\n    'jwt_auth_cors_allow_headers',\n    function ( $headers ) {\n        \u002F\u002F Modify the headers here.\n        return $headers;\n    
}\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_iss\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_iss\u003C\u002Fstrong> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.1\" rel=\"nofollow ugc\">\u003Cstrong>iss\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>get_bloginfo( 'url' )\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token issuer.\n *\n * @param string $iss The token issuer.\n * @return string The token issuer.\n *\u002F\nadd_filter(\n    'jwt_auth_iss',\n    function ( $iss ) {\n        \u002F\u002F Modify the \"iss\" here.\n        return $iss;\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_not_before\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F\u002F Creation time.\ntime()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's nbf value.\n *\n * @param int $not_before The default \"nbf\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n *\n * @return int The \"nbf\" value.\n *\u002F\nadd_filter(\n    'jwt_auth_not_before',\n    function ( $not_before, $issued_at ) {\n        \u002F\u002F Modify the \"not_before\" here.\n        return $not_before;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_expire\u003C\u002Fcode> allows you to change the value \u003Ca 
href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's expire value.\n *\n * @param int $expire The default \"exp\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n *\n * @return int The \"exp\" value.\n *\u002F\nadd_filter(\n    'jwt_auth_expire',\n    function ( $expire, $issued_at ) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_refresh_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_refresh_expire\u003C\u002Fcode> filter hook allows you to change the expiration date of the refresh token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 30)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the refresh token's expiration time.\n *\n * @param int $expire The default expiration timestamp.\n * @param int $issued_at The current time.\n *\n * @return int The custom refresh token expiration timestamp.\n *\u002F\nadd_filter(\n    'jwt_auth_refresh_expire',\n    function ( $expire, $issued_at ) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_alg\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_alg\u003C\u002Fcode> allows you to change the supported signing \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-jose-json-web-algorithms-40\" rel=\"nofollow ugc\">algorithm\u003C\u002Fa> for your 
application.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'HS256'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's signing algorithm.\n *\n * @param string $alg The default supported signing algorithm.\n * @return string The supported signing algorithm.\n *\u002F\nadd_filter(\n    'jwt_auth_alg',\n    function ( $alg ) {\n        \u002F\u002F Change the signing algorithm here.\n        return $alg;\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_payload\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_payload\u003C\u002Fcode> allows you to modify all the payload \u002F token data before being encoded and signed.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issued_at,\n    'nbf' => $not_before,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the payload\u002F token's data before being encoded & signed.\n *\n * @param array $payload The default payload\n * @param WP_User $user The authenticated user.\n * .\n * @return array The payload\u002F token's data.\n *\u002F\nadd_filter(\n    'jwt_auth_payload',\n    function ( $payload, $user ) {\n        \u002F\u002F Modify the payload here.\n        return $payload;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_valid_credential_response\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_valid_credential_response\u003C\u002Fcode> allows you to modify the valid credential response when generating a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$response = array(\n    'success'    => true,\n    'statusCode' => 200,\n    'code'       
=> 'jwt_auth_valid_credential',\n    'message'    => __( 'Credential is valid', 'jwt-auth' ),\n    'data'       => array(\n        'token'       => $token,\n        'id'          => $user->ID,\n        'email'       => $user->user_email,\n        'nicename'    => $user->user_nicename,\n        'firstName'   => $user->first_name,\n        'lastName'    => $user->last_name,\n        'displayName' => $user->display_name,\n    ),\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the response of valid credential.\n *\n * @param array $response The default valid credential response.\n * @param WP_User $user The authenticated user.\n * .\n * @return array The valid credential response.\n *\u002F\nadd_filter(\n    'jwt_auth_valid_credential_response',\n    function ( $response, $user ) {\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>jwt_auth_valid_token_response\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>jwt_auth_valid_token_response\u003C\u002Fstrong> allows you to modify the valid token response when validating a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$response = array(\n    'success'    => true,\n    'statusCode' => 200,\n    'code'       => 'jwt_auth_valid_token',\n    'message'    => __( 'Token is valid', 'jwt-auth' ),\n    'data'       => array(),\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the response of valid token.\n *\n * @param array $response The default valid token response.\n * @param WP_User $user The authenticated user.\n * @param string $token The raw token.\n * @param array $payload The token data.\n * .\n * @return array The valid token response.\n *\u002F\nadd_filter(\n    'jwt_auth_valid_token_response',\n    function ( $response, $user, $token, $payload ) 
{\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    4\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>jwt_auth_extra_token_check\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>jwt_auth_extra_token_check\u003C\u002Fstrong> allows you to add extra criteria to validate the token. If the returned value is empty, validation proceeds, so return an empty value to bypass the filter. Any other value blocks the token access and returns a response with code \u003Ccode>jwt_auth_obsolete_token\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>''\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the validation of token. Non-empty values block token validation.\n *\n * @param array $response An empty value ''.\n * @param WP_User $user The authenticated user.\n * @param string $token The raw token.\n * @param array $payload The token data.\n * .\n * @return array The valid token response.\n *\u002F\nadd_filter(\n    'jwt_auth_extra_token_check',\n    function ( $response, $user, $token, $payload ) {\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    4\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffirebase\u002Fphp-jwt\" rel=\"nofollow ugc\">PHP-JWT from firebase\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F\" rel=\"ugc\">JWT Authentication for WP REST API\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpesseba\" rel=\"nofollow ugc\">Devices utility by pesseba\u003C\u002Fa>\u003Cbr \u002F>\nThe \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fcollaborators\" rel=\"nofollow ugc\">awesome maintainers\u003C\u002Fa> and \u003Ca 
href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fgraphs\u002Fcontributors\" rel=\"nofollow ugc\">contributors\u003C\u002Fa>\u003C\u002Fp>\n","Create JSON Web Token Authentication in WordPress.",6000,103837,100,22,"2024-05-07T21:38:00.000Z","6.5.8","5.2","7.2",[20,21,4,22],"json-web-token","jwt","token-authentication","https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-auth.zip",90,1,0,"2022-11-11 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":38,"severity":39,"cvss_score":40,"cvss_vector":41,"vuln_type":42,"published_date":28,"updated_date":43,"references":44,"days_to_patch":46},"CVE-2021-46743","firebase-php-jwt-algorithm-confusion","Firebase PHP-JWT \u003C 6.0.0 - Algorithm Confusion","In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 \u002F HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. 
This may or may not be exploitable in WordPress plugins and themes using the library.",null,"\u003C=2.1.0","2.1.1","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:N","Access of Resource Using Incompatible Type ('Type Confusion')","2024-01-22 19:56:02",[45],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8aa0fffa-475e-4227-9ab1-17ca6fcce529?source=api-prod",438,{"slug":48,"display_name":7,"profile_url":8,"plugin_count":49,"total_installs":50,"avg_security_score":51,"avg_patch_time_days":46,"trust_score":52,"computed_at":53},"contactjavas",2,6300,88,71,"2026-04-04T09:04:35.753Z",[55,73,97,115,132],{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":61,"short_description":62,"active_installs":27,"downloaded":63,"rating":27,"num_ratings":27,"last_updated":64,"tested_up_to":65,"requires_at_least":17,"requires_php":66,"tags":67,"homepage":70,"download_link":71,"security_score":72,"vuln_count":27,"unpatched_count":27,"last_vuln_date":36,"fetched_at":29},"simple-jwt-auth","Simple JWT Auth","1.0.2","Sayan Dey","https:\u002F\u002Fprofiles.wordpress.org\u002Fsayandey18\u002F","\u003Cp>Extends the WordPress REST API using JSON Web Tokens for robust authentication and authorization.\u003C\u002Fp>\n\u003Cp>JSON Web Token (JWT) is an open standard (\u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa>) that defines a compact and self-contained way for securely transmitting information between two parties.\u003C\u002Fp>\n\u003Cp>It provides a secure and reliable way to access and manage WordPress data from external applications, making it ideal for building headless CMS solutions.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support & question: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fsimple-jwt-auth\u002F\" rel=\"ugc\">WordPress support 
forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Reporting plugin’s bug: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub issues tracker\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Plugins GitHub Repo\u003C\u002Fstrong> https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u003C\u002Fp>\n\u003Ch3>Enable PHP HTTP Authorization Header\u003C\u002Fh3>\n\u003Cp>HTTP Authorization is a mechanism that allows clients to provide credentials to servers, thereby gaining access to protected resources. This is typically achieved by sending a special header, the Authorization header, in the HTTP request.\u003C\u002Fp>\n\u003Ch4>Shared Hosts\u003C\u002Fh4>\n\u003Cp>Most shared hosts have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPEngine\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your .htaccess file adding the follow:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Cp>Simple JWT Auth plugin needs a \u003Cstrong>Signing Key\u003C\u002Fstrong> to encrypt and decrypt the \u003Cstrong>secret key\u003C\u002Fstrong>, \u003Cstrong>private key\u003C\u002Fstrong>, and \u003Cstrong>public key\u003C\u002Fstrong>. 
This signing key must be exactly 32 characters long and must never be revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>signing key\u003C\u002Fstrong> edit your \u003Ccode>wp-config.php\u003C\u002Fcode> file and add a new constant called \u003Cstrong>SIMPLE_JWT_AUTH_ENCRYPT_KEY\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'SIMPLE_JWT_AUTH_ENCRYPT_KEY', 'your-32-char-signing-key' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Generate a 32-character key from here: \u003Ca href=\"https:\u002F\u002Fstring-gen.netlify.app\" rel=\"nofollow ugc\">https:\u002F\u002Fstring-gen.netlify.app\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Here is the sample response if the encryption key is not configured in the wp-config.php file.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_encryption_key\",\n    \"message\": \"Encryption key is not configured properly.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fauth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken          | POST\n*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate | POST\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Requesting\u002FGenerating Token\u003C\u002Fh3>\n\u003Cp>To generate a new token, submit a POST request to this endpoint. 
Pass \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters.\u003C\u002Fp>\n\u003Cp>It validates the user credentials and returns a success response including a token if authentication succeeds, or an error response if authentication fails.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken' \\\n--header 'Content-Type: application\u002Fjson' \\\n--data-raw '{\n    \"username\": \"wordpress_username\",\n    \"password\": \"wordpress_password\"\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_auth_credential\",\n    \"message\": \"Token created successfully\",\n    \"data\": {\n        \"status\": 200,\n        \"id\": \"2\",\n        \"email\": \"sayandey@outlook.com\",\n        \"nicename\": \"sayan_dey\",\n        \"display_name\": \"Sayan Dey\",\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciO.........\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of error response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_username\",\n    \"message\": \"Error: The username admin_user is not registered on this site. 
If you are unsure of your username, try your email address instead.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you can store it somewhere in your application:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>using a \u003Cstrong>Cookie\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using \u003Cstrong>localStorage\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using a wrapper like \u003Ca href=\"https:\u002F\u002Flocalforage.github.io\u002FlocalForage\u002F\" rel=\"nofollow ugc\">localForage\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fpouchdb.com\u002F\" rel=\"nofollow ugc\">PouchDB\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>or using a local database like SQLite\u003C\u002Fli>\n\u003Cli>or another store of your choice, based on the app you develop\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Then you should pass this token as a \u003Cem>Bearer Authentication\u003C\u002Fem> header with every API call.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer your-generated-token\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Here is an example that creates a WordPress post using JWT authentication.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts' \\\n--header 'Content-Type: application\u002Fjson' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........' \\\n--data '{\n    \"title\": \"Dummy post through API\",\n    \"content\": \"Lorem Ipsum is simply dummy text of the printing and typesetting industry.\",\n    \"status\": \"publish\",\n    \"tags\": [\n        4,\n        5,\n        6\n    ]\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The plugin’s middleware intercepts every request to the server, checking for the presence of the \u003Cstrong>Authorization\u003C\u002Fstrong> header. 
If the header is found, it attempts to decode the JWT token contained within.\u003C\u002Fp>\n\u003Cp>Upon successful decoding, the middleware extracts the user information stored in the token and authenticates the user accordingly, ensuring that only authorized requests are processed.\u003C\u002Fp>\n\u003Ch3>Validating Token\u003C\u002Fh3>\n\u003Cp>This is a helper endpoint to validate a token. You only need to make a \u003Cstrong>POST\u003C\u002Fstrong> request that sends the Bearer Authorization header.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location --request POST 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_valid_token\",\n    \"message\": \"Token is valid\",\n    \"data\": {\n        \"status\": 200\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Errors\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error is returned. Here are some sample errors.\u003C\u002Fp>\n\u003Ch4>Invalid Username\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_username\",\n    \"message\": \"Error: The username admin is not registered on this site. If you are unsure of your username, try your email address instead.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Password\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_incorrect_password\",\n    \"message\": \"Error: The password you entered for the username tiyasha_das is incorrect. 
Lost your password?\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Signature\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Syntax error, malformed JSON\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>No Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_no_auth_header\",\n    \"message\": \"Authorization header not found\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_auth_header\",\n    \"message\": \"Authorization header malformed\",\n    \"data\": {\n        \"status\": 400\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Wrong Algorithm Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Incorrect key for this algorithm\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Unsupported Algorithm\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_unsupported_algorithm\",\n    \"message\": \"Unsupported algorithm see https:\u002F\u002Ftinyurl.com\u002Fuf4ns6fm\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Configuration\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": 
\"simplejwt_bad_config\",\n    \"message\": \"JWT is not configured properly, please contact the admin\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Encryption Key\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_encryption_key\",\n    \"message\": \"Encryption key is not configured properly.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Encryption Key Length\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_enckey_length\",\n    \"message\": \"Encryption key must be exactly 32 characters long\",\n    \"data\": {\n        \"status\": 400\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Available Hooks\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Simple JWT Auth\u003C\u002Fstrong> is a developer-friendly plugin. It has various filter hooks available to override the default settings.\u003C\u002Fp>\n\u003Ch4>simplejwt_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_cors_allow_headers\u003C\u002Fcode> allows you to modify the available headers when the Cross-Origin Resource Sharing (CORS) support is enabled.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the allowed CORS headers.\n *\n * @param   string $headers The allowed headers.\n * @return  string The allowed headers.\n *\u002F\nadd_filter(\"simplejwt_cors_allow_headers\", function ($headers) {\n    \u002F\u002F Modify the headers here.\n    return $headers;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_iss\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_iss\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7519#section-4.1.1\" 
rel=\"nofollow ugc\">\u003Cstrong>iss\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>get_bloginfo( 'url' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token issuer.\n *\n * @param   string $iss The token issuer.\n * @return  string The token issuer.\n *\u002F\nadd_filter(\"simplejwt_auth_iss\", function ($iss) {\n    \u002F\u002F Modify the \"iss\" here.\n    return $iss;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_not_before\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's nbf value.\n *\n * @param   int $not_before The default \"nbf\" value in timestamp.\n * @param   int $issued_at The \"iat\" value in timestamp.\n * @return  int The \"nbf\" value.\n *\u002F\nadd_filter(\n    \"simplejwt_not_before\",\n    function ($not_before, $issued_at) {\n        \u002F\u002F Modify the \"not_before\" here.\n        return $not_before;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_expire\u003C\u002Fcode> allows you to change the value \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default 
value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + ( DAY_IN_SECONDS * 7 )\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's expire value.\n *\n * @param   int $expire The default \"exp\" value in timestamp.\n * @param   int $issued_at The \"iat\" value in timestamp.\n * @return  int The \"exp\" value.\n *\u002F\nadd_filter(\n    \"simplejwt_auth_expire\",\n    function ($expire, $issued_at) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_payload_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_payload_before_sign\u003C\u002Fcode> allows you to modify all the payload data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$payload = [\n    \"iss\" => $this->simplejwt_get_iss(),\n    \"iat\" => $issued_at,\n    \"nbf\" => $not_before,\n    \"exp\" => $expire,\n    \"data\" => [\n        \"user\" => [\n            \"id\" => $user->data->ID,\n        ],\n    ],\n];\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the payload data before being encoded & signed.\n *\n * @param   array $payload The default payload\n * @param   WP_User $user The authenticated user.\n * @return  array The payload data.\n *\u002F\nadd_filter(\n    \"simplejwt_payload_before_sign\",\n    function ($payload, $user) {\n        \u002F\u002F Modify the payload here.\n        return $payload;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_token_before_dispatch\u003C\u002Fcode> allows you to modify the token response before dispatching it to the client.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = new WP_REST_Response(\n    [\n        
\"code\" => \"simplejwt_auth_credential\",\n        \"message\" => JWTNotice::get_notice(\"auth_credential\"),\n        \"data\" => [\n            \"status\" => 200,\n            \"id\" => $user->data->ID,\n            \"email\" => $user->data->user_email,\n            \"nicename\" => $user->data->user_nicename,\n            \"display_name\" => $user->data->display_name,\n            \"token\" => $token,\n        ],\n    ],\n    200,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the JWT response before dispatch.\n *\n * @param   WP_REST_Response $data The token response data.\n * @param   WP_User $user The user object for whom the token is being generated.\n * @return  WP_REST_Response Modified token response data.\n *\u002F\nadd_filter(\n    \"simplejwt_token_before_dispatch\",\n    function ($data, $user) {\n        \u002F\u002F Modify the response data.\n        if ($user instanceof WP_User) {\n        }\n        return $data;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002F\" rel=\"nofollow ugc\">WordPress REST API\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffirebase\u002Fphp-jwt\" rel=\"nofollow ugc\">php-jwt by Firebase\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens for robust authentication, providing a secure and reliable way to access and manage WordPress 
data.",750,"2024-11-17T13:30:00.000Z","6.7.5","7.4",[68,20,21,4,69],"authentication","rest-api","https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-auth.1.0.2.zip",92,{"slug":74,"name":75,"version":76,"author":77,"author_profile":78,"description":79,"short_description":80,"active_installs":81,"downloaded":82,"rating":51,"num_ratings":83,"last_updated":84,"tested_up_to":85,"requires_at_least":86,"requires_php":87,"tags":88,"homepage":93,"download_link":94,"security_score":95,"vuln_count":49,"unpatched_count":27,"last_vuln_date":96,"fetched_at":29},"wp-rest-api-authentication","JWT Authentication for WP REST APIs","4.3.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Cstrong>WordPress REST API endpoints\u003C\u002Fstrong> are \u003Cstrong>open and unsecured by default\u003C\u002Fstrong> which can be used to access your site data. Secure WordPress APIs from unauthorized users with our \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication\" rel=\"nofollow ugc\">JWT Authentication for WP REST APIs plugin\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Our plugin offers below authentication methods to \u003Cstrong>Protect WP REST API endpoints\u003C\u002Fstrong>:\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca 
href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– External Token based Authentication 2.0\u002FOIDC\u002FJWT\u002F\u003Ca href=\"https:\u002F\u002Ffirebase.google.com\u002Fdocs\u002Fauth\u002Fadmin\u002Fcreate-custom-tokens\" rel=\"nofollow ugc\">Firebase\u003C\u002Fa> provider’s token authentication methods.\u003C\u002Fp>\n\u003Cp>You can authenticate default WordPress endpoints and custom-developed REST endpoints and third-party plugin REST API endpoints like that of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">Woocommerce\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">Learndash\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">Buddypress\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.gravityforms.com\u002F\" rel=\"nofollow ugc\">Gravity Forms\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcart-rest-api-for-woocommerce\u002F\" rel=\"ugc\">CoCart\u003C\u002Fa>, etc.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIsyKI7eEV-I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WP REST API Authentication Methods in our plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method#step_a1\" rel=\"nofollow ugc\">JWT 
Authentication\u003C\u002Fa>\u003Cbr \u002F>\nProvides an endpoint where you can pass the user credentials, and it will generate a JWT (JSON Web Token), which you can use to access the WordPress REST APIs accordingly.\u003Cbr \u002F>\nAdditionally, to maintain a seamless user experience without frequent logins needed due to token expiry, you can use our \u003Cem>Refresh and Revoke token\u003C\u002Fem> mechanisms feature.\u003Cbr \u002F>\nWhen the access token expires, instead of forcing the user to log in again, the client can request a new access token using a valid refresh token.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method#step_a\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>:\u003Cbr \u002F>\n        – 1. \u003Cstrong>Username: Password\u003C\u002Fstrong>\u003Cbr \u002F>\n        – 2. \u003Cstrong>Client-ID: Client-Secret\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method#step_a\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n        – 1. \u003Cstrong>Password Grant\u003C\u002Fstrong>\u003Cbr \u002F>\n            – 2. 
\u003Cstrong>Client Credentials Grant\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication-using-third-party-provider#step_a\" rel=\"nofollow ugc\">Third Party Provider Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Following are some of the integrations that are possible with WP REST API Authentication:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Learndash API Authentication\u003C\u002Fli>\n\u003Cli>Custom Built REST API Endpoints Authentication\u003C\u002Fli>\n\u003Cli>BuddyPress API Authentication\u003C\u002Fli>\n\u003Cli>WooCommerce API Authentication\u003C\u002Fli>\n\u003Cli>Gravity Form API Authentication\u003C\u002Fli>\n\u003Cli>External\u002FThird-party plugin API endpoints integration in WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also disable the WP REST APIs with our plugin such that no one can make API calls to your WordPress REST API endpoints. Our plugin also provides \u003Cstrong>Refresh and Revoke Token\u003C\u002Fstrong> that can be used to improve the API security.\u003C\u002Fp>\n\u003Ch3>Benefits of Refresh Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Enhances security by keeping access tokens short-lived.\u003C\u002Fli>\n\u003Cli>Improves user experience with uninterrupted sessions.\u003C\u002Fli>\n\u003Cli>Reduces login frequency.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits of Revoke Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Protects against token misuse if a device is lost or compromised.\u003C\u002Fli>\n\u003Cli>Enables admin-triggered logouts or session control.\u003C\u002Fli>\n\u003Cli>Useful for complying with stricter session policies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With this plugin, the user is allowed to access your site’s resources only after successful WP REST API authentication. 
JWT Authentication for WP REST APIs plugin will make your \u003Cstrong>WordPress endpoints secure from unauthorized access.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Plugin Feature List\u003C\u002Fh3>\n\u003Ch3>FREE PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate only default core WordPress REST API endpoints.\u003C\u002Fli>\n\u003Cli>Basic Authentication with username and password.\u003C\u002Fli>\n\u003Cli>JWT Authentication (JSON Web Token Authentication).\u003C\u002Fli>\n\u003Cli>Enable Selective API protection.\u003C\u002Fli>\n\u003Cli>Restrict non-logged-in users to access REST API endpoints.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>PREMIUM PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate all REST API endpoints (Default WP, Custom APIs,Third-Party plugins)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Token Authentication\u003C\u002Fstrong> (JSON Web Token Authentication)\u003C\u002Fli>\n\u003Cli>Login, Refresh and Revoke token endpoints for token management\u003C\u002Fli>\n\u003Cli>API Key Authentication\u003C\u002Fli>\n\u003Cli>Basic Authentication (username\u002Fpassword and email\u002Fpassword)\u003C\u002Fli>\n\u003Cli>OAuth 2.0 Authentication\u003C\u002Fli>\n\u003Cli>Universal API key and User-specific API key for authentication\u003C\u002Fli>\n\u003Cli>Selective API protection.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003Cli>Time-based token expiry\u003C\u002Fli>\n\u003Cli>Role-based WP REST API authentication\u003C\u002Fli>\n\u003Cli>Custom Header support rather than just \u003Cem>Authorization\u003C\u002Fem> to increase security.\u003C\u002Fli>\n\u003Cli>Create users in WordPress based on third-party provider access tokens (JWT tokens) authentication.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data.\u003C\u002Fp>\n","Secure and protect WordPress REST API from unauthorized access using JWT token, Basic 
Authentication, API Key, OAuth 2, or external token.",20000,490496,73,"2026-02-09T05:11:00.000Z","6.9.4","3.0.1","5.6",[89,90,91,69,92],"api-key","jwt-authentication","rest","secure-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-authentication.4.3.0.zip",97,"2025-04-16 00:00:00",{"slug":98,"name":99,"version":100,"author":77,"author_profile":78,"description":101,"short_description":102,"active_installs":103,"downloaded":104,"rating":13,"num_ratings":105,"last_updated":106,"tested_up_to":85,"requires_at_least":86,"requires_php":87,"tags":107,"homepage":111,"download_link":112,"security_score":113,"vuln_count":26,"unpatched_count":27,"last_vuln_date":114,"fetched_at":29},"login-register-using-jwt","WP Login and Register using JWT","3.2.0","\u003Cp>The \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-login-using-jwt-single-sign-on-sso\" rel=\"nofollow ugc\">WordPress Login and Register using JWT plugin\u003C\u002Fa>\u003C\u002Fstrong> allows you to \u003Cstrong>log in (Single Sign-On)\u003C\u002Fstrong> into your WordPress application using the \u003Cstrong>JWT token(JSON Web token)\u003C\u002Fstrong> obtained from any other WordPress site or other applications\u002Fplatforms including mobile applications. 
This helps users perform \u003Cstrong>autologin to WordPress\u003C\u002Fstrong> and \u003Cstrong>synchronize user sessions\u003C\u002Fstrong> without the need to log in again.\u003C\u002Fp>\n\u003Cp>|\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-login-using-jwt-single-sign-on-sso\" rel=\"nofollow ugc\"> Features \u003C\u002Fa>| \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-single-sign-on-using-jwt-token\" rel=\"nofollow ugc\"> WordPress JWT Login Setup Guide \u003C\u002Fa>|\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\u002Fplaylist?list=PL2vweZ-PcNpevdcrVhs_dQ3qOxc0102wI\" rel=\"nofollow ugc\"> Videos \u003C\u002Fa>|\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WORDPRESS SINGLE SIGN-ON \u002F SSO ( LOGIN INTO WORDPRESS )\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>WordPress Single Sign-On SSO\u003C\u002Fstrong> also simply called \u003Cstrong>WordPress SSO\u003C\u002Fstrong> allows you to login into WordPress using the credentials of other platforms. So, the user will just use a single set of credentials to log in to multiple applications.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress Single Sign-On \u002F SSO using JWT(JSON Web Token)\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>WordPress Single Sign-On (SSO) with JWT\u003C\u002Fstrong> allows you to log into the WordPress site using the user-based JWT token obtained externally when the user authenticates for the first time in any connected external application.\u003Cbr \u002F>\nThe JWT token authentication is the most popular way of authentication nowadays as it is a secure and lightweight protocol. 
The JWT token can be obtained either when a user logs into other platforms via \u003Cstrong>\u003Ca href=\"https:\u002F\u002Foauth.net\u002F\" rel=\"nofollow ugc\">OAuth\u003C\u002Fa>\u002F\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fconnect\u002F\" rel=\"nofollow ugc\">OpenID Connect\u003C\u002Fa>\u003C\u002Fstrong> protocol or can be created explicitly using the user information and secure algorithms.\u003Cbr \u002F>\nWith this plugin, you can easily use the user-based JWT token to log a user in rather than asking them to authenticate again.\u003C\u002Fp>\n\u003Cp>\u003Cem>Let’s take an example\u003C\u002Fem> – If you have a WordPress site and mobile app, now if you are logged into the mobile app, now if you try to access the WordPress site, then to access the particular content, the WordPress site will ask for login again and which is not feasible, so with the JWT SSO (JWT Single Sign-On), you can create the JWT token for the user who is already logged into the mobile app and then on accessing the WordPress site, you can pass that JWT token in the request, using which the same user can authenticate and autologin to the WordPress site and hence won’t need to enter the credentials again.\u003C\u002Fp>\n\u003Cp>It supports possibly all kinds of \u003Cstrong>JWT tokens (access-token\u002Fid-token)\u003C\u002Fstrong> obtained from \u003Cstrong>OAuth\u002FOpenID Connect\u003C\u002Fstrong> providers like \u003Cstrong>AWS Cognito\u003C\u002Fstrong>, \u003Cstrong>Microsoft Azure AD\u003C\u002Fstrong>, \u003Cstrong>Azure B2C\u003C\u002Fstrong>, \u003Cstrong>Okta\u003C\u002Fstrong>, \u003Cstrong>Keycloak\u003C\u002Fstrong>, \u003Cstrong>ADFS\u003C\u002Fstrong>, \u003Cstrong>Google\u003C\u002Fstrong>, \u003Cstrong>Facebook\u003C\u002Fstrong>, \u003Cstrong>Apple\u003C\u002Fstrong>, \u003Cstrong>Discord\u003C\u002Fstrong> and popular applications like \u003Cstrong>Firebase\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>WordPress login using the JWT also called 
\u003Cstrong>JWT SSO (Single Sign-On)\u003C\u002Fstrong> can be done from other platforms and applications including mobile apps (android or IOS), an app built with other programming languages like \u003Cstrong>.NET\u003C\u002Fstrong>, \u003Cstrong>JAVA\u003C\u002Fstrong>, \u003Cstrong>PHP\u003C\u002Fstrong>, \u003Cstrong>JS\u003C\u002Fstrong> etc.\u003C\u002Fp>\n\u003Ch3>Major functionalities\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>WordPress Login Endpoint to create user-based JWT token\u003C\u002Fstrong>\u003Cbr \u002F>\nPlugin provides the following API endpoint, which can be used to authenticate WordPress users and returns a user-based JWT which can be used to create login sessions in WordPress and other external applications.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fapi\u002Fv1\u002Fmo-jwt\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>WordPress Login using JWT\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides a way to auto-login users in WordPress using JWT obtained in a very secure way either via passing JWT token in the URL as a parameter, in the request header or shared via secured cookies.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress user register API endpoint to create users in WordPress using API\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides the following API endpoint to create users in WordPress in an easy way and on successful user registration, you will receive a JWT token in the response which can be used further for user login and WordPress REST API authorization.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>wp-json\u002Fapi\u002Fv1\u002Fmo-jwt-register\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Delete\u002FRemove users from WordPress using the user-based JWT token (JSON Web Token)\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides an API endpoint using which you can pass the JWT token and can easily delete the user and revoke 
access.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>wp-json\u002Fapi\u002Fv1\u002Fmo-jwt-delete\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>More details for the plugin setup can be checked from \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-single-sign-on-using-jwt-token\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>USE CASES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Login to External applications using WordPress credentials\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you are looking to authenticate your WordPress users to log in to external applications, then our plugin provides a login API endpoint using which you can easily authenticate WordPress users and can log in the users to those applications.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Single Sign-On Users using the JWT token provided by OAuth\u002FOpenID providers\u003C\u002Fstrong>\u003Cbr \u002F>\nThis WordPress login and register using the JWT plugin supports the WordPress Single Sign On (WordPress SSO) or WordPress login using the user-based JWT token (id-token\u002Faccess-token) provided by the external OAuth\u002FOpenID Connect providers (like Microsoft Azure AD, Azure B2C, AWS Cognito, Keycloak, Okta, ADFS, Google, Facebook, Apple, Discord and many more..) 
on login in some other sites\u002Fapplications using their credentials.\u003Cbr \u002F>\nSo, the user just needs to log in once on any other sites\u002Fplatforms and a JWT token will be provided by these providers for those users will then be used further with security to autologin in other platforms.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FRR0o80hGvfU?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Automatic WordPress login and site access from mobile app web view | Synchronize WordPress session in the mobile app web view\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a mobile application and want to allow users to access their WordPress site content in the mobile app web view which requires a login so asking the users to enter the credentials again won’t be a good user experience. 
So, our JWT login plugin provides a solution to you in which the user session from the mobile app can be synchronized with the WordPress site and the user can seamlessly access the WordPress site using the user-based JWT token without the need for a WordPress login again.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002F0QPIjelCWvk?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Automatic session synchronization between WordPress and other applications built on React, Node, Next JS, Flutter, Angular, Java, PHP, and C# ….\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a WordPress site connected to any external application built on any framework, then if you want a feature that if a user is logged in to any one application, should be automatically logged in to another as well. 
This can be easily achieved using the secure JWT.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FOMH_FY-xh8Q?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Session sharing between WordPress and other applications sharing the same subdomain (hosted on the same domain)\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a WordPress site and other applications hosted on the same subdomain, such that if the user logs in to any one application, then can be auto-logged into other connected applications on that domain using secure cookie-based JWT token sharing.\u003Cbr \u002F>\nan pass the new user details like username, email, name and password(optional), role etc. 
in the request body and on successful response, your user will get created and the corresponding user-based JWT will be received and the appropriate error response will be returned on the failure.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FLr9spH2PPeY?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent&listType=playlist&list=PL2vweZ-PcNpevdcrVhs_dQ3qOxc0102wI\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Sync user login sessions between multiple platforms (Session sharing)\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you have a WordPress site and other applications sharing the same subdomain and you want the feature in which if a user logged into one site (WordPress or another) and on accessing the other site in the same browser, then that user should get logged in automatically (user session to be synchronized). 
So, this feature is possible to have with our plugin’s JWT cookie-based session-sharing feature.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cp>FREE PLAN\u003C\u002Fp>\n\u003Cp>\u003Cem>Create JWT feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Login API endpoint\u003C\u002Fstrong> to authenticate WordPress users based on username\u002Femail and password\u003C\u002Fli>\n\u003Cli>Supports the JWT token generation using the \u003Cstrong>HS256 signing algorithm\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>JWT token signing with randomly generated secret signing key.\u003C\u002Fli>\n\u003Cli>Default JWT \u003Cstrong>token expiration\u003C\u002Fstrong> is 60 minutes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Registration feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user registration with the default subscriber role.\u003C\u002Fli>\n\u003Cli>Provide a user-based JWT token in the success response.\u003C\u002Fli>\n\u003Cli>No Extra Security key for user registration API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Deletion feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user deletion with JWT token validation using the HS256 signing algorithm.\u003C\u002Fli>\n\u003Cli>No Extra Security key for user deletion API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User login feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allows WordPress login (SSO) using a user-based JWT token with HS256 signing created using the plugin’s Create JWT feature.\u003C\u002Fli>\n\u003Cli>Retrieve the JWT token from the URL parameter to allow auto-login.\u003C\u002Fli>\n\u003Cli>Auto redirection on login to the homepage or on the same page\u002FURL from where the autologin is initiated.\u003C\u002Fli>\n\u003Cli>Default Subscriber role is assigned on login using JWT.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>PREMIUM 
PLAN\u003C\u002Fp>\n\u003Cp>\u003Cem>Create JWT feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Supports JWT token generation using \u003Cstrong>HS256\u003C\u002Fstrong> and the more secure \u003Cstrong>RS256 signing algorithm\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>JWT token signing with a \u003Cstrong>custom secret signing key or certificate\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Custom token expiration to expire the token as per your requirement to improve security.\u003C\u002Fli>\n\u003Cli>Custom JWT token decryption key.\u003C\u002Fli>\n\u003Cli>Revoke and invalidate existing user JWT token whenever a new JWT token is generated for a user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Registration feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user registration with a custom role.\u003C\u002Fli>\n\u003Cli>Provide a user-based JWT token in the success response.\u003C\u002Fli>\n\u003Cli>Extra Security key for user registration API endpoint.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Deletion feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user deletion with JWT token validation using the HS256 signing algorithm.\u003C\u002Fli>\n\u003Cli>Extra Security key for user deletion API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User login feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allows WordPress login (SSO) using a user-based JWT with HS256 signing created either using the plugin’s Create JWT feature or a JWT token obtained from an external source.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT with RS256 signing validation.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT with \u003Cstrong>JWKS token validation\u003C\u002Fstrong> support.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT obtained from an external \u003Cstrong>OAuth\u002FOpenID Connect\u003C\u002Fstrong> 
provider.\u003C\u002Fli>\n\u003Cli>Retrieve the JWT token from the \u003Cstrong>URL parameter\u003C\u002Fstrong>, \u003Cstrong>request header\u003C\u002Fstrong> and \u003Cstrong>cookie\u003C\u002Fstrong> to allow auto-login between platforms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto redirection\u003C\u002Fstrong> on login to the homepage or on the same page\u002FURL from where the autologin is initiated.\u003C\u002Fli>\n\u003Cli>Auto redirection on login to any custom URL.\u003C\u002Fli>\n\u003Cli>User \u003Cstrong>Attribute\u002FProfile\u003C\u002Fstrong> mapping on SSO login.\u003C\u002Fli>\n\u003Cli>Option to assign any WordPress role rather than default subscriber on SSO login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic role and group Mapping\u003C\u002Fstrong> to the user who performs SSO using a JWT token.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SSO Login Audit feature\u003C\u002Fstrong> to track the users who perform login using the JWT token.\u003C\u002Fli>\n\u003Cli>Add-On to \u003Cstrong>share the user session to other applications\u003C\u002Fstrong> using the JWT token stored in the cookie\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Other Related Integrations\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fminiorange-login-with-eve-online-google-facebook\u002F\" rel=\"ugc\">OAuth Single Sign On – SSO (OAuth Client)\u003C\u002Fa>\u003C\u002Fstrong> – This plugin allows Single Sign On – SSO login in your WordPress site using external OAuth 2.0, OpenID Connect Providers\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fminiorange-api-20-single-sign-on\u002F\" rel=\"ugc\">api Single Sign On – SSO Login\u003C\u002Fa>\u003C\u002Fstrong> – This plugin allows Single Sign On – SSO login in your WordPress site using external api, WS-FED Providers\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca 
href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication\u002F\" rel=\"ugc\">WordPress REST API Authentication\u003C\u002Fa>\u003C\u002Fstrong> – This plugin protects your WordPress REST API endpoints from unauthorized access using secure \u003Cstrong>OAuth 2.0\u003C\u002Fstrong>, \u003Cstrong>JWT authentication\u003C\u002Fstrong>, \u003Cstrong>Basic authentication\u003C\u002Fstrong>, \u003Cstrong>Bearer API Key token\u003C\u002Fstrong> and even more.\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data. This plugin uses login.xecurify.com for registration as miniOrange uses login.xecurify.com if the user chooses to register and upgrade to premium. If the user does not want to register then he can continue using the free plugin. (Link to the privacy policy –  https:\u002F\u002Fwww.miniorange.com\u002Fprivacy-policy.pdf )\u003C\u002Fp>\n","WordPress login (WordPress Single Sign-On) using JWT token obtained from other WordPress sites or any other application. 
Synchronize user sessions bet &hellip;",200,8236,5,"2025-12-11T10:14:00.000Z",[108,20,21,109,110],"api","login","single-sign-on","http:\u002F\u002Fminiorange.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-register-using-jwt.3.2.0.zip",99,"2025-11-18 17:17:49",{"slug":116,"name":117,"version":118,"author":119,"author_profile":120,"description":121,"short_description":122,"active_installs":123,"downloaded":124,"rating":13,"num_ratings":26,"last_updated":125,"tested_up_to":85,"requires_at_least":87,"requires_php":126,"tags":127,"homepage":129,"download_link":130,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":36,"fetched_at":131},"wp-simple-rest-api-authentication","Simple REST API Authenticaton with WooCommerce Credentials","1.0.8","oneteamsoftware","https:\u002F\u002Fprofiles.wordpress.org\u002Foneteamsoftware\u002F","\u003Cp>Introducing our \u003Cstrong>Simple REST API Authentication\u003C\u002Fstrong> plugin for WordPress – the ultimate solution for seamless integration between your website and external applications.\u003C\u002Fp>\n\u003Cp>This plugin lets you use Basic Authentication for WordPress REST API and other custom-developed endpoints as well as third-party plugin REST API endpoints with \u003Cstrong>WooCommerce REST API credentials\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>With Simple REST API Authentication plugin, you won’t have to use different credentials or expose your user name and password to upload media to WordPress and then use it for WooCommerce products.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Seamless integration with WooCommerce REST API credentials for WordPress REST API\u003C\u002Fli>\n\u003Cli>Debugging capabilities for troubleshooting\u003C\u002Fli>\n\u003Cli>Flexibility to enable or disable the SSL requirement for added security.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The WordPress REST API is a powerful tool that makes CRUD (Create, Read, Update & 
Delete) operations available from anywhere, instead of being limited to the admin dashboard.\u003C\u002Fp>\n\u003Cp>It provides a lightweight form of communication between the client and the server, making it a great solution for exchanging data.\u003C\u002Fp>\n\u003Cp>This plugin can be used to create iOS\u002FAndroid, etc native apps, and we can use any language we want as long as the language can make HTTP requests and interpret JSON such as Node.js, Express.js, Ruby, Python etc.\u003C\u002Fp>\n\u003Cp>The possibilities are endless with this plugin, and it can be used in hundreds of various scenarios to make your website more accessible, efficient and user-friendly.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Upgrade your website to the next level with our Simple REST API Authentication plugin today!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>These are only a few examples of possible use cases and they are only limited by your imagination and requirement.\u003Cbr \u002F>\nIn case it is not enough, then feel free to \u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fcontact-us\u002F\" rel=\"nofollow ugc\">Contact Us\u003C\u002Fa> and we will find a way to meet your requirements.\u003C\u002Fp>\n\u003Ch3>PREMIUM PLUGINS\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-free-shipping-per-package-pro\u002F\" rel=\"nofollow ugc\">Free Shipping Per Package PRO\u003C\u002Fa> – Free Shipping based on advanced conditions.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-chitchats-shipping\u002F\" rel=\"nofollow ugc\">ChitChats Shipping\u003C\u002Fa> – Ship your packages from Canada via USA as if you were physically there.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-marketplace-cart\u002F\" rel=\"nofollow ugc\">Marketplace Cart\u003C\u002Fa> – Offer Amazon like cart\u002Fcheckout experience for 
your customers.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-package-orders\u002F\" rel=\"nofollow ugc\">Package Orders\u003C\u002Fa> – Automatically create separate orders for items shipped from different locations.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-product-categories-menu\u002F\" rel=\"nofollow ugc\">Product Categories Menu\u003C\u002Fa> – Automatically add entire structure of product categories to any menu.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-sticky-product-bar-pro\u002F\" rel=\"nofollow ugc\">Sticky Product Bar PRO\u003C\u002Fa> – Adds a number of amazing features to a highly configurable sticky product bar.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>FREE PLUGINS\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-shipping-packages\u002F\" rel=\"nofollow ugc\">Shipping Packages\u003C\u002Fa> – Split your cart into packages that can be shipped with different shipping methods.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-sticky-product-bar\u002F\" rel=\"nofollow ugc\">Sticky Product Bar\u003C\u002Fa> – Display sticky bar with product details, rating and add to cart button.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwoocommerce-shipping-discount\u002F\" rel=\"nofollow ugc\">Shipping Discount\u003C\u002Fa> – Configurable shipping discount rules based on the amount spent for the items with a given shipping 
class.\u003C\u002Fli>\n\u003C\u002Ful>\n","Simple REST API Authentication plugin for WordPress - a powerful solution for integrating your website with external applications.",50,2241,"","7.3",[108,128,21,4,69],"basic-auth","https:\u002F\u002F1teamsoftware.com\u002Fproduct\u002Fwordpress-simple-rest-api-authentication\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-simple-rest-api-authentication.zip","2026-03-15T10:48:56.248Z",{"slug":133,"name":134,"version":135,"author":136,"author_profile":137,"description":138,"short_description":139,"active_installs":140,"downloaded":141,"rating":51,"num_ratings":142,"last_updated":143,"tested_up_to":85,"requires_at_least":144,"requires_php":145,"tags":146,"homepage":150,"download_link":151,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":36,"fetched_at":29},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). 
It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) 
for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by 
default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca 
href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) 
{\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each 
request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca 
href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" 
rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    
$secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT 
Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication 
method.",60000,893830,53,"2026-02-18T00:58:00.000Z","4.2","7.4.0",[147,21,148,69,149],"json-web-authentication","oauth","wp-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"attackSurface":153,"codeSignals":234,"taintFlows":264,"riskAssessment":282,"analyzedAt":293},{"hooks":154,"ajaxHandlers":219,"restRoutes":225,"shortcodes":226,"cronEvents":231,"entryPointCount":49,"unprotectedCount":27},[155,161,167,169,173,176,180,183,187,192,196,199,202,205,209,213,216],{"type":156,"name":157,"callback":158,"file":159,"line":160},"filter","rest_allowed_cors_headers","closure","class-auth.php",113,{"type":162,"name":163,"callback":164,"file":165,"line":166},"action","show_user_profile","custom_user_profile_fields","class-devices.php",21,{"type":162,"name":168,"callback":164,"file":165,"line":14},"edit_user_profile",{"type":162,"name":170,"callback":170,"priority":171,"file":165,"line":172},"profile_update",10,27,{"type":162,"name":174,"callback":174,"priority":171,"file":165,"line":175},"after_password_reset",28,{"type":162,"name":177,"callback":178,"priority":171,"file":165,"line":179},"user_register","after_user_creation",29,{"type":156,"name":181,"callback":181,"priority":171,"file":165,"line":182},"jwt_auth_payload",31,{"type":156,"name":184,"callback":185,"priority":171,"file":165,"line":186},"jwt_auth_extra_token_check","check_device_and_pass",32,{"type":162,"name":188,"callback":189,"file":190,"line":191},"init","setup_text_domain","class-setup.php",34,{"type":162,"name":193,"callback":194,"file":190,"line":195},"rest_api_init","register_rest_routes",39,{"type":156,"name":193,"callback":197,"file":190,"line":198},"add_cors_support",40,{"type":156,"name":200,"callback":200,"priority":171,"file":190,"line":201},"rest_pre_dispatch",41,{"type":156,"name":203,"callback":203,"file":190,"line":204},"determine_current_user",42,{"type":162,"name":206,"callback":207,"file":190,"line
":208},"jwt_auth_purge_expired_refresh_tokens","cron_purge_expired_refresh_tokens",54,{"type":162,"name":210,"callback":211,"priority":171,"file":212,"line":166},"in_plugin_update_message-jwt-auth\u002Fjwt-auth.php","display_update_warnings","class-update.php",{"type":162,"name":214,"callback":215,"file":212,"line":14},"admin_notices","display_future_update_warning",{"type":162,"name":217,"callback":188,"file":212,"line":218},"admin_init",23,[220],{"action":221,"nopriv":222,"callback":221,"hasNonce":223,"hasCapCheck":222,"file":165,"line":224},"remove_device",false,true,24,[],[227],{"tag":228,"callback":229,"file":165,"line":230},"jwt_auth_devices","shortcode_jwt_auth_devices",25,[232],{"hook":206,"callback":206,"file":190,"line":233},52,{"dangerousFunctions":235,"sqlUsage":236,"outputEscaping":239,"fileOperations":27,"externalRequests":27,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":260},[],{"prepared":237,"raw":27,"locations":238},4,[],{"escaped":240,"rawEcho":171,"locations":241},33,[242,245,247,249,251,252,253,255,257,258],{"file":165,"line":243,"context":244},317,"raw output",{"file":165,"line":246,"context":244},394,{"file":212,"line":248,"context":244},47,{"file":212,"line":250,"context":244},49,{"file":212,"line":123,"context":244},{"file":212,"line":233,"context":244},{"file":212,"line":254,"context":244},58,{"file":212,"line":256,"context":244},72,{"file":212,"line":83,"context":244},{"file":212,"line":259,"context":244},79,[261],{"name":262,"version":36,"knownCves":263},"Guzzle",[],[265],{"entryPoint":266,"graph":267,"unsanitizedCount":27,"severity":281},"\u003Cclass-devices> (class-devices.php:0)",{"nodes":268,"edges":279},[269,274],{"id":270,"type":271,"label":272,"file":165,"line":273},"n0","source","$_POST (x4)",289,{"id":275,"type":276,"label":277,"file":165,"line":246,"wp_function":278},"n1","sink","echo() [XSS]","echo",[280],{"from":270,"to":275,"sanitized":223},"low",{"summary":283,"deductions":284},"The jwt-auth plugin, version 
3.0.2, exhibits a generally good security posture with several strengths, including 100% of SQL queries using prepared statements and a single nonce check and a single capability check present. The absence of dangerous functions, file operations, and external HTTP requests, coupled with no critical or high severity taint flows, indicates careful coding practices in these areas. However, a critical vulnerability in its history, of the 'Access of Resource Using Incompatible Type' class, warrants attention even though it has been patched, and suggests that the plugin may be susceptible to complex vulnerabilities. The relatively low number of total entry points (2) with none noted as unprotected is also a positive indicator.",[285,288,291],{"reason":286,"points":287},"Critical vulnerability in history (Type Confusion)",15,{"reason":289,"points":290},"Bundled library (Guzzle) - potential for outdated versions",3,{"reason":292,"points":237},"77% proper output escaping - 23% potentially unescaped","2026-03-16T18:04:25.124Z",{"wat":295,"direct":308},{"assetPaths":296,"generatorPatterns":301,"scriptPaths":302,"versionParams":303},[297,298,299,300],"\u002Fwp-content\u002Fplugins\u002Fjwt-auth\u002Fassets\u002Fcss\u002Fjwt-auth-admin.css","\u002Fwp-content\u002Fplugins\u002Fjwt-auth\u002Fassets\u002Fjs\u002Fjwt-auth-admin.js","\u002Fwp-content\u002Fplugins\u002Fjwt-auth\u002Fassets\u002Fjs\u002Fjwt-auth-blocks.js","\u002Fwp-content\u002Fplugins\u002Fjwt-auth\u002Fassets\u002Fjs\u002Fjwt-auth-admin-react.js",[],[298,299,300],[304,305,306,307],"jwt-auth\u002Fassets\u002Fcss\u002Fjwt-auth-admin.css?ver=","jwt-auth\u002Fassets\u002Fjs\u002Fjwt-auth-admin.js?ver=","jwt-auth\u002Fassets\u002Fjs\u002Fjwt-auth-blocks.js?ver=","jwt-auth\u002Fassets\u002Fjs\u002Fjwt-auth-admin-react.js?ver=",{"cssClasses":309,"htmlComments":311,"htmlAttributes":312,"restEndpoints":314,"jsGlobals":318,"shortcodeOutput":320},[310],"jwt-auth-admin-wrapper",[],[313],"data-jwt-auth-nonce",[315,316,317],"\u002Fjwt-auth\
u002Fv1\u002Ftoken","\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate","\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh",[319],"jwt_auth_ajax_object",[]]