[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4mCaiX25ExAm7P4TDh-LWtG9A3KdWSToFIdBXB0rr_c":3,"$fiOGEbMSy9gCTNU-l22mlgEYR_8QNNFNQ60MqisH1Is0":205,"$fB5QLJ38FG-rb2XQmSwii0V2oO-cJxfKGqNnm6WVdgLQ":210},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"discovery_status":29,"vulnerabilities":30,"developer":31,"crawl_stats":27,"alternatives":38,"analysis":134,"fingerprints":191},"jwt-authenticator","JWT Authenticator","1.1","Shawn","https:\u002F\u002Fprofiles.wordpress.org\u002Fshawnxlw\u002F","\u003Cp>This plugin integrates JWT authentication and automates user creation. The plugin is written for AAF Rapid Connect, but can be used for other providers too.\u003C\u002Fp>\n\u003Cp>Here is how this plugin works:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Generate a secrete key with command: tr -dc ‘[[:alnum:][:punct:]]’ \u003C \u002Fdev\u002Furandom | head -c32 ;echo\u003C\u002Fli>\n\u003Cli>Register the key and call back URL http:\u002F\u002Fyoursite.com\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Fcallback with your authentication provider.\u003C\u002Fli>\n\u003Cli>Specify authentication and user creation parameters. 
Those marked with * are required.\u003C\u002Fli>\n\u003C\u002Fol>\n","This plugin integrates JWT authentication and automates user creation.",10,1727,0,"2016-12-01T17:58:00.000Z","4.6.30","3.2","",[19,20,21,22,23],"authentication","jwt","login","sso","token","https:\u002F\u002Fshawnwang.net","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authenticator.zip",85,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":34,"avg_security_score":26,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"shawnxlw",2,20,30,84,"2026-05-20T08:01:12.807Z",[39,57,75,96,117],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":11,"downloaded":47,"rating":13,"num_ratings":13,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":17,"download_link":54,"security_score":55,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":56},"ah-jwt-auth","AH JWT Auth","1.5.4","andrewheberle","https:\u002F\u002Fprofiles.wordpress.org\u002Fandrewheberle\u002F","\u003Cp>This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header that is added by a reverse proxy\u003Cbr \u002F>\nthat sits in front of your WordPress deployment.\u003C\u002Fp>\n\u003Cp>Authentication and optionally role assignment is handled by claims contained in the JWT.\u003C\u002Fp>\n\u003Cp>Verification of the JWT is handled by either:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>a shared secret key\u003C\u002Fli>\n\u003Cli>retrieving a JSON Web Key Set (JWKS) from a configured URL\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>During the login process if the user does not exist an account will be created with a matching role from the JWT.\u003C\u002Fp>\n\u003Cp>If the JWT did not contain a role claim then user is created with the role set in the plugin settings (by default this is the 
subscriber role).\u003C\u002Fp>\n","This plugin allows sign in to WordPress using a JSON Web Token (JWT) contained in a HTTP Header.",2435,"2025-03-05T04:43:00.000Z","6.7.5","4.7","7.0",[53,19,20,21,22],"auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fah-jwt-auth.1.5.4.zip",92,"2026-03-15T15:16:48.613Z",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":13,"downloaded":65,"rating":13,"num_ratings":13,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":69,"tags":70,"homepage":17,"download_link":72,"security_score":73,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":74},"twelve-legs-marketing-sso","Twelve Legs Marketing SSO","1.0.2","websitetwelvelegsmarketing","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebsitetwelvelegsmarketing\u002F","\u003Cp>TWL SSO is a secure single sign-on plugin for WordPress that enables seamless authentication using RS256 JWT tokens from an external SSO application.\u003Cbr \u002F>\nThis plugin provides login security features and is designed for allowing Twelve Legs Marketing centralized authentication management.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Single Sign In\u003C\u002Fstrong>: Agency employees can log into websites they manage from a central dashboard.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Just-in-Time User Provisioning\u003C\u002Fstrong>: Automatic user creation and role assignment\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Validation\u003C\u002Fstrong>: Full RS256 signature verification with JWKS endpoint integration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Key Rotation\u003C\u002Fstrong>: Support key rotation through JWKS endpoint\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role Management\u003C\u002Fstrong>: Flexible role assignment from JWT claims\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Referrer Validation\u003C\u002Fstrong>: Enhanced security through 
referrer validation\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audience Validation\u003C\u002Fstrong>: Ensures tokens are valid for the specific WordPress site\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Expiration\u003C\u002Fstrong>: Built-in token expiration and clock skew tolerance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Validation\u003C\u002Fstrong>: Comprehensive email validation with optional allowlist\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Caching\u003C\u002Fstrong>: JWKS caching for improved performance\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Referrer validation to prevent unauthorized access\u003C\u002Fli>\n\u003Cli>JWT signature verification using public key cryptography\u003C\u002Fli>\n\u003Cli>Issuer validation to ensure tokens come from trusted sources\u003C\u002Fli>\n\u003Cli>Audience validation to prevent token reuse across sites\u003C\u002Fli>\n\u003Cli>Token expiration validation with configurable leeway\u003C\u002Fli>\n\u003Cli>Email format validation and filtering via hook\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Use Cases\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress installations managed centrally by agency\u003C\u002Fli>\n\u003Cli>Organization using Google for external identity provider\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Ch4>Authentication Flow\u003C\u002Fh4>\n\u003Col>\n\u003Cli>User clicks login link from SSO application sso.twelvelegsmarketing.com\u003C\u002Fli>\n\u003Cli>SSO application redirects to WordPress with JWT token: \u003Ccode>\u002Fwp-login.php?action=twl_sso&token=JWT_TOKEN\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Plugin validates the JWT token signature and claims\u003C\u002Fli>\n\u003Cli>Plugin extracts user information from JWT claims\u003C\u002Fli>\n\u003Cli>Plugin creates or retrieves WordPress user\u003C\u002Fli>\n\u003Cli>Plugin assigns appropriate role based on JWT claims\u003C\u002Fli>\n\u003Cli>User is logged into 
WordPress\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>JWT Claims\u003C\u002Fh4>\n\u003Cp>The plugin expects the following JWT claims:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>email\u003C\u002Fcode> or \u003Ccode>sub\u003C\u002Fcode>: User’s email address\u003C\u002Fli>\n\u003Cli>\u003Ccode>iss\u003C\u002Fcode>: Issuer (must match allowed issuers)\u003C\u002Fli>\n\u003Cli>\u003Ccode>aud\u003C\u002Fcode>: Audience (must match WordPress site URL)\u003C\u002Fli>\n\u003Cli>\u003Ccode>exp\u003C\u002Fcode>: Expiration time\u003C\u002Fli>\n\u003Cli>\u003Ccode>nbf\u003C\u002Fcode>: Not before time (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>wp_role\u003C\u002Fcode>: WordPress role to assign (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>name\u003C\u002Fcode>: User’s display name (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>given_name\u003C\u002Fcode>: User’s first name (optional)\u003C\u002Fli>\n\u003Cli>\u003Ccode>family_name\u003C\u002Fcode>: User’s last name (optional)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Configuration\u003C\u002Fh4>\n\u003Cp>The plugin automatically configures itself based on the WordPress environment:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Production\u003C\u002Fstrong>: Only allows \u003Ccode>https:\u002F\u002Fsso.twelvelegsmarketing.com\u003C\u002Fcode> as issuer\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Development\u002FStaging\u003C\u002Fstrong>: Also allows \u003Ccode>https:\u002F\u002Flocalhost:8443\u003C\u002Fcode> as issuer\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Customization\u003C\u002Fh4>\n\u003Cp>You can customize the plugin behavior using WordPress filters:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>twl_sso_allow_email\u003C\u002Fcode>: Filter to control which email addresses are allowed\u003C\u002Fli>\n\u003Cli>\u003Ccode>twl_sso_allowed_roles\u003C\u002Fcode>: Filter to control which roles can be assigned\u003C\u002Fli>\n\u003Cli>\u003Ccode>twl_sso_allowed_issuers\u003C\u002Fcode>: Filter to control which issuers 
are allowed\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support, please contact Twelve Legs Marketing at https:\u002F\u002Ftwelvelegsmarketing.com\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>This plugin does not collect, store, or transmit any personal data. All authentication is handled through secure JWT tokens from your configured SSO provider.\u003C\u002Fp>\n","Single sign-on plugin for WordPress that accepts RS256 JWTs from the TWL SSO application for secure authentication.",202,"2025-10-22T14:34:00.000Z","6.8.5","5.8","8.0",[19,20,21,71,22],"single-sign-on","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwelve-legs-marketing-sso.1.0.2.zip",100,"2026-04-06T09:54:40.288Z",{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":83,"downloaded":84,"rating":55,"num_ratings":85,"last_updated":86,"tested_up_to":67,"requires_at_least":87,"requires_php":88,"tags":89,"homepage":92,"download_link":93,"security_score":55,"vuln_count":94,"unpatched_count":13,"last_vuln_date":95,"fetched_at":28},"google-apps-login","Login for Google Apps","3.5.2","Syed Balkhi","https:\u002F\u002Fprofiles.wordpress.org\u002Fsmub\u002F","\u003Cp>Login for Google Apps allows existing WordPress user accounts to log in to your website using Google to securely authenticate their account. 
This means that if they are already logged into Gmail – they can simply click their way through the WordPress login screen – no username or password is explicitly required!\u003C\u002Fp>\n\u003Cp>Login for Google Apps uses \u003Cstrong>secure oAuth2 authentication recommended by Google\u003C\u002Fstrong>, including 2-factor authentication (2FA) if enabled for your Google Workspace (formerly known as Google Apps and G Suite) accounts.\u003C\u002Fp>\n\u003Cp>This is far simpler to configure than the older SAML protocol.\u003C\u002Fp>\n\u003Cp>Login for Google Apps is trusted by thousands of organizations from schools to large public companies. Login for Google Apps for WordPress is the most popular enterprise grade plugin enabling login and user management based on your Google Workspace domain.\u003C\u002Fp>\n\u003Cp>Its plugin setup requires you to have admin access to any Google Workspace domain, or a regular Gmail account, to register and obtain two simple codes from Google.\u003C\u002Fp>\n\u003Ch4>Support and Premium features\u003C\u002Fh4>\n\u003Cp>Full support and premium features are also available for purchase:\u003C\u002Fp>\n\u003Cp>Eliminate the need for Google Workspace (previously called “Google Apps and G Suite”) domain admins to separately manage WordPress user accounts, and get peace of mind that only authorized employees have access to your organization’s websites and intranet.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>See \u003Ca href=\"https:\u002F\u002Fwp-glogin.com\u002Fglogin\u002F?utm_source=Login%20Readme%20Top&utm_medium=freemium&utm_campaign=Freemium\" rel=\"nofollow ugc\">our website at wp-glogin.com\u003C\u002Fa> for more details.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The Premium version allows everyone in your Google Workspace (Google Apps \u002F G Suite) domain to log in to WordPress – an account will be automatically created in WordPress if one doesn’t already exist.\u003C\u002Fp>\n\u003Cp>Our Enterprise version goes further, allowing you 
to specify granular access and role controls based on Google Group or Organizational Unit membership.\u003C\u002Fp>\n\u003Cp>You can also see logs of accounts created and roles changed by the plugin.\u003C\u002Fp>\n\u003Ch4>Extensible Platform\u003C\u002Fh4>\n\u003Cp>Login for Google Apps allows you to centralize your site’s Google functionality and build your own extensions, or use third-party extensions, which require no configuration themselves and share the same user authentication and permissions that users already allowed for Login for Google Apps itself.\u003C\u002Fp>\n\u003Cp>Using our platform, your website appears to Google accounts as one unified ‘web application’, making it more secure and easier to manage.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwp-glogin.com\u002Fwpgoogledriveembedder\" rel=\"nofollow ugc\">Google Drive Embedder\u003C\u002Fa> is an extension plugin allowing\u003Cbr \u002F>\nusers to browse for Google Drive documents to embed directly in their posts or pages.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwp-glogin.com\u002Fwpgoogleappsdirectory\" rel=\"nofollow ugc\">Google Apps Directory\u003C\u002Fa> is an extension plugin allowing\u003Cbr \u002F>\nlogged-in users to search your Google Apps employee directory from a widget on your intranet or client site.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwp-glogin.com\u002Favatars\u002F?utm_source=Login%20Readme%20Avatars&utm_medium=freemium&utm_campaign=Freemium\" rel=\"nofollow ugc\">Google Profile Avatars\u003C\u002Fa>\u003Cbr \u002F>\nis available on our website. 
It displays users’ Google profile photos in place of their avatars throughout your site.\u003C\u002Fp>\n\u003Cp>Login for Google Apps works on single or multisite WordPress websites or private intranets.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cp>One-click login will work for the following domains and user accounts:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Google Workspace Starter\u003C\u002Fli>\n\u003Cli>Google Workspace Business Standard\u003C\u002Fli>\n\u003Cli>Google Workspace Business Plus\u003C\u002Fli>\n\u003Cli>Google Workspace Enterprise\u003C\u002Fli>\n\u003Cli>Google Workspace for Nonprofits\u003C\u002Fli>\n\u003Cli>Google Workspace for Government\u003C\u002Fli>\n\u003Cli>Google Classroom (Google Workspace for Education)\u003C\u002Fli>\n\u003Cli>Personal gmail.com and googlemail.com emails\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Login for Google Apps uses the latest secure OAuth2 authentication recommended by Google. Other 3rd party authentication plugins may allow you to use your Google username and password to login, but they do not do this securely unless they also use OAuth2. This is discussed further in the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fgoogle-apps-login\u002F#faq\" rel=\"ugc\">FAQ\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Translations\u003C\u002Fh4>\n\u003Cp>This plugin currently operates in multiple languages.\u003C\u002Fp>\n\u003Cp>We welcome volunteers to translate into their own language. 
If you would like to contribute a translation, please open the WordPress.org \u003Ca href=\"https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fgoogle-apps-login\u002F\" rel=\"nofollow ugc\">Translation portal\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Website and Upgrades\u003C\u002Fh4>\n\u003Cp>Please see our website \u003Ca href=\"https:\u002F\u002Fwp-glogin.com\u002F?utm_source=Login%20Readme%20Website&utm_medium=freemium&utm_campaign=Freemium\" rel=\"nofollow ugc\">https:\u002F\u002Fwp-glogin.com\u002F\u003C\u002Fa> for more information about this free plugin and extra features available in our Premium and Enterprise upgrades, plus support details, other plugins, and useful guides for admins of WordPress sites and Google Apps.\u003C\u002Fp>\n\u003Cp>The \u003Ca href=\"https:\u002F\u002Fwp-glogin.com\u002Fglogin\u002F?utm_source=Login%20Readme%20PremEnt&utm_medium=freemium&utm_campaign=Freemium\" rel=\"nofollow ugc\">Premium and Enterprise versions\u003C\u002Fa> eliminate the need to manage user accounts in your WordPress site – everything is synced from Google Apps instead.\u003C\u002Fp>\n\u003Cp>If you are building your organization’s intranet on WordPress, try out our \u003Ca href=\"https:\u002F\u002Fwp-glogin.com\u002Fintranet\u002F?utm_source=Login%20Readme%20AIOI&utm_medium=freemium&utm_campaign=Freemium\" rel=\"nofollow ugc\">All-In-One Intranet plugin\u003C\u002Fa>.\u003C\u002Fp>\n","Simple secure login and user management through your Google Workspace for WordPress (using oAuth2 and MFA if enabled).",10000,664671,64,"2025-05-08T16:01:00.000Z","5.5","7.2",[19,90,21,91,22],"google","oauth","https:\u002F\u002Fwp-glogin.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-apps-login.3.5.2.zip",1,"2022-12-01 
00:00:00",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":104,"downloaded":105,"rating":73,"num_ratings":106,"last_updated":107,"tested_up_to":108,"requires_at_least":109,"requires_php":88,"tags":110,"homepage":113,"download_link":114,"security_score":115,"vuln_count":94,"unpatched_count":13,"last_vuln_date":116,"fetched_at":28},"jwt-auth","JWT Auth – WordPress JSON Web Token Authentication","3.0.2","Bagus","https:\u002F\u002Fprofiles.wordpress.org\u002Fcontactjavas\u002F","\u003Cp>WordPress JSON Web Token Authentication allows you to do REST API authentication via token. It is a simple, non-complex, and easy to use. This plugin probably is the most convenient way to do JWT Authentication in WordPress.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support & question: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fjwt-auth\u002F\" rel=\"ugc\">WordPress support forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Reporting plugin’s bug: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub issues tracker\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FDgECpEg\" rel=\"nofollow ugc\">Discord channel\u003C\u002Fa> also available for faster response.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Upgrading to v3\u003C\u002Fh3>\n\u003Cp>When updating from v2 to v3, familiarise yourself with its changes to ensure that your site continues to work as expected:\u003C\u002Fp>\n\u003Ch4>New: Refresh tokens ([docs](https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth#refreshing-the-access-token))\u003C\u002Fh4>\n\u003Cp>Key changes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Default JWT access token expiry time has been reduced from 7 days to 10 minutes.\u003C\u002Fli>\n\u003Cli>On expiry of a JWT, clients need to retrieve a new access token using the \u003Ca 
href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth#refreshing-the-access-token\" rel=\"nofollow ugc\">refresh token as described here\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>To retain the 7 day expiry time, use the hook \u003Ccode>jwt_auth_expire\u003C\u002Fcode>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Removed Whitelist\u003C\u002Fh4>\n\u003Cp>Key changes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>You no longer need to whitelist REST paths from other plugins with the hook \u003Ccode>jwt_auth_whitelist\u003C\u002Fcode>. You can remove the hook.\u003C\u002Fli>\n\u003Cli>Instead, custom REST API routes should have access requirements specified with the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Fextending-the-rest-api\u002Fadding-custom-endpoints\u002F#permissions-callback\" rel=\"nofollow ugc\">permissions callback\u003C\u002Fa> when it is registered.\u003C\u002Fli>\n\u003Cli>This means that if a route requires authentication, any authentication method can be used and this should reduce conflicts between this and other plugins. 
See \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fpull\u002F60\" rel=\"nofollow ugc\">this discussion\u003C\u002Fa> for further information.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Enable PHP HTTP Authorization Header\u003C\u002Fh3>\n\u003Ch4>Shared Hosts\u003C\u002Fh4>\n\u003Cp>Most shared hosts have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPEngine\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following (see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1\" rel=\"nofollow ugc\">this issue\u003C\u002Fa>):\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch4>Configurate the Secret Key\u003C\u002Fh4>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. 
This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never be revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can use a string from \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Configurate CORs Support\u003C\u002Fh4>\n\u003Cp>This plugin has the option to activate \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORs\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable the CORs Support edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, three new \u003Cem>POST\u003C\u002Fem> endpoints are added to this namespace.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\n\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Requesting\u002F Generating Token\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate token, submit a POST request to this endpoint. 
With \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters.\u003C\u002Fp>\n\u003Cp>It will validates the user credentials, and returns success response including a token if the authentication is correct or returns an error response if the authentication is failed.\u003C\u002Fp>\n\u003Cp>You can use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to let user manage the device access in your profile. If this parameter is empty, it is ignored.\u003C\u002Fp>\n\u003Ch4>Sample of success response when trying to generate token:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": true,\n    \"statusCode\": 200,\n    \"code\": \"jwt_auth_valid_credential\",\n    \"message\": \"Credential is valid\",\n    \"data\": {\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw\",\n        \"id\": 1,\n        \"email\": \"contactjavas@gmail.com\",\n        \"nicename\": \"contactjavas\",\n        \"firstName\": \"Bagus Javas\",\n        \"lastName\": \"Heruyanto\",\n        \"displayName\": \"contactjavas\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of error response when trying to generate token:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"invalid_username\",\n    \"message\": \"Unknown username. Try again or check your email address.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application. 
It can be:\u003Cbr \u002F>\n– using \u003Cstrong>cookie\u003C\u002Fstrong>\u003Cbr \u002F>\n– or using \u003Cstrong>localstorage\u003C\u002Fstrong>\u003Cbr \u002F>\n– or using a wrapper like \u003Ca href=\"https:\u002F\u002Flocalforage.github.io\u002FlocalForage\u002F\" rel=\"nofollow ugc\">localForage\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fpouchdb.com\u002F\" rel=\"nofollow ugc\">PouchDB\u003C\u002Fa>\u003Cbr \u002F>\n– or using local database like SQLite or \u003Ca href=\"https:\u002F\u002Fdocs.hivedb.dev\u002F#\u002F\" rel=\"nofollow ugc\">Hive\u003C\u002Fa>\u003Cbr \u002F>\n– or your choice based on app you develop 😉\u003C\u002Fp>\n\u003Cp>Then you should pass this token as \u003Cem>Bearer Authentication\u003C\u002Fem> header to every API call. The header format is:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer your-generated-token\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>and here’s an example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw\";\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>jwt-auth\u003C\u002Fstrong> will intercept every call to the server and will look for the authorization header, if the authorization header is present, it will try to decode the token and will set the user according with the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as always.\u003C\u002Fp>\n\u003Ch3>Validating Token\u003C\u002Fh3>\n\u003Cp>You likely \u003Cstrong>don’t need\u003C\u002Fstrong> to validate the token your self. 
The plugin handle it for you like explained above.\u003C\u002Fp>\n\u003Cp>But if you want to test or validate the token manually, then send a \u003Cstrong>POST\u003C\u002Fstrong> request to this endpoint (don’t forget to set your \u003Cem>Bearer Authorization\u003C\u002Fem> header):\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Valid Token Response:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": true,\n    \"statusCode\": 200,\n    \"code\": \"jwt_auth_valid_token\",\n    \"message\": \"Token is valid\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Refreshing the Access Token\u003C\u002Fh3>\n\u003Cp>For security reasons, third-party applications that are integrating with your authentication server will not store the user’s username and password. Instead they will store the refresh token in a user-specific storage that is only accessible for the user. The refresh token can be used to re-authenticate as the same user and generate a new access token.\u003C\u002Fp>\n\u003Cp>When authenticating with \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters to \u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fcode>, a refresh token is sent as a cookie in the response.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate new access token using the refresh token, submit a POST request to the token endpoint together with the \u003Ccode>refresh_token\u003C\u002Fcode> cookie.\u003C\u002Fp>\n\u003Cp>Use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the token with that device.\u003C\u002Fp>\n\u003Cp>If the refresh token is valid, then you receive a new access token in the response.\u003C\u002Fp>\n\u003Cp>By default, each access token expires after 10 
minutes.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate new refresh token using the refresh token, submit a POST request to the token refresh endpoint together with the \u003Ccode>refresh_token\u003C\u002Fcode> cookie.\u003C\u002Fp>\n\u003Cp>Use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the refresh token with that device.\u003C\u002Fp>\n\u003Cp>If the refresh token is valid, then you receive a new refresh token as a cookie in the response.\u003C\u002Fp>\n\u003Cp>By default, each refresh token expires after 30 days.\u003C\u002Fp>\n\u003Ch4>Refresh Token Rotation\u003C\u002Fh4>\n\u003Cp>Whenever you are authenticating afresh or refreshing the refresh token, only the last issued refresh token remains valid. All previously issued refresh tokens can no longer be used.\u003C\u002Fp>\n\u003Cp>This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticated, use the parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the refresh token only with that device.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl -F device=\"abc-def\" -F username=myuser -F password=mypass \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\n\ncurl -F device=\"abc-def\" -b \"refresh_token=123.abcdef...\" \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\n\ncurl -F device=\"abc-def\" -b \"refresh_token=123.abcdef...\" \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Errors\u003C\u002Fh3>\n\u003Cp>If the token is invalid an error will be returned. 
Here are some samples of errors:\u003C\u002Fp>\n\u003Ch4>No Secret Key\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_config\",\n    \"message\": \"JWT is not configured properly.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>No HTTP_AUTHORIZATION Header\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_no_auth_header\",\n    \"message\": \"Authorization header not found.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Iss\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_iss\",\n    \"message\": \"The iss do not match with this server.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Signature\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Incomplete Payload\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_request\",\n    \"message\": \"User ID not found in the token.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>User Not Found\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_user_not_found\",\n    \"message\": \"User doesn't exist\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Obsolete Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n   
 \"statusCode\": 403,\n    \"code\": \"jwt_auth_obsolete_token\",\n    \"message\": \"Token is obsolete\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_invalid_refresh_token\",\n    \"message\": \"Invalid refresh token\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Obsolete Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_obsolete_refresh_token\",\n    \"message\": \"Refresh token is obsolete\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_expired_refresh_token\",\n    \"message\": \"Refresh token has expired\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Available Filter Hooks\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>JWT Auth\u003C\u002Fstrong> is developer friendly and has some filters available to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_cors_allow_headers\u003C\u002Fcode> allows you to modify the available headers when the CORs support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'X-Requested-With, Content-Type, Accept, Origin, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the allowed CORS headers.\n *\n * @param string $headers The allowed headers.\n * @return string The allowed headers.\n *\u002F\nadd_filter(\n    'jwt_auth_cors_allow_headers',\n    function ( $headers ) {\n        \u002F\u002F Modify the headers here.\n        return $headers;\n    
}\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_iss\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_iss\u003C\u002Fstrong> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.1\" rel=\"nofollow ugc\">\u003Cstrong>iss\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>get_bloginfo( 'url' )\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token issuer.\n *\n * @param string $iss The token issuer.\n * @return string The token issuer.\n *\u002F\nadd_filter(\n    'jwt_auth_iss',\n    function ( $iss ) {\n        \u002F\u002F Modify the \"iss\" here.\n        return $iss;\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_not_before\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F\u002F Creation time.\ntime()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's nbf value.\n *\n * @param int $not_before The default \"nbf\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n *\n * @return int The \"nbf\" value.\n *\u002F\nadd_filter(\n    'jwt_auth_not_before',\n    function ( $not_before, $issued_at ) {\n        \u002F\u002F Modify the \"not_before\" here.\n        return $not_before;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_expire\u003C\u002Fcode> allows you to change the value \u003Ca 
href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's expire value.\n *\n * @param int $expire The default \"exp\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n *\n * @return int The \"nbf\" value.\n *\u002F\nadd_filter(\n    'jwt_auth_expire',\n    function ( $expire, $issued_at ) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_refresh_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_refresh_expire\u003C\u002Fcode> filter hook allows you to change the expiration date of the refresh token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 30)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the refresh token's expiration time.\n *\n * @param int $expire The default expiration timestamp.\n * @param int $issued_at The current time.\n *\n * @return int The custom refresh token expiration timestamp.\n *\u002F\nadd_filter(\n    'jwt_auth_refresh_expire',\n    function ( $expire, $issued_at ) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_alg\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_alg\u003C\u002Fcode> allows you to change the supported signing \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-jose-json-web-algorithms-40\" rel=\"nofollow ugc\">algorithm\u003C\u002Fa> for your 
application.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'HS256'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's signing algorithm.\n *\n * @param string $alg The default supported signing algorithm.\n * @return string The supported signing algorithm.\n *\u002F\nadd_filter(\n    'jwt_auth_alg',\n    function ( $alg ) {\n        \u002F\u002F Change the signing algorithm here.\n        return $alg;\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_payload\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_payload\u003C\u002Fcode> allows you to modify all the payload \u002F token data before being encoded and signed.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issued_at,\n    'nbf' => $not_before,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the payload\u002F token's data before being encoded & signed.\n *\n * @param array $payload The default payload\n * @param WP_User $user The authenticated user.\n * .\n * @return array The payload\u002F token's data.\n *\u002F\nadd_filter(\n    'jwt_auth_payload',\n    function ( $payload, $user ) {\n        \u002F\u002F Modify the payload here.\n        return $payload;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_valid_credential_response\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_valid_credential_response\u003C\u002Fcode> allows you to modify the valid credential response when generating a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$response = array(\n    'success'    => true,\n    'statusCode' => 200,\n    'code'       
=> 'jwt_auth_valid_credential',\n    'message'    => __( 'Credential is valid', 'jwt-auth' ),\n    'data'       => array(\n        'token'       => $token,\n        'id'          => $user->ID,\n        'email'       => $user->user_email,\n        'nicename'    => $user->user_nicename,\n        'firstName'   => $user->first_name,\n        'lastName'    => $user->last_name,\n        'displayName' => $user->display_name,\n    ),\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the response of valid credential.\n *\n * @param array $response The default valid credential response.\n * @param WP_User $user The authenticated user.\n * .\n * @return array The valid credential response.\n *\u002F\nadd_filter(\n    'jwt_auth_valid_credential_response',\n    function ( $response, $user ) {\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>jwt_auth_valid_token_response\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>jwt_auth_valid_token_response\u003C\u002Fstrong> allows you to modify the valid token response when validating a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$response = array(\n    'success'    => true,\n    'statusCode' => 200,\n    'code'       => 'jwt_auth_valid_token',\n    'message'    => __( 'Token is valid', 'jwt-auth' ),\n    'data'       => array(),\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the response of valid token.\n *\n * @param array $response The default valid token response.\n * @param WP_User $user The authenticated user.\n * @param string $token The raw token.\n * @param array $payload The token data.\n * .\n * @return array The valid token response.\n *\u002F\nadd_filter(\n    'jwt_auth_valid_token_response',\n    function ( $response, $user, $token, $payload ) 
{\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    4\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>jwt_auth_extra_token_check\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>jwt_auth_extra_token_check\u003C\u002Fstrong> filter allows you to add extra criteria for validating the token. If the filter returns an empty value, validation proceeds as normal; return an empty value to bypass the filter. Any other value blocks access for that token and returns a response with code \u003Ccode>jwt_auth_obsolete_token\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>''\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the validation of token. No-empty values block token validation.\n *\n * @param array $response An empty value ''.\n * @param WP_User $user The authenticated user.\n * @param string $token The raw token.\n * @param array $payload The token data.\n * .\n * @return array The valid token response.\n *\u002F\nadd_filter(\n    'jwt_auth_extra_token_check',\n    function ( $response, $user, $token, $payload ) {\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    4\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffirebase\u002Fphp-jwt\" rel=\"nofollow ugc\">PHP-JWT from firebase\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F\" rel=\"ugc\">JWT Authentication for WP REST API\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpesseba\" rel=\"nofollow ugc\">Devices utility by pesseba\u003C\u002Fa>\u003Cbr \u002F>\nThe \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fcollaborators\" rel=\"nofollow ugc\">awesome maintainers\u003C\u002Fa> and \u003Ca 
href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fgraphs\u002Fcontributors\" rel=\"nofollow ugc\">contributors\u003C\u002Fa>\u003C\u002Fp>\n","Create JSON Web Token Authentication in WordPress.",6000,109875,22,"2024-05-07T21:38:00.000Z","6.5.8","5.2",[111,20,97,112],"json-web-token","token-authentication","https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-auth.zip",83,"2022-11-11 00:00:00",{"slug":118,"name":119,"version":120,"author":121,"author_profile":122,"description":123,"short_description":124,"active_installs":104,"downloaded":125,"rating":126,"num_ratings":127,"last_updated":128,"tested_up_to":49,"requires_at_least":87,"requires_php":129,"tags":130,"homepage":17,"download_link":133,"security_score":73,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"login-with-google","Log in with Google","1.4.2","rtCamp","https:\u002F\u002Fprofiles.wordpress.org\u002Frtcamp\u002F","\u003Cp>Ultra minimal plugin to let your users login to WordPress applications using their Google accounts. 
No more remembering hefty passwords!\u003C\u002Fp>\n\u003Ch3>Initial Setup\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>Create a project from \u003Ca href=\"https:\u002F\u002Fconsole.developers.google.com\u002Fapis\u002Fdashboard\" rel=\"nofollow ugc\">Google Developers Console\u003C\u002Fa> if none exists.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Go to \u003Cstrong>Credentials\u003C\u002Fstrong> tab, then create credential for OAuth client.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Application type will be \u003Cstrong>Web Application\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Add \u003Ccode>YOUR_DOMAIN\u002Fwp-login.php\u003C\u002Fcode> in \u003Cstrong>Authorized redirect URIs\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>This will give you \u003Cstrong>Client ID\u003C\u002Fstrong> and \u003Cstrong>Secret key\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Input these values either in \u003Ccode>WP Admin > Settings > WP Google Login\u003C\u002Fcode>, or in \u003Ccode>wp-config.php\u003C\u002Fcode> using the following code snippet:\u003C\u002Fp>\n\u003Cp>\u003Ccode>define( 'WP_GOOGLE_LOGIN_CLIENT_ID', 'YOUR_GOOGLE_CLIENT_ID' );\u003Cbr \u002F>\ndefine( 'WP_GOOGLE_LOGIN_SECRET', 'YOUR_SECRET_KEY' );\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Browser support\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fdevelopers.google.com\u002Fidentity\u002Fgsi\u002Fweb\u002Fguides\u002Fsupported-browsers\" rel=\"nofollow ugc\">These browsers are supported\u003C\u002Fa>. 
Note, for example, that One Tap Login is not supported in Safari.\u003C\u002Fp>\n\u003Ch3>How to enable automatic user registration\u003C\u002Fh3>\n\u003Cp>You can enable user registration either by\u003Cbr \u002F>\n– Enabling \u003Cem>Settings > WP Google Login > Enable Google Login Registration\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>OR\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Adding\u003Cbr \u002F>\n\u003Ccode>define( 'WP_GOOGLE_LOGIN_USER_REGISTRATION', 'true' );\u003C\u002Fcode>\u003Cbr \u002F>\nin wp-config.php file.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Note:\u003C\u002Fstrong> If the checkbox is ON then, it will register valid Google users even when WordPress default setting, under\u003C\u002Fp>\n\u003Cp>\u003Cem>Settings > General Settings > Membership > Anyone can register\u003C\u002Fem> checkbox\u003C\u002Fp>\n\u003Cp>is OFF.\u003C\u002Fp>\n\u003Ch3>Restrict user registration to one or more domain(s)\u003C\u002Fh3>\n\u003Cp>By default, when you enable user registration via constant \u003Ccode>WP_GOOGLE_LOGIN_USER_REGISTRATION\u003C\u002Fcode> or enable \u003Cem>Settings > WP Google Login > Enable Google Login Registration\u003C\u002Fem>, it will create a user for any Google login (including gmail.com users). If you are planning to use this plugin on a private, internal site, then you may like to restrict user registration to users under a single Google Suite organization. This configuration variable does that.\u003C\u002Fp>\n\u003Cp>Add your domain name, without any schema prefix and \u003Ccode>www,\u003C\u002Fcode> as the value of \u003Ccode>WP_GOOGLE_LOGIN_WHITELIST_DOMAINS\u003C\u002Fcode> constant or in the settings \u003Ccode>Settings > WP Google Login > Whitelisted Domains\u003C\u002Fcode>. You can whitelist multiple domains. Please separate domains with commas. 
See the below example to know how to do it via constants:\u003Cbr \u002F>\n    \u003Ccode>define( 'WP_GOOGLE_LOGIN_WHITELIST_DOMAINS', 'example.com,sample.com' );\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note:\u003C\u002Fstrong> If a user already exists, they \u003Cstrong>will be allowed to login with Google\u003C\u002Fstrong> regardless of whether their domain is whitelisted or not. Whitelisting will only prevent users from \u003Cstrong>registering\u003C\u002Fstrong> with email addresses from non-whitelisted domains.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Cp>For a list of all hooks please refer to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FrtCamp\u002Flogin-with-google#hooks\" rel=\"nofollow ugc\">this documentation\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>wp-config.php parameters list\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Ccode>WP_GOOGLE_LOGIN_CLIENT_ID\u003C\u002Fcode> (string): Google client ID of your application.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ccode>WP_GOOGLE_LOGIN_SECRET\u003C\u002Fcode> (string): Secret key of your application\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ccode>WP_GOOGLE_LOGIN_USER_REGISTRATION\u003C\u002Fcode> (boolean) (optional): Set \u003Ccode>true\u003C\u002Fcode> If you want to enable new user registration. By default, user registration defers to \u003Ccode>Settings > General Settings > Membership\u003C\u002Fcode> if constant is not set.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ccode>WP_GOOGLE_LOGIN_WHITELIST_DOMAINS\u003C\u002Fcode> (string) (optional): Domain names, if you want to restrict login with your custom domain. By default, it will allow all domains. 
You can whitelist multiple domains.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>BTW, We’re Hiring!\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Frtcamp.com\u002Fcareers\u002F\" rel=\"nofollow ugc\">\u003C\u002Fa>\u003C\u002Fp>\n","Minimal plugin that allows WordPress users to log in using Google.",120101,90,15,"2026-02-20T14:59:00.000Z","7.4",[19,131,91,132,22],"google-login","sign-in","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-with-google.1.4.2.zip",{"attackSurface":135,"codeSignals":167,"taintFlows":182,"riskAssessment":183,"analyzedAt":190},{"hooks":136,"ajaxHandlers":156,"restRoutes":157,"shortcodes":165,"cronEvents":166,"entryPointCount":94,"unprotectedCount":94},[137,143,148,152],{"type":138,"name":139,"callback":140,"file":141,"line":142},"action","rest_api_init","closure","auth.php",13,{"type":144,"name":145,"callback":146,"file":141,"line":147},"filter","login_message","the_login_message",97,{"type":138,"name":149,"callback":150,"file":151,"line":127},"admin_menu","ja_add_admin_menu","settings.php",{"type":138,"name":153,"callback":154,"file":151,"line":155},"admin_init","ja_settings_init",16,[],[158],{"namespace":159,"route":160,"methods":161,"callback":163,"permissionCallback":27,"file":141,"line":164},"jwt-auth\u002Fv1","callback",[162],"POST","ja_login",14,[],[],{"dangerousFunctions":168,"sqlUsage":169,"outputEscaping":171,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":181},[],{"prepared":13,"raw":13,"locations":170},[],{"escaped":172,"rawEcho":173,"locations":174},24,3,[175,178,180],{"file":151,"line":176,"context":177},32,"raw output",{"file":151,"line":179,"context":177},275,{"file":151,"line":179,"context":177},[],[],{"summary":184,"deductions":185},"The \"jwt-authenticator\" plugin v1.0 exhibits a mixed security posture.  
A significant concern is the presence of a REST API route that lacks any permission callback, creating a direct and unprotected entry point into the WordPress application.  While the static analysis shows no dangerous functions, 100% prepared SQL statements, and high output escaping, the absence of capability checks on the identified REST API route is a critical oversight.  The plugin's vulnerability history is clean, with no known CVEs, which is a positive indicator of general stability.  However, this lack of historical vulnerabilities should not overshadow the immediate risk posed by the unprotected REST API endpoint, which could potentially be exploited by unauthenticated attackers.",[186,188],{"reason":187,"points":127},"Unprotected REST API route",{"reason":189,"points":11},"Missing capability checks on entry points","2026-03-16T23:57:25.195Z",{"wat":192,"direct":197},{"assetPaths":193,"generatorPatterns":194,"scriptPaths":195,"versionParams":196},[],[],[],[],{"cssClasses":198,"htmlComments":199,"htmlAttributes":200,"restEndpoints":201,"jsGlobals":203,"shortcodeOutput":204},[],[],[],[202],"\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Fcallback",[],[],{"error":206,"url":207,"statusCode":208,"statusMessage":209,"message":209},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fjwt-authenticator\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":13,"versions":211},[]]