[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhAaazVmgaM0PktBy9qzPfoK2-tGv3c5lKt4z6phDigo":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":22,"download_link":23,"security_score":24,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":34,"analysis":129,"fingerprints":370},"pkl-wpz-rest-api-auth","PKL WPz REST API Authentication","1.1.0","Kittinan Lamkaek","https:\u002F\u002Fprofiles.wordpress.org\u002Fkittlam\u002F","\u003Cp>PKL WPz REST API Authentication provides a simple way to authenticate WordPress REST API requests using API keys. Users can generate their own API keys from their profile page and use them to make authenticated API requests.\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>User-friendly API key generation from profile page\u003C\u002Fli>\n\u003Cli>Secure API key storage with WordPress security standards\u003C\u002Fli>\n\u003Cli>Easy integration with WordPress REST API\u003C\u002Fli>\n\u003Cli>Support for Bearer token authentication\u003C\u002Fli>\n\u003Cli>API key revocation capability\u003C\u002Fli>\n\u003Cli>Admin can manage all users’ API keys\u003C\u002Fli>\n\u003Cli>Multiple authentication methods (Bearer Token, X-API-Key Header, Form-data, Query Parameter)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Developer Documentation\u003C\u002Fh3>\n\u003Cp>For detailed API documentation and examples, visit the plugin settings page in your WordPress admin.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support and feature requests, please visit our GitHub repository \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FPalmiizKittinan\" rel=\"nofollow ugc\">@PalmiizKittinan\u003C\u002Fa> 
.\u003C\u002Fp>\n","Control WordPress REST API access by requiring user authentication with API key system.",0,194,"2025-10-04T08:48:00.000Z","6.8.5","5.0","7.4",[18,19,20,21],"api-key","authentication","rest-api","security","https:\u002F\u002Fgithub.com\u002FPalmiizKittinan\u002Fpkl-wpz-rest-api-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpkl-wpz-rest-api-auth.1.1.0.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":11,"avg_security_score":24,"avg_patch_time_days":31,"trust_score":32,"computed_at":33},"kittlam",1,30,94,"2026-04-04T05:55:39.991Z",[35,54,79,97,113],{"slug":36,"name":37,"version":38,"author":39,"author_profile":40,"description":41,"short_description":42,"active_installs":43,"downloaded":44,"rating":11,"num_ratings":11,"last_updated":45,"tested_up_to":46,"requires_at_least":15,"requires_php":47,"tags":48,"homepage":51,"download_link":52,"security_score":53,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":26},"rest-api-key-authentication","WP REST API Key Authentication","1.0","Kamal Hosen","https:\u002F\u002Fprofiles.wordpress.org\u002Fikamal\u002F","\u003Cp>\u003Cstrong>WP REST API Key Authentication\u003C\u002Fstrong> adds a simple API key-based authentication method to the WordPress REST API. 
This plugin is perfect for developers who want to interact with the REST API securely without relying on complex OAuth authentication mechanisms.\u003C\u002Fp>\n\u003Ch3>Key Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Multiple API Keys\u003C\u002Fstrong>: Create and manage multiple API keys with custom names.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure API Key Storage\u003C\u002Fstrong>: API keys are hashed and securely stored in the WordPress database.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Display for Security\u003C\u002Fstrong>: API keys are shown only once after creation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST API Access Control\u003C\u002Fstrong>: Authenticate requests by including an API key in the \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Interface\u003C\u002Fstrong>: Manage API keys with a user-friendly admin page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Copy to Clipboard Popup\u003C\u002Fstrong>: Easily copy generated API keys with a built-in popup.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin is lightweight and integrates seamlessly with WordPress.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>\u003Cstrong>Generate an API Key\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Go to \u003Cstrong>API Keys\u003C\u002Fstrong> in the WordPress admin menu.\u003C\u002Fli>\n\u003Cli>Enter a name for the API key and click “Generate API Key”.\u003C\u002Fli>\n\u003Cli>The API key will appear in a popup. 
Copy it immediately, as it will not be displayed again.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Use the API Key\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Include the API key in the \u003Ccode>Authorization\u003C\u002Fcode> header of your REST API requests:\u003Cbr \u002F>\n \u003Ccode>Authorization: Bearer YOUR_API_KEY\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Delete API Keys\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>To revoke access, delete an API key from the \u003Cstrong>API Keys\u003C\u002Fstrong> admin page.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later. See the License URI for details.\u003C\u002Fp>\n","A simple plugin to add API key-based authentication to the WordPress REST API. Manage multiple API keys and secure your REST API endpoints.",20,952,"2025-01-16T09:18:00.000Z","6.7.5","7.2",[49,50,18,20,21],"access-control","api-authentication","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-key-authentication.1.0.zip",92,{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":62,"downloaded":63,"rating":64,"num_ratings":65,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":69,"tags":70,"homepage":74,"download_link":75,"security_score":76,"vuln_count":77,"unpatched_count":11,"last_vuln_date":78,"fetched_at":26},"wp-rest-api-authentication","JWT Authentication for WP REST APIs","4.3.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Cstrong>WordPress REST API endpoints\u003C\u002Fstrong> are \u003Cstrong>open and unsecured by default\u003C\u002Fstrong> which can be used to access your site data. 
Secure WordPress APIs from unauthorized users with our \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication\" rel=\"nofollow ugc\">JWT Authentication for WP REST APIs plugin\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Our plugin offers below authentication methods to \u003Cstrong>Protect WP REST API endpoints\u003C\u002Fstrong>:\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– External Token based Authentication 2.0\u002FOIDC\u002FJWT\u002F\u003Ca href=\"https:\u002F\u002Ffirebase.google.com\u002Fdocs\u002Fauth\u002Fadmin\u002Fcreate-custom-tokens\" rel=\"nofollow ugc\">Firebase\u003C\u002Fa> provider’s token authentication methods.\u003C\u002Fp>\n\u003Cp>You can authenticate default WordPress endpoints and custom-developed REST endpoints and third-party plugin REST API endpoints like that of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">Woocommerce\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">Learndash\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">Buddypress\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.gravityforms.com\u002F\" 
rel=\"nofollow ugc\">Gravity Forms\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcart-rest-api-for-woocommerce\u002F\" rel=\"ugc\">CoCart\u003C\u002Fa>, etc.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIsyKI7eEV-I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WP REST API Authentication Methods in our plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method#step_a1\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\nProvides an endpoint where you can pass the user credentials, and it will generate a JWT (JSON Web Token), which you can use to access the WordPress REST APIs accordingly.\u003Cbr \u002F>\nAdditionally, to maintain a seamless user experience without frequent logins needed due to token expiry, you can use our \u003Cem>Refresh and Revoke token\u003C\u002Fem> mechanisms feature.\u003Cbr \u002F>\nWhen the access token expires, instead of forcing the user to log in again, the client can request a new access token using a valid refresh token.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method#step_a\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>:\u003Cbr \u002F>\n        – 1. 
\u003Cstrong>Username: Password\u003C\u002Fstrong>\u003Cbr \u002F>\n        – 2. \u003Cstrong>Client-ID: Client-Secret\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method#step_a\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n        – 1. \u003Cstrong>Password Grant\u003C\u002Fstrong>\u003Cbr \u002F>\n            – 2. \u003Cstrong>Client Credentials Grant\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication-using-third-party-provider#step_a\" rel=\"nofollow ugc\">Third Party Provider Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Following are some of the integrations that are possible with WP REST API Authentication:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Learndash API Authentication\u003C\u002Fli>\n\u003Cli>Custom Built REST API Endpoints Authentication\u003C\u002Fli>\n\u003Cli>BuddyPress API Authentication\u003C\u002Fli>\n\u003Cli>WooCommerce API Authentication\u003C\u002Fli>\n\u003Cli>Gravity Form API Authentication\u003C\u002Fli>\n\u003Cli>External\u002FThird-party plugin API endpoints integration in WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also disable the WP REST APIs with our plugin such that no one can make API calls to your WordPress REST API endpoints. Our plugin also provides \u003Cstrong>Refresh and Revoke Token\u003C\u002Fstrong> that can be used to improve the API security.\u003C\u002Fp>\n\u003Ch3>Benefits of Refresh Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Enhances security by keeping access tokens short-lived.\u003C\u002Fli>\n\u003Cli>Improves user experience with uninterrupted sessions.\u003C\u002Fli>\n\u003Cli>Reduces login frequency.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits of Revoke Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Protects against token misuse if a device is lost or 
compromised.\u003C\u002Fli>\n\u003Cli>Enables admin-triggered logouts or session control.\u003C\u002Fli>\n\u003Cli>Useful for complying with stricter session policies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With this plugin, the user is allowed to access your site’s resources only after successful WP REST API authentication. JWT Authentication for WP REST APIs plugin will make your \u003Cstrong>WordPress endpoints secure from unauthorized access.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Plugin Feature List\u003C\u002Fh3>\n\u003Ch3>FREE PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate only default core WordPress REST API endpoints.\u003C\u002Fli>\n\u003Cli>Basic Authentication with username and password.\u003C\u002Fli>\n\u003Cli>JWT Authentication (JSON Web Token Authentication).\u003C\u002Fli>\n\u003Cli>Enable Selective API protection.\u003C\u002Fli>\n\u003Cli>Restrict non-logged-in users to access REST API endpoints.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>PREMIUM PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate all REST API endpoints (Default WP, Custom APIs, Third-Party plugins)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Token Authentication\u003C\u002Fstrong> (JSON Web Token Authentication)\u003C\u002Fli>\n\u003Cli>Login, Refresh and Revoke token endpoints for token management\u003C\u002Fli>\n\u003Cli>API Key Authentication\u003C\u002Fli>\n\u003Cli>Basic Authentication (username\u002Fpassword and email\u002Fpassword)\u003C\u002Fli>\n\u003Cli>OAuth 2.0 Authentication\u003C\u002Fli>\n\u003Cli>Universal API key and User-specific API key for authentication\u003C\u002Fli>\n\u003Cli>Selective API protection.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003Cli>Time-based token expiry\u003C\u002Fli>\n\u003Cli>Role-based WP REST API authentication\u003C\u002Fli>\n\u003Cli>Custom Header support rather than just \u003Cem>Authorization\u003C\u002Fem> to increase 
security.\u003C\u002Fli>\n\u003Cli>Create users in WordPress based on third-party provider access tokens (JWT tokens) authentication.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data.\u003C\u002Fp>\n","Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.",20000,490496,88,73,"2026-02-09T05:11:00.000Z","6.9.4","3.0.1","5.6",[18,71,72,20,73],"jwt-authentication","rest","secure-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-authentication.4.3.0.zip",97,2,"2025-04-16 00:00:00",{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":87,"downloaded":88,"rating":11,"num_ratings":11,"last_updated":89,"tested_up_to":67,"requires_at_least":90,"requires_php":16,"tags":91,"homepage":95,"download_link":96,"security_score":24,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":26},"ghostgate","GhostGate","1.3.3","codegee0958","https:\u002F\u002Fprofiles.wordpress.org\u002Fcodegee0958\u002F","\u003Cp>\u003Cstrong>GhostGate\u003C\u002Fstrong> is a lightweight yet powerful WordPress security plugin that eliminates the login page as an attack surface. 
Instead of just defending, it \u003Cstrong>erases the entrance\u003C\u002Fstrong> entirely with dynamic login URLs and multi-layer access verification.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>🔒 Hide your login URL with a custom slug and time-based code\u003C\u002Fli>\n\u003Cli>🔑 Built-in 2FA via email verification\u003C\u002Fli>\n\u003Cli>🚫 Auto-block brute force attacks by IP\u003C\u002Fli>\n\u003Cli>🧱 Disable\u002Flimit unused endpoints like XML-RPC and REST API\u003C\u002Fli>\n\u003Cli>👤 Prevent user enumeration via REST, RSS, and author queries\u003C\u002Fli>\n\u003Cli>🔍 Visualize security status and detect conflicts\u003C\u002Fli>\n\u003Cli>📜 Activity logs with optional file rotation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>GhostGate doesn’t just defend — it disappears.\u003Cbr \u002F>\nInvisible to bots. Intuitive for users.\u003C\u002Fp>\n\u003Cp>👉 \u003Cstrong>Full features \u002F screenshots \u002F pricing \u002F docs\u003C\u002Fstrong>:\u003Cbr \u002F>\nhttps:\u002F\u002Farce-experience.com\u002Fproduct\u002F\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>GhostGate can store the following data locally on your site to provide rate-limiting and security auditing:\u003Cbr \u002F>\n– IP addresses (for temporary throttling \u002F block lists)\u003Cbr \u002F>\n– Timestamps and event metadata (login attempts, REST\u002FXML-RPC hits)\u003Cbr \u002F>\n– Optional log files under \u003Ccode>wp-content\u002Fuploads\u002Fghostgate\u002Flogs\u003C\u002Fcode> (if enabled)\u003C\u002Fp>\n\u003Cp>No data is sent to third-party services.\u003Cbr \u002F>\nSite owners are responsible for informing users\u002Fvisitors where required by local laws. You can clear blocks\u002Flogs from the admin UI or by deleting the log files.\u003C\u002Fp>\n","Invisible, intelligent protection for WordPress. 
GhostGate hides your login page, blocks bots, and turns your site into a ghost fortress.",10,405,"2026-01-21T00:06:00.000Z","5.8",[92,20,21,93,94],"limit-login-attempts","two-factor-authentication","xml-rpc","https:\u002F\u002Farce-experience.com\u002Fproduct\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fghostgate.1.3.3.zip",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":87,"downloaded":105,"rating":11,"num_ratings":11,"last_updated":106,"tested_up_to":67,"requires_at_least":107,"requires_php":108,"tags":109,"homepage":111,"download_link":112,"security_score":24,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":26},"keys-master","Keys Master","2.4.0","Pierre Lannoy","https:\u002F\u002Fprofiles.wordpress.org\u002Fpierrelannoy\u002F","\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> is a powerful application passwords manager for WordPress with role-based usage control and full analytics reporting about password usage. It relies on the “application password” core feature introduced in WordPress 5.6 
and adds extra features and controls.\u003C\u002Fp>\n\u003Cp>You can limit usage of application passwords, on a per role basis:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>maximum passwords per user;\u003C\u002Fli>\n\u003Cli>specific usage: none (blocks usage), only authentication and revocation or full management (with password creation).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For each role defined on your site, you can define a period during which a password can be unused before auto-revocation.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> can report the following main items and metrics:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>KPIs: authentication success, number, creations and revocations of passwords, adoption and usage rate;\u003C\u002Fli>\n\u003Cli>channels breakdown;\u003C\u002Fli>\n\u003Cli>clients breakdown (requires the free \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdevice-detector\u002F\" rel=\"ugc\">Device Detector\u003C\u002Fa> plugin);\u003C\u002Fli>\n\u003Cli>countries breakdown (requires the free \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fip-locator\u002F\" rel=\"ugc\">IP Locator\u003C\u002Fa> plugin);\u003C\u002Fli>\n\u003Cli>site breakdowns in multisites environments.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> supports a set of WP-CLI commands to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>manage WordPress application passwords (list, create and revoke) – see \u003Ccode>wp help apwd password\u003C\u002Fcode> for details;\u003C\u002Fli>\n\u003Cli>toggle on\u002Foff main settings – see \u003Ccode>wp help apwd settings\u003C\u002Fcode> for details;\u003C\u002Fli>\n\u003Cli>modify operations mode – see \u003Ccode>wp help apwd mode\u003C\u002Fcode> for details;\u003C\u002Fli>\n\u003Cli>display passwords statistics – see \u003Ccode>wp help apwd analytics\u003C\u002Fcode> for details.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For a full help on WP-CLI commands in 
Keys Master, please \u003Ca href=\"https:\u002F\u002Fperfops.one\u002Fkeys-master-wpcli\" rel=\"nofollow ugc\">read this guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> is part of \u003Ca href=\"https:\u002F\u002Fperfops.one\u002F\" rel=\"nofollow ugc\">PerfOps One\u003C\u002Fa>, a suite of free and open source WordPress plugins dedicated to observability and operations performance.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Keys Master\u003C\u002Fstrong> is a free and open source plugin for WordPress. It integrates many other free and open source works (as-is or modified). Please, see ‘about’ tab in the plugin settings to see the details.\u003C\u002Fp>\n\u003Ch4>Support\u003C\u002Fh4>\n\u003Cp>This plugin is free and provided without warranty of any kind. Use it at your own risk, I’m not responsible for any improper use of this plugin, nor for any damage it might cause to your site. Always backup all your data before installing a new plugin.\u003C\u002Fp>\n\u003Cp>Anyway, I’ll be glad to help you if you encounter issues when using this plugin. Just use the support section of this plugin page.\u003C\u002Fp>\n\u003Ch4>Privacy\u003C\u002Fh4>\n\u003Cp>This plugin, as any piece of software, is neither compliant nor non-compliant with privacy laws and regulations. 
It is your responsibility to use it – by activating the corresponding options or services – with respect for the personal data of your users and applicable laws.\u003C\u002Fp>\n\u003Cp>This plugin doesn’t set any cookie in the user’s browser.\u003C\u002Fp>\n\u003Cp>This plugin doesn’t handle personally identifiable information (PII).\u003C\u002Fp>\n\u003Ch4>Donation\u003C\u002Fh4>\n\u003Cp>If you like this plugin or find it useful and want to thank me for the work done, please consider making a donation to \u003Ca href=\"https:\u002F\u002Fwww.laquadrature.net\u002Fen\" rel=\"nofollow ugc\">La Quadrature Du Net\u003C\u002Fa> or the \u003Ca href=\"https:\u002F\u002Fwww.eff.org\u002F\" rel=\"nofollow ugc\">Electronic Frontier Foundation\u003C\u002Fa> which are advocacy groups defending the rights and freedoms of citizens on the Internet. By supporting them, you help the daily actions they perform to defend our fundamental freedoms!\u003C\u002Fp>\n","Powerful application passwords manager for WordPress with role-based usage control and full analytics reporting capabilities.",5961,"2025-11-22T11:42:00.000Z","6.2","8.1",[110,19,20,21,94],"application-password","https:\u002F\u002Fperfops.one\u002Fkeys-master","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkeys-master.2.4.0.zip",{"slug":114,"name":115,"version":116,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":11,"downloaded":121,"rating":11,"num_ratings":11,"last_updated":122,"tested_up_to":67,"requires_at_least":123,"requires_php":124,"tags":125,"homepage":51,"download_link":128,"security_score":24,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":26},"headlesskey-jwt-auth","HeadlessKey – JWT Auth","1.0.0","Hidayat Mahetar","https:\u002F\u002Fprofiles.wordpress.org\u002Fhidayatsafewp\u002F","\u003Cp>\u003Cstrong>HeadlessKey – JWT Auth\u003C\u002Fstrong> extends the REST API to provide a robust and secure authentication system using JSON Web 
Tokens (JWT). Designed for Headless WordPress, it enables seamless user authentication, registration, and session management via standard REST endpoints.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication\u003C\u002Fstrong>: Secure user authentication using industry-standard RFC 7519 tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Algorithms\u003C\u002Fstrong>: Support for \u003Ccode>HS256\u003C\u002Fcode>, \u003Ccode>RS256\u003C\u002Fcode>, and \u003Ccode>ES256\u003C\u002Fcode> signing algorithms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comprehensive Endpoints\u003C\u002Fstrong>: Ready-to-use endpoints for Login, Register, Token Refresh, and Password Management.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Sign-On (SSO)\u003C\u002Fstrong>: Connect multiple sites with a secure, headers-based SSO exchange mechanism.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role-Based Access Control (RBAC)\u003C\u002Fstrong>: Configure public or authenticated access for every endpoint.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute Force Protection\u003C\u002Fstrong>: Protects against attacks by locking users\u002FIPs after failed attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity Logs\u003C\u002Fstrong>: Detailed audit trail of all authentication events, including IP and device data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Webhooks\u003C\u002Fstrong>: Real-time JSON events sent to your external services for monitoring key actions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Device Limits\u003C\u002Fstrong>: Restrict the number of active devices\u002Fsessions per user.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong>: Extensive hooks and filters for deep customization.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch3>Secret Key\u003C\u002Fh3>\n\u003Cp>The plugin uses a secret key to sign tokens. By default, a secure random key is generated. 
For better security and consistency across environments, define your key in \u003Ccode>wp-config.php\u003C\u002Fcode>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_SECRET_KEY', 'your-long-random-secure-string');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a strong salt here: \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">WordPress Salt Generator\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>CORS Support\u003C\u002Fh3>\n\u003Cp>Cross-Origin Resource Sharing (CORS) is enabled by default to allow frontend applications to connect. 
To disable or customize it, set this constant:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_CORS', true); \u002F\u002F or false to disable\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST API Namespace\u003C\u002Fh3>\n\u003Cp>By default, endpoints are under \u003Ccode>wp-json\u002Fwpauthapi\u002Fv1\u003C\u002Fcode>. You can customize this namespace:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_REST_NAMESPACE', 'my-custom-auth');\ndefine('headlesskey_REST_VERSION', 'v2');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Endpoints\u003C\u002Fh3>\n\u003Cp>The plugin adds the following endpoints under the \u003Ccode>\u002Fwp-json\u002Fheadlesskey\u002Fv1\u003C\u002Fcode> namespace:\u003C\u002Fp>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\u003Cth>Endpoint\u003C\u002Fth>\u003Cth>HTTP Verb\u003C\u002Fth>\u003Cth>Description\u003C\u002Fth>\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Ftoken\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Login\u003C\u002Fstrong>: Exchange username\u002Fpassword for a JWT.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Validate\u003C\u002Fstrong>: Check whether a token is valid.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Refresh\u003C\u002Fstrong>: Exchange a valid token for a new one (rotation).\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Logout\u003C\u002Fstrong>: Invalidate a specific token.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Fregister\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Register\u003C\u002Fstrong>: Create a new user account.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Flogin\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Profile\u003C\u002Fstrong>: Login and get full user profile data in one request.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Fforgot-password\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Recover\u003C\u002Fstrong>: Request a password reset via Link or OTP.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Freset-password\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Reset\u003C\u002Fstrong>: Set a new password using a token or OTP.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Fchange-password\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>Update\u003C\u002Fstrong>: Change password for authenticated user.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003Ctr>\u003Ctd>\u003Ccode>\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003C\u002Ftd>\u003Ctd>POST\u003C\u002Ftd>\u003Ctd>\u003Cstrong>SSO\u003C\u002Fstrong>: Exchange a remote site token for a local session.\u003C\u002Ftd>\u003C\u002Ftr>\n\u003C\u002Ftbody>\n\u003C\u002Ftable>\n\u003Ch3>1. 
Login (Generate Token)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Authenticate a user and generate a JWT token.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"username\": \"admin\",\n  \"password\": \"secret-password\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\n  \"expires_in\": 3600,\n  \"user\": {\n    \"ID\": 1,\n    \"user_login\": \"admin\",\n    \"user_email\": \"admin@example.com\",\n    \"display_name\": \"Administrator\",\n    \"roles\": [\"administrator\"]\n  },\n  \"refreshable\": true,\n  \"jti\": \"545086b9-450f-488b-a70d-3047d14d1101\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>2. 
Validate Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Validate if an existing token is valid.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"valid\": true,\n  \"data\": {\n    \"iss\": \"https:\u002F\u002Fexample.com\",\n    \"iat\": 1698393600,\n    \"exp\": 1698397200,\n    \"data\": {\n      \"ID\": 1,\n      \"user_login\": \"admin\"\n    }\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>3. 
Refresh Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Rotate an expiring token for a fresh one.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.new...\",\n  \"expiration\": \"2023-10-27T11:00:00+00:00\",\n  \"user\": {\n    \"ID\": 1,\n    \"user_login\": \"admin\"\n  },\n  \"jti\": \"new-uuid-v4\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>4. Revoke Token (Logout)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Invalidate a token immediately.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"message\": \"Token revoked successfully.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>5. 
Register User\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Create a new user account.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"username\": \"johndoe\",\n  \"email\": \"john@example.com\",\n  \"password\": \"secure-password\",\n  \"name\": \"John Doe\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"user_id\": 45,\n  \"user\": {\n    \"ID\": 45,\n    \"user_login\": \"johndoe\",\n    \"user_email\": \"john@example.com\",\n    \"display_name\": \"John Doe\",\n    \"roles\": [\"subscriber\"]\n  },\n  \"token_response\": {\n    \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOi...\",\n    \"expiration\": \"2023-10-27T10:00:00+00:00\"\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>6. 
User Profile (Login Extended)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Alternative login endpoint that returns a cleaner profile structure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"admin\",\u003Cbr \u002F>\n  \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\",\u003Cbr \u002F>\n    \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"Administrator\",\u003Cbr \u002F>\n    \"roles\": [\"administrator\"]\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>7. Forgot Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Initiate password recovery. 
Note: \u003Ccode>delivery\u003C\u002Fcode> can be \u003Ccode>link\u003C\u002Fcode> or \u003Ccode>otp\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"delivery\": \"link\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password reset email sent.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>8. Reset Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Reset the password using the token sent via email or OTP.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request (Link method):\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"password\": \"new-secure-password\",\u003Cbr \u002F>\n  \"token\": \"generated-reset-key\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password updated successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>9. Change Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Change the password for the currently authenticated user. 
Requires \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n    Authorization: Bearer \u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"current_password\": \"old-password\",\u003Cbr \u002F>\n  \"new_password\": \"new-secure-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password changed successfully. Please login again.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>10. SSO Token Exchange\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Securely exchange a token from a connected remote site for a local authentication session. 
This powers the distributed Single Sign-On network.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"site_key\": \"remote-site-id\",\u003Cbr \u002F>\n  \"token\": \"remote-jwt-token\",\u003Cbr \u002F>\n  \"signature\": \"hmac-sha256-signature\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\nReturns a standard \u003Cstrong>Login\u003C\u002Fstrong> response (Token + User Data) if the signature is valid.\u003C\u002Fp>\n","A complete authentication solution for Headless WordPress applications using JWT, supporting Registration, SSO, RBAC, and advanced Security features.",133,"2026-02-08T10:59:00.000Z","6.0","8.0",[19,126,127,20,21],"headless","jwt","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheadlesskey-jwt-auth.1.0.0.zip",{"attackSurface":130,"codeSignals":186,"taintFlows":221,"riskAssessment":366,"analyzedAt":369},{"hooks":131,"ajaxHandlers":174,"restRoutes":183,"shortcodes":184,"cronEvents":185,"entryPointCount":77,"unprotectedCount":11},[132,138,141,145,149,153,157,161,163,165,169],{"type":133,"name":134,"callback":135,"file":136,"line":137},"action","admin_menu","add_admin_menu","includes\\class-admin-page.php",29,{"type":133,"name":139,"callback":140,"file":136,"line":31},"admin_init","settings_init",{"type":133,"name":142,"callback":143,"file":136,"line":144},"admin_post_pklwpz_revoke_token","handle_revoke_token",31,{"type":133,"name":146,"callback":147,"file":136,"line":148},"admin_post_pklwpz_restore_token","handle_restore_token",32,{"type":133,"name":150,"callback":151,"file":136,"line":152},"admin_post_pklwpz_delete_token","handle_delete_token",33,{"type":133,"name":154,"callback":155,"file":136,"line":156},"admin_enqueue_scripts","enqueue_admin_assets",34,{"type":133,"name":158,"callback":159,"file":160,"line":137},"show_user_profile","add_api_key_fields","includes\\class-user-profi
le.php",{"type":133,"name":162,"callback":159,"file":160,"line":31},"edit_user_profile",{"type":133,"name":154,"callback":164,"file":160,"line":152},"enqueue_profile_scripts",{"type":133,"name":166,"callback":166,"file":167,"line":168},"init","pkl-wpz-rest-api-auth.php",102,{"type":170,"name":171,"callback":172,"file":167,"line":173},"filter","rest_authentication_errors","restrict_rest_api",132,[175,180],{"action":176,"nopriv":177,"callback":178,"hasNonce":179,"hasCapCheck":179,"file":160,"line":144},"pklwpz_generate_api_key",false,"ajax_generate_api_key",true,{"action":181,"nopriv":177,"callback":182,"hasNonce":179,"hasCapCheck":179,"file":160,"line":148},"pklwpz_revoke_api_key","ajax_revoke_api_key",[],[],[],{"dangerousFunctions":187,"sqlUsage":188,"outputEscaping":205,"fileOperations":11,"externalRequests":11,"nonceChecks":219,"capabilityChecks":87,"bundledLibraries":220},[],{"prepared":189,"raw":190,"locations":191},18,5,[192,196,199,201,203],{"file":193,"line":194,"context":195},"includes\\class-database.php",106,"$wpdb->get_results() with variable interpolation",{"file":193,"line":197,"context":198},116,"$wpdb->query() with variable interpolation",{"file":193,"line":200,"context":198},119,{"file":193,"line":202,"context":198},152,{"file":193,"line":204,"context":198},155,{"escaped":206,"rawEcho":190,"locations":207},59,[208,211,213,215,217],{"file":136,"line":209,"context":210},263,"raw output",{"file":136,"line":212,"context":210},407,{"file":136,"line":214,"context":210},413,{"file":160,"line":216,"context":210},197,{"file":160,"line":218,"context":210},203,6,[],[222,245,258,271,297,310,327,343,356],{"entryPoint":223,"graph":224,"unsanitizedCount":11,"severity":244},"handle_revoke_token (includes\\class-admin-page.php:121)",{"nodes":225,"edges":241},[226,231,235],{"id":227,"type":228,"label":229,"file":136,"line":230},"n0","source","$_POST",134,{"id":232,"type":233,"label":234,"file":136,"line":230},"n1","transform","→ 
revoke_token()",{"id":236,"type":237,"label":238,"file":193,"line":239,"wp_function":240},"n2","sink","get_row() [SQLi]",380,"get_row",[242,243],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},"low",{"entryPoint":246,"graph":247,"unsanitizedCount":11,"severity":244},"handle_restore_token (includes\\class-admin-page.php:152)",{"nodes":248,"edges":255},[249,251,253],{"id":227,"type":228,"label":229,"file":136,"line":250},165,{"id":232,"type":233,"label":252,"file":136,"line":250},"→ restore_token()",{"id":236,"type":237,"label":238,"file":193,"line":254,"wp_function":240},417,[256,257],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"entryPoint":259,"graph":260,"unsanitizedCount":11,"severity":244},"handle_delete_token (includes\\class-admin-page.php:183)",{"nodes":261,"edges":268},[262,264,266],{"id":227,"type":228,"label":229,"file":136,"line":263},196,{"id":232,"type":233,"label":265,"file":136,"line":263},"→ delete_token()",{"id":236,"type":237,"label":238,"file":193,"line":267,"wp_function":240},444,[269,270],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"entryPoint":272,"graph":273,"unsanitizedCount":11,"severity":244},"\u003Cclass-admin-page> 
(includes\\class-admin-page.php:0)",{"nodes":274,"edges":290},[275,276,277,278,280,282,284,286,288],{"id":227,"type":228,"label":229,"file":136,"line":230},{"id":232,"type":233,"label":234,"file":136,"line":230},{"id":236,"type":237,"label":238,"file":193,"line":239,"wp_function":240},{"id":279,"type":228,"label":229,"file":136,"line":250},"n3",{"id":281,"type":233,"label":252,"file":136,"line":250},"n4",{"id":283,"type":237,"label":238,"file":193,"line":254,"wp_function":240},"n5",{"id":285,"type":228,"label":229,"file":136,"line":263},"n6",{"id":287,"type":233,"label":265,"file":136,"line":263},"n7",{"id":289,"type":237,"label":238,"file":193,"line":267,"wp_function":240},"n8",[291,292,293,294,295,296],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"from":279,"to":281,"sanitized":177},{"from":281,"to":283,"sanitized":179},{"from":285,"to":287,"sanitized":177},{"from":287,"to":289,"sanitized":179},{"entryPoint":298,"graph":299,"unsanitizedCount":11,"severity":244},"ajax_generate_api_key (includes\\class-user-profile.php:269)",{"nodes":300,"edges":307},[301,303,305],{"id":227,"type":228,"label":229,"file":160,"line":302},283,{"id":232,"type":233,"label":304,"file":160,"line":302},"→ get_user_api_key()",{"id":236,"type":237,"label":238,"file":193,"line":306,"wp_function":240},318,[308,309],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"entryPoint":311,"graph":312,"unsanitizedCount":11,"severity":244},"ajax_revoke_api_key 
(includes\\class-user-profile.php:305)",{"nodes":313,"edges":322},[314,316,317,318,320,321],{"id":227,"type":228,"label":229,"file":160,"line":315},323,{"id":232,"type":233,"label":304,"file":160,"line":315},{"id":236,"type":237,"label":238,"file":193,"line":306,"wp_function":240},{"id":279,"type":228,"label":229,"file":160,"line":319},325,{"id":281,"type":233,"label":234,"file":160,"line":319},{"id":283,"type":237,"label":238,"file":193,"line":239,"wp_function":240},[323,324,325,326],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"from":279,"to":281,"sanitized":177},{"from":281,"to":283,"sanitized":179},{"entryPoint":328,"graph":329,"unsanitizedCount":11,"severity":244},"\u003Cclass-user-profile> (includes\\class-user-profile.php:0)",{"nodes":330,"edges":338},[331,333,334,335,336,337],{"id":227,"type":228,"label":332,"file":160,"line":302},"$_POST (x2)",{"id":232,"type":233,"label":304,"file":160,"line":302},{"id":236,"type":237,"label":238,"file":193,"line":306,"wp_function":240},{"id":279,"type":228,"label":229,"file":160,"line":319},{"id":281,"type":233,"label":234,"file":160,"line":319},{"id":283,"type":237,"label":238,"file":193,"line":239,"wp_function":240},[339,340,341,342],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"from":279,"to":281,"sanitized":177},{"from":281,"to":283,"sanitized":179},{"entryPoint":344,"graph":345,"unsanitizedCount":11,"severity":244},"check_api_key_auth (pkl-wpz-rest-api-auth.php:139)",{"nodes":346,"edges":353},[347,349,351],{"id":227,"type":228,"label":348,"file":167,"line":263},"$_GET",{"id":232,"type":233,"label":350,"file":167,"line":263},"→ get_user_by_token()",{"id":236,"type":237,"label":238,"file":193,"line":352,"wp_function":240},289,[354,355],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"entryPoint":357,"graph":358,"unsanitizedCount":11,"severity":244},"\u003Cpkl-wpz-rest-api-auth> 
(pkl-wpz-rest-api-auth.php:0)",{"nodes":359,"edges":363},[360,361,362],{"id":227,"type":228,"label":348,"file":167,"line":263},{"id":232,"type":233,"label":350,"file":167,"line":263},{"id":236,"type":237,"label":238,"file":193,"line":352,"wp_function":240},[364,365],{"from":227,"to":232,"sanitized":177},{"from":232,"to":236,"sanitized":179},{"summary":367,"deductions":368},"The \"pkl-wpz-rest-api-auth\" v1.1.0 plugin exhibits a generally strong security posture based on the provided static analysis.  The plugin has a limited attack surface with only two AJAX handlers, and crucially, none of these entry points appear to be unprotected. The code signals are also positive, with a high percentage of SQL queries using prepared statements and a very high rate of proper output escaping. The absence of dangerous functions, file operations, and external HTTP requests further bolsters its security. The plugin also demonstrates good security practices by incorporating a significant number of nonce and capability checks.\n\nThe taint analysis shows no critical or high severity flows with unsanitized paths, indicating a low risk of injection vulnerabilities originating from user-supplied data processed by the plugin. The vulnerability history is also empty, with no known CVEs, which is a very positive sign of the plugin's overall stability and security over time.  This suggests that the developers have a good understanding of secure coding practices and have likely maintained the plugin diligently.\n\nIn conclusion, the \"pkl-wpz-rest-api-auth\" plugin, v1.1.0, presents a very low security risk. Its strengths lie in its limited and authenticated attack surface, robust use of prepared statements and output escaping, and a clean vulnerability history. 
There are no evident weaknesses or specific risks identified in the static analysis or vulnerability data that would warrant significant concern.",[],"2026-03-17T06:24:41.402Z",{"wat":371,"direct":380},{"assetPaths":372,"generatorPatterns":375,"scriptPaths":376,"versionParams":377},[373,374],"\u002Fwp-content\u002Fplugins\u002Fpkl-wpz-rest-api-auth\u002Fassets\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fpkl-wpz-rest-api-auth\u002Fassets\u002Fjs\u002Fscript.js",[],[374],[378,379],"pkl-wpz-rest-api-auth\u002Fassets\u002Fcss\u002Fstyle.css?ver=","pkl-wpz-rest-api-auth\u002Fassets\u002Fjs\u002Fscript.js?ver=",{"cssClasses":381,"htmlComments":382,"htmlAttributes":383,"restEndpoints":384,"jsGlobals":387,"shortcodeOutput":389},[],[],[],[385,386],"\u002Fwp-json\u002Fpkl-wpz-rest-api-auth\u002Fv1\u002Fgenerate-api-key","\u002Fwp-json\u002Fpkl-wpz-rest-api-auth\u002Fv1\u002Frevoke-api-key",[388],"pkl_wpz_rest_api_auth_vars",[]]