[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f384qpgN2SMpigdNd0jdRj25cOQKpay4w8-RB8LsOdNI":3,"$fCU3SF9sg84Zhuprk2Rbud3pCJvkhqMiz_N1T8jvNdxk":260,"$ftuzDi6YIdb6jdLw5eqlZZxLCGfoUsZhqwrrpyAg1mDA":265},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":38,"analysis":149,"fingerprints":243},"simple-jwt-login-mailpoet","Simple JWT Login MailPoet – Login users from newsletter","1.0.3","Nicu Micle","https:\u002F\u002Fprofiles.wordpress.org\u002Fnicu_m\u002F","\u003Cp>The Simple JWT Login MailPoet plugin is an add-on for the Simple-Jwt-Login plugin.\u003Cbr \u002F>\nIt allows you to seamlessly log users into your WordPress site using a JWT generated from MailPoet newsletters.\u003C\u002Fp>\n\u003Cp>Simple shortcode example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[custom:simple-jwt-login]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This shortcode will generate a link, with the text “Login”\u003C\u002Fp>\n\u003Cp>Available shortcode parameters:\u003Cbr \u002F>\n– text : The text for the link\u003Cbr \u002F>\n– class: Class added for the link\u003Cbr \u002F>\n– style: Custom CSS added to the link\u003Cbr \u002F>\n– validity: The number of seconds a JWT is valid\u003Cbr \u002F>\n– authCode: Auth Code that is required by Autologin. 
You will find this in Simple-JWT-Login plugin -> Auth Codes\u003Cbr \u002F>\n– redirectUrl: This URL will overwrite the SimpleJWTLogin settings, and it will specify where users will be redirected after autologin.\u003Cbr \u002F>\n– isUrl: When this parameter is provided, the shortcode will return only the autologin URL\u003C\u002Fp>\n\u003Cp>Full short code example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[custom:simple-jwt-login text=\"Login\" class=\"myClassName\" style=\"color:red;\" validity=\"604800\" authCode=\"1\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This example will generate a red link, with the text “Login”.\u003C\u002Fp>\n\u003Cp>You can also customize the shortcode to just return the URL.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[custom:simple-jwt-login text=\"Login\" validity=\"604800\" isUrl=\"on\"]\n\u003C\u002Fcode>\u003C\u002Fpre>\n","The Simple JWT Login MailPoet plugin is an add-on for the Simple-Jwt-Login plugin.",0,1397,"2026-03-18T05:34:00.000Z","6.9.4","4.4.0","5.5",[18,19,20,21,22],"auto-login","jwt","mailpoet","newsletter-jwt","newsletter-login","https:\u002F\u002Fsimplejwtlogin.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login-mailpoet.1.0.3.zip",100,null,"2026-04-06T09:54:40.288Z","no_bundle",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"nicu_m",2,5000,97,612,77,"2026-05-20T18:07:49.912Z",[39,57,79,102,126],{"slug":40,"name":41,"version":42,"author":7,"author_profile":8,"description":43,"short_description":44,"active_installs":33,"downloaded":45,"rating":25,"num_ratings":46,"last_updated":47,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":48,"homepage":23,"download_link":52,"security_score":53,"vuln_count":54,"unpatched_count":11,"last_vuln_date":55,"fetched_at":56},"simple-jwt-login","Simple JWT Login – Allows you to use JWT on REST endpoints.","3.6.5","\u003Cp>Simple 
JWT Login is a \u003Cstrong>FREE\u003C\u002Fstrong> WordPress plugin that enables secure authentication for your WordPress REST API using \u003Cstrong>JSON Web Tokens\u003C\u002Fstrong> (JWT).\u003C\u002Fp>\n\u003Cp>With this powerful plugin, you can:\u003Cbr \u002F>\n– Log in, register, and authenticate users effortlessly\u003Cbr \u002F>\n– Connect mobile apps, external websites, or third-party services to WordPress with ease\u003Cbr \u002F>\n– Change or delete user passwords securely\u003C\u002Fp>\n\u003Cp>Whether you’re building a headless WordPress setup or integrating with external platforms, Simple JWT Login provides a fast, secure, and reliable authentication solution.\u003C\u002Fp>\n\u003Cp>You can read more on our plugin documentation website \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Some awesome features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Auto-login using JWT and AUTH_KEY\u003C\u002Fli>\n\u003Cli>Register new users via API\u003C\u002Fli>\n\u003Cli>Delete WordPress users based on a JWT\u003C\u002Fli>\n\u003Cli>Reset user password\u003C\u002Fli>\n\u003Cli>Allow auto-login \u002F register \u002F delete users only from specific IP addresses\u003C\u002Fli>\n\u003Cli>Allow register users only from a specific domain name\u003C\u002Fli>\n\u003Cli>API Route for generating new JWT\u003C\u002Fli>\n\u003Cli>Get JWT from URL, SESSION, COOKIE or HEADER\u003C\u002Fli>\n\u003Cli>Pass request parameters to login URL\u003C\u002Fli>\n\u003Cli>CORS settings for plugin Routes\u003C\u002Fli>\n\u003Cli>Hooks\u003C\u002Fli>\n\u003Cli>JWT Authentication\u003C\u002Fli>\n\u003Cli>Allow access private endpoints with JWT\u003C\u002Fli>\n\u003Cli>Protect endpoints with JWT\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google OAuth Integration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google JWT on all 
endpoints\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-graphql\u002F\" rel=\"ugc\">WPGraphQL\u003C\u002Fa> integration\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check the plugin \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">website\u003C\u002Fa> for more features.\u003C\u002Fp>\n\u003Ch3>Login User\u003C\u002Fh3>\n\u003Cp>This plugin is customizable and offers you multiple methods to log in to your website, based on multiple scenarios.\u003C\u002Fp>\n\u003Cp>In order to log in, users have to send a JWT. The plugin validates the JWT and, if everything is OK, it can extract the WordPress email address or user ID.\u003Cbr \u002F>\nUsers can specify the exact key of the JWT payload where this information can be found.\u003C\u002Fp>\n\u003Cp>Here are the ways you can send the JWT in order to auto-login:\u003C\u002Fp>\n\u003Col>\n\u003Cli>URL\u003C\u002Fli>\n\u003Cli>Header\u003C\u002Fli>\n\u003Cli>Cookie\u003C\u002Fli>\n\u003Cli>Session\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If the JWT is present in multiple places (like URL and Header), the JWT will be overwritten.\u003C\u002Fp>\n\u003Cp>This plugin supports multiple JWT Decryption algorithms, like: HS256, HS512, HS384, RS256, RS384 and RS512.\u003C\u002Fp>\n\u003Cp>After the user is logged in, you can automatically redirect the user to a page like:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Dashboard\u003C\u002Fli>\n\u003Cli>Homepage\u003C\u002Fli>\n\u003Cli>or any other custom Page (this is mainly used for redirecting users to a landing page)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can attach to your redirect a URL parameter \u003Ccode>redirectUrl\u003C\u002Fcode> that will be used for redirect instead of the defined ones.\u003Cbr \u002F>\nIn order to use this, you have to enable it by checking the option \u003Ccode>Allow redirect to a specific URL\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Also, redirect 
after login offers some variables that you can use in the customURL and redirectUrl.\u003Cbr \u002F>\nHere are the variables which you can use in your URL:\u003Cbr \u002F>\n– \u003Ccode>{{site_url}}\u003C\u002Fcode> : Site URL\u003Cbr \u002F>\n– \u003Ccode>{{user_id}}\u003C\u002Fcode> : Logged in user ID\u003Cbr \u002F>\n– \u003Ccode>{{user_email}}\u003C\u002Fcode> : Logged in user email\u003Cbr \u002F>\n– \u003Ccode>{{user_login}}\u003C\u002Fcode> : Logged in username\u003Cbr \u002F>\n– \u003Ccode>{{user_first_name}}\u003C\u002Fcode> : User first name\u003Cbr \u002F>\n– \u003Ccode>{{user_last_name}}\u003C\u002Fcode> : User last name\u003Cbr \u002F>\n– \u003Ccode>{{user_nicename}}\u003C\u002Fcode> : User nice name\u003C\u002Fp>\n\u003Cp>You can generate dynamic URLs with these variables, and, before the redirect, the specific value will be replaced.\u003C\u002Fp>\n\u003Cp>Here is an example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>http:\u002F\u002Fyourdomain.com?param1={{user_id}}&param2={{user_login}}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, this plugin allows you to limit the auto-login based on the client IP address.\u003Cbr \u002F>\nIf you are concerned about security, you can limit the auto-login only from some IP addresses.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fautologin\u002F\" rel=\"nofollow ugc\">Read more\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Register Users\u003C\u002Fh3>\n\u003Cp>This plugin also allows you to create WordPress users.\u003C\u002Fp>\n\u003Cp>This option is disabled by default, but you can enable it at any time.\u003C\u002Fp>\n\u003Cp>In order to create users, you just have to make a POST request to the route URL, and send an \u003Cem>email\u003C\u002Fem> and a \u003Cem>password\u003C\u002Fem> as parameter and the new user will be created.\u003C\u002Fp>\n\u003Cp>You can select the type for the new users: editor, author, contributor, subscriber, 
etc.\u003C\u002Fp>\n\u003Cp>Also, you can limit user creation to specific IP addresses or specific email domains.\u003C\u002Fp>\n\u003Cp>Another cool option is “Generate a random password when a new user is created”.\u003Cbr \u002F>\nIf this option is selected, the password is no longer required when a new user is created; a random password will be generated.\u003C\u002Fp>\n\u003Cp>Another option that you have for registering users is “Initialize force login after register”.\u003Cbr \u002F>\nWhen the user registration is completed, the user will continue on the flow configured on login config.\u003C\u002Fp>\n\u003Cp>If auto-login is disabled, this feature will not work, and user registration will follow the normal flow and return a JSON response.\u003C\u002Fp>\n\u003Cp>If you want to add custom user_meta on user creation, just add the parameter \u003Ccode>user_meta\u003C\u002Fcode> containing JSON. This will create user_meta for the new user.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n    \"meta_key\":\"meta_value\",\n    \"meta_key2\":\"meta_value\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>These properties can be passed in the request when the new user is created.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>email\u003C\u002Fstrong> : (required) (string) The user email address.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>password\u003C\u002Fstrong> : (required) (string) The plain-text user password.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_login\u003C\u002Fstrong> : (string) The user’s login username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_nicename\u003C\u002Fstrong> : (string) The URL-friendly username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_url\u003C\u002Fstrong> : (string) The user URL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>display_name\u003C\u002Fstrong> : (string) The user’s display name. Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>nickname\u003C\u002Fstrong> : (string) The user’s nickname. 
Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>first_name\u003C\u002Fstrong> : (string) The user’s first name. For new users, will be used to build the first part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>last_name\u003C\u002Fstrong> : (string) The user’s last name. For new users, will be used to build the second part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>description\u003C\u002Fstrong> : (string) The user’s biographical description.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>rich_editing\u003C\u002Fstrong> : (string) Whether to enable the rich-editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>syntax_highlighting\u003C\u002Fstrong> : (string) Whether to enable the rich code editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>comment_shortcuts\u003C\u002Fstrong> : (string) Whether to enable comment moderation keyboard shortcuts for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘false’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>admin_color\u003C\u002Fstrong> : (string) Admin color scheme for the user. Default ‘fresh’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>use_ssl\u003C\u002Fstrong> : (bool) Whether the user should always access the admin over https. Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_registered\u003C\u002Fstrong> : (string) Date the user registered. Format is \u003Ccode>Y-m-d H:m:s\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_activation_key\u003C\u002Fstrong> : (string) Password reset key. Default empty.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>spam\u003C\u002Fstrong> : (bool) Multisite only. Whether the user is marked as spam. 
Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>show_admin_bar_front\u003C\u002Fstrong> : (string) Whether to display the Admin Bar for the user on the site’s front end. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>locale\u003C\u002Fstrong> : (string) User’s locale. Default empty.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fregister-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Delete User\u003C\u002Fh3>\n\u003Cp>Delete user is disabled by default.\u003C\u002Fp>\n\u003Cp>In order to delete a user, you have to configure where to search the details in the JWT.\u003Cbr \u002F>\nYou can delete users by WordPress User ID or by Email address.\u003C\u002Fp>\n\u003Cp>Also, you have to choose the JWT parameter key where the email or user ID is stored in the JWT.\u003C\u002Fp>\n\u003Cp>Also, you can limit the deletion of users to specific IP addresses for security reasons.\u003C\u002Fp>\n\u003Ch3>Reset Password\u003C\u002Fh3>\n\u003Cp>Reset password and change password endpoints are disabled by default.\u003C\u002Fp>\n\u003Cp>This plugin allows you to send the reset password email just by calling an endpoint. 
An email with the code will be sent to a specific email address.\u003C\u002Fp>\n\u003Cp>Also, you are able to customize this email, or even not send an email at all.\u003C\u002Fp>\n\u003Cp>The change password endpoint changes the user password, based on the reset password code.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fdelete-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Authentication\u003C\u002Fh3>\n\u003Cp>This plugin allows users to generate JWT tokens based on WordPress user email and password.\u003C\u002Fp>\n\u003Cp>In order to get a new JWT, just make a POST request to the \u003Cem>\u002Fauth\u003C\u002Fem> route with your WordPress email (or username) and password (or password_hash) and the response will look something like this:\u003C\u002Fp>\n\u003Cpre>\u003Ccode> {\n     \"success\": true,\n     \"data\": {\n         \"jwt\": \"NEW_GENERATED_JWT_HERE\"\n     }\n }\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you want to add extra parameters in the JWT payload, just send the parameter \u003Ccode>payload\u003C\u002Fcode> to the \u003Ccode>\u002Fauth\u003C\u002Fcode> endpoint, containing JSON with the values you want added to the payload.\u003C\u002Fp>\n\u003Cp>At some point, the JWT will expire.\u003Cbr \u002F>\nSo, if you want to renew it without having to ask again for user and password, you will have to make a POST request to the \u003Cem>auth\u002Frefresh\u003C\u002Fem> route.\u003C\u002Fp>\n\u003Cp>This will generate a response with a new JWT, similar to the one that \u003Ccode>\u002Fauth\u003C\u002Fcode> generates.\u003C\u002Fp>\n\u003Cp>If you want to get some details about a JWT, and validate that JWT, you can call \u003Ccode>\u002Fauth\u002Fvalidate\u003C\u002Fcode>. 
If you have a valid JWT, details about the available WordPress user, along with some JWT details, will be returned.\u003C\u002Fp>\n\u003Cp>If you want to revoke a JWT, access \u003Ccode>\u002Fauth\u002Frevoke\u003C\u002Fcode> and send the \u003Ccode>jwt\u003C\u002Fcode> as a parameter.\u003C\u002Fp>\n\u003Cp>The plugin auto-generates the example URL you might need to test these scenarios.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauthentication\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Auth codes\u003C\u002Fh3>\n\u003Cp>Auth codes are optional, but you can enable them for Auto-login, Register User and Delete user.\u003C\u002Fp>\n\u003Cp>This feature allows you to add a layer of protection to your API routes.\u003C\u002Fp>\n\u003Cp>An auth code contains 3 parts:\u003Cbr \u002F>\n1. Authentication Key: This is the actual code that you have to add in the request.\u003Cbr \u002F>\n2. WordPress new User Role: can be used when you want to create multiple user types with the create user endpoint. If you leave it blank, the value configured in the ‘Register Settings’ will be used.\u003Cbr \u002F>\n3. Expiration Date: This allows you to set an expiration date for your auth codes. The format is ‘Y-M-D H:m:s’. Example: 2020-12-24 23:00:00. 
If you leave it blank, it will never expire.\u003C\u002Fp>\n\u003Cp>Expiration date format: year-month-day hours:minutes:seconds\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauth-codes\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Cp>This plugin allows advanced users to link some hooks with the plugin and perform some custom scripts.\u003Cbr \u002F>\nSome available hooks:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_login_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook is called after the user has been logged in.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_redirect_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: string $url, array $request\u003C\u002Fli>\n\u003Cli>description: This hook is called before the user is redirected to the page specified in the login section.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_register_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user, string $plain_text_password\u003C\u002Fli>\n\u003Cli>description: This hook is called after a new user has been created.
\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_delete_user_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook is called right after the user has been deleted.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_jwt_payload_auth\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fauth endpoint. Here you can modify payload parameters. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_no_redirect_message\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fautologin endpoint when the option \u003Ccode>No Redirect\u003C\u002Fcode> is selected. You can customize the message and add parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_reset_password_custom_email_template\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: string $template, array $request\u003C\u002Fli>\n\u003Cli>return: string $template\u003C\u002Fli>\n\u003Cli>description: This is executed when POST \u002Fuser\u002Freset_password is called. 
It will replace the email template that has been added in Reset Password settings  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>View full list of hooks on \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>CORS\u003C\u002Fh3>\n\u003Cp>The CORS standard it is needed because it allows servers to specify who can access its assets and how the assets can be accessed.\u003Cbr \u002F>\nCross-origin requests are made using the standard HTTP request methods like GET, POST, PUT, DELETE, etc.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fcors\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Protect endpoints\u003C\u002Fh3>\n\u003Cp>This option is disabled by default. In order to enable it, you need to set “Protect endpoints enabled” to true.\u003C\u002Fp>\n\u003Cp>This feature comes with 2 actions:\u003Cbr \u002F>\n– Apply on All REST Endpoints\u003Cbr \u002F>\n– Apply only on specific REST endpoints\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply on All REST Endpoints\u003C\u002Fcode>, you will be able to whitelist some endpoints from your WordPress REST by adding them to the whitelist section.\u003Cbr \u002F>\nFor example, If you only want to allow users to access the \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode> endpoint without having to provide the JWT, you save in the whitelist section \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply only on specific endpoints\u003C\u002Fcode>, you will have to add all the endpoints you want to be protected by JWT.\u003C\u002Fp>\n\u003Cp>When an endpoint is protected, and you don’t provide a JWT, you will get the following response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n   \"success\":false,\n   \"data\":{\n     
 \"message\":\"Your are not authorized to access this endpoint.\",\n      \"errorCode\":403,\n      \"type\":\"simple-jwt-login-route-protect\"\n   }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fprotect-endpoints\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Integration\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>PHP\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>In order to easily integrate your app\u002Fsite with simple-jwt-login, we have developed a composer package.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>composer require nicumicle\u002Fsimple-jwt-login-client-php\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can check the \u003Ca href=\"https:\u002F\u002Fpackagist.org\u002Fpackages\u002Fnicumicle\u002Fsimple-jwt-login-client-php\" rel=\"nofollow ugc\">package page\u003C\u002Fa> for more details and code examples.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Javascript\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Also, there is a \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsimple-jwt-login\u002Fjs-sdk\" rel=\"nofollow ugc\">Javascript SDK\u003C\u002Fa> that you can install with \u003Ccode>npm\u003C\u002Fcode> or \u003Ccode>yarn\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>npm install \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>or\u003C\u002Fp>\n\u003Cpre>\u003Ccode>yarn add \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Enhance the WordPress REST API with JWT authentication for secure access by mobile apps, external sites, and third-party services.",82994,46,"2026-03-14T06:23:00.000Z",[49,18,19,50,51],"api","register","tokens","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.5.zip",94,3,"2025-09-22 
00:00:00","2026-04-16T10:56:18.058Z",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":65,"downloaded":66,"rating":67,"num_ratings":68,"last_updated":69,"tested_up_to":14,"requires_at_least":70,"requires_php":71,"tags":72,"homepage":77,"download_link":78,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":56},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) 
for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by 
default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca 
href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) 
{\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each 
request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca 
href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" 
rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    
$secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT 
Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication 
method.",60000,906385,88,53,"2026-02-18T00:58:00.000Z","4.2","7.4.0",[73,19,74,75,76],"json-web-authentication","oauth","rest-api","wp-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":87,"downloaded":88,"rating":67,"num_ratings":89,"last_updated":90,"tested_up_to":14,"requires_at_least":91,"requires_php":92,"tags":93,"homepage":98,"download_link":99,"security_score":100,"vuln_count":32,"unpatched_count":11,"last_vuln_date":101,"fetched_at":56},"wp-rest-api-authentication","JWT Authentication for WP REST APIs","4.3.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Cstrong>WordPress REST API endpoints\u003C\u002Fstrong> are \u003Cstrong>open and unsecured by default\u003C\u002Fstrong> which can be used to access your site data. 
Secure WordPress APIs from unauthorized users with our \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication\" rel=\"nofollow ugc\">JWT Authentication for WP REST APIs plugin\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Our plugin offers below authentication methods to \u003Cstrong>Protect WP REST API endpoints\u003C\u002Fstrong>:\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– External Token based Authentication 2.0\u002FOIDC\u002FJWT\u002F\u003Ca href=\"https:\u002F\u002Ffirebase.google.com\u002Fdocs\u002Fauth\u002Fadmin\u002Fcreate-custom-tokens\" rel=\"nofollow ugc\">Firebase\u003C\u002Fa> provider’s token authentication methods.\u003C\u002Fp>\n\u003Cp>You can authenticate default WordPress endpoints and custom-developed REST endpoints and third-party plugin REST API endpoints like that of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">Woocommerce\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">Learndash\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">Buddypress\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.gravityforms.com\u002F\" 
rel=\"nofollow ugc\">Gravity Forms\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcart-rest-api-for-woocommerce\u002F\" rel=\"ugc\">CoCart\u003C\u002Fa>, etc.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIsyKI7eEV-I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WP REST API Authentication Methods in our plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method#step_a1\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\nProvides an endpoint where you can pass the user credentials, and it will generate a JWT (JSON Web Token), which you can use to access the WordPress REST APIs accordingly.\u003Cbr \u002F>\nAdditionally, to maintain a seamless user experience without frequent logins needed due to token expiry, you can use our \u003Cem>Refresh and Revoke token\u003C\u002Fem> mechanisms feature.\u003Cbr \u002F>\nWhen the access token expires, instead of forcing the user to log in again, the client can request a new access token using a valid refresh token.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method#step_a\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>:\u003Cbr \u002F>\n        – 1. 
\u003Cstrong>Username: Password\u003C\u002Fstrong>\u003Cbr \u002F>\n        – 2. \u003Cstrong>Client-ID: Client-Secret\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method#step_a\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n        – 1. \u003Cstrong>Password Grant\u003C\u002Fstrong>\u003Cbr \u002F>\n            – 2. \u003Cstrong>Client Credentials Grant\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication-using-third-party-provider#step_a\" rel=\"nofollow ugc\">Third Party Provider Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Following are some of the integrations that are possible with WP REST API Authentication:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Learndash API Authentication\u003C\u002Fli>\n\u003Cli>Custom Built REST API Endpoints Authentication\u003C\u002Fli>\n\u003Cli>BuddyPress API Authentication\u003C\u002Fli>\n\u003Cli>WooCommerce API Authentication\u003C\u002Fli>\n\u003Cli>Gravity Form API Authentication\u003C\u002Fli>\n\u003Cli>External\u002FThird-party plugin API endpoints integration in WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also disable the WP REST APIs with our plugin so that no one can make API calls to your WordPress REST API endpoints. Our plugin also provides \u003Cstrong>Refresh and Revoke Token\u003C\u002Fstrong> that can be used to improve the API security.\u003C\u002Fp>\n\u003Ch3>Benefits of Refresh Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Enhances security by keeping access tokens short-lived.\u003C\u002Fli>\n\u003Cli>Improves user experience with uninterrupted sessions.\u003C\u002Fli>\n\u003Cli>Reduces login frequency.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits of Revoke Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Protects against token misuse if a device is lost or 
compromised.\u003C\u002Fli>\n\u003Cli>Enables admin-triggered logouts or session control.\u003C\u002Fli>\n\u003Cli>Useful for complying with stricter session policies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With this plugin, the user is allowed to access your site’s resources only after successful WP REST API authentication. JWT Authentication for WP REST APIs plugin will make your \u003Cstrong>WordPress endpoints secure from unauthorized access.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Plugin Feature List\u003C\u002Fh3>\n\u003Ch3>FREE PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate only default core WordPress REST API endpoints.\u003C\u002Fli>\n\u003Cli>Basic Authentication with username and password.\u003C\u002Fli>\n\u003Cli>JWT Authentication (JSON Web Token Authentication).\u003C\u002Fli>\n\u003Cli>Enable Selective API protection.\u003C\u002Fli>\n\u003Cli>Restrict non-logged-in users from accessing REST API endpoints.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>PREMIUM PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate all REST API endpoints (Default WP, Custom APIs, Third-Party plugins)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Token Authentication\u003C\u002Fstrong> (JSON Web Token Authentication)\u003C\u002Fli>\n\u003Cli>Login, Refresh and Revoke token endpoints for token management\u003C\u002Fli>\n\u003Cli>API Key Authentication\u003C\u002Fli>\n\u003Cli>Basic Authentication (username\u002Fpassword and email\u002Fpassword)\u003C\u002Fli>\n\u003Cli>OAuth 2.0 Authentication\u003C\u002Fli>\n\u003Cli>Universal API key and User-specific API key for authentication\u003C\u002Fli>\n\u003Cli>Selective API protection.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003Cli>Time-based token expiry\u003C\u002Fli>\n\u003Cli>Role-based WP REST API authentication\u003C\u002Fli>\n\u003Cli>Custom Header support rather than just \u003Cem>Authorization\u003C\u002Fem> to increase 
security.\u003C\u002Fli>\n\u003Cli>Create users in WordPress based on third-party provider access tokens (JWT tokens) authentication.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data.\u003C\u002Fp>\n","Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.",20000,494247,73,"2026-02-09T05:11:00.000Z","3.0.1","5.6",[94,95,96,75,97],"api-key","jwt-authentication","rest","secure-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-authentication.4.3.0.zip",98,"2025-04-16 00:00:00",{"slug":103,"name":104,"version":105,"author":106,"author_profile":107,"description":108,"short_description":109,"active_installs":110,"downloaded":111,"rating":112,"num_ratings":113,"last_updated":114,"tested_up_to":115,"requires_at_least":116,"requires_php":117,"tags":118,"homepage":123,"download_link":124,"security_score":125,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":56},"goodbye-captcha","WPBruiser {no- Captcha anti-Spam}","3.1.43","MihChe","https:\u002F\u002Fprofiles.wordpress.org\u002Fmihche\u002F","\u003Cp>\u003Cstrong>WPBruiser (formerly GoodBye Captcha) is an anti-spam and security plugin based on algorithms that identify spam bots without any annoying and hard to read captcha images.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>WPBruiser completely eliminates spam-bot signups, spam comments, even brute force attacks, the second you install it on your WordPress website.  
It is completely invisible to the end-user – no need to ever fill out a Captcha or other “human-detection” field ever again – and it just works!\u003C\u002Fp>\n\u003Cp>Unlike other anti-spam plugins, which detect spam comments and signups after the fact and move them to your spam folder, which you then have to delete – using up not only your website’s resources, but your time as well, WPBruiser prevents the bots from leaving spam in the first place. The result is that your site is not only spam free, it’s faster and more secure.\u003C\u002Fp>\n\u003Cp>In addition, WPBruiser is completely self-contained and does not need to connect to any outside service.  Your logins remain yours, 100%.\u003C\u002Fp>\n\u003Cp>WPBruiser fights Brute Force attacks and eliminates spam-bots on comments, signup pages as well as login and password reset pages. At the click of a button, you can decide which forms to protect.\u003C\u002Fp>\n\u003Ch4>Summary of WPBruiser features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Standard WordPress Login form integration\u003C\u002Fli>\n\u003Cli>Standard WordPress Register form integration\u003C\u002Fli>\n\u003Cli>Standard WordPress Forgot Password form integration\u003C\u002Fli>\n\u003Cli>Standard WordPress Comments form integration\u003C\u002Fli>\n\u003Cli>Ability to set the maximum number of characters for each comment field\u003C\u002Fli>\n\u003Cli>Logging with the ability to enable\u002Fdisable it\u003C\u002Fli>\n\u003Cli>Automatically Block IP Addresses\u003C\u002Fli>\n\u003Cli>Automatically purge logs older than a certain number of days\u003C\u002Fli>\n\u003Cli>Manually white-list trusted IP Address (IPV4 and IPV6)\u003C\u002Fli>\n\u003Cli>Manually block\u002Funblock IP Addresses (IPV4 and IPV6)\u003C\u002Fli>\n\u003Cli>Properly detects client IP Address when using CloudFlare, Incapsula, Cloudfront, RackSpace, Sucuri CloudProxy, AWS ELB\u003C\u002Fli>\n\u003Cli>Provides statistics, reports, maps and charts with all blocked spam 
attempts\u003C\u002Fli>\n\u003Cli>No requests to external APIs\u003C\u002Fli>\n\u003Cli>Can be switched to “Test Mode” – for testing\u003C\u002Fli>\n\u003Cli>Compatible with WordPress Multisite – network admin interface ready\u003C\u002Fli>\n\u003Cli>Compatible with cache plugins (WP Super Cache, W3 Total Cache, ZenCache, WP Fastest Cache and others)\u003C\u002Fli>\n\u003Cli>Invisible for end users (works in the background)\u003C\u002Fli>\n\u003Cli>Does not affect page loading times\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Brute Force Protection\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Automatically detects Brute Force attacks\u003C\u002Fli>\n\u003Cli>Ability to automatically block IP Addresses\u003C\u002Fli>\n\u003Cli>Prevents User Enumeration\u003C\u002Fli>\n\u003Cli>Ability to block most dangerous IP addresses involved in brute force attacks\u003C\u002Fli>\n\u003Cli>Ability to block most dangerous Anonymous Proxy IP addresses including TOR Networks, TOR Nodes and TOR Exit Points\u003C\u002Fli>\n\u003Cli>Ability to Completely Disable XML-RPC service – \u003Cstrong>it seamlessly works with Jetpack plugin activated\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Ability to Disable XML-RPC Pingbacks\u003C\u002Fli>\n\u003Cli>Email notifications when a Brute Force Attack is detected\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cblockquote>\n\u003Ch4>WPBruiser Available Extensions\u003C\u002Fh4>\n\u003Cp>WPBruiser is integrated with the most popular plugins\u003C\u002Fp>\n\u003Cdl>\n\u003Cdt>Contact Forms Extensions\u003C\u002Fdt>\n\u003Cdd>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fcontact-form-7\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Contact Form 7\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fgravity-forms\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Gravity Forms\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fninja-forms\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Ninja Forms\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fformidable-forms\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Formidable Forms\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Ffast-secure-contact-form\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Fast Secure Contact Form\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Jetpack Contact Form (FREE – merged into the core)\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fdd>\n\u003C\u002Fdl>\n\u003Cdl>\n\u003Cdt>Membership Extensions\u003C\u002Fdt>\n\u003Cdd>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fbuddypress\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – BuddyPress\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fmemberpress\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – MemberPress\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fuserpro\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – UserPro\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fupme\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – User Profiles Made Easy\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Ultimate Member (FREE – merged into the 
core)\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fdd>\n\u003C\u002Fdl>\n\u003Cdl>\n\u003Cdt>eCommerce Extensions\u003C\u002Fdt>\n\u003Cdd>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fwoocommerce\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – WooCommerce\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Feasy-digital-downloads\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Easy Digital Downloads\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Faffiliatewp\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – AffiliateWP\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fdd>\n\u003C\u002Fdl>\n\u003Cdl>\n\u003Cdt>Email Subscriptions Extensions\u003C\u002Fdt>\n\u003Cdd>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Fmailpoet\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – MailPoet\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fdownloads\u002Feasy-forms-for-mailchimp\u002F\" rel=\"nofollow ugc\">\u003Cstrong>WPBruiser – Easy Forms for MailChimp\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fdd>\n\u003C\u002Fdl>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.wpbruiser.com\u002Fextensions\u002F\" title=\"WPBruiser Extensions\" rel=\"nofollow ugc\">View all WPBruiser Extensions\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>WPBruiser is also integrated with the following plugins:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Postmatic\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpostmatic)\u003Cbr \u002F>\nWPBruiser offers protection for the entire email commenting 
system\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Epoch\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fepoch)\u003Cbr \u002F>\nWPBruiser offers protection for the entire chat and commenting system\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>wpDiscuz\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwpdiscuz\u002F)\u003Cbr \u002F>\nWPBruiser offers protection for the entire commenting system\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>MailChimp for WordPress\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fmailchimp-for-wp)\u003Cbr \u002F>\nWPBruiser offers protection for all forms the user will create with MailChimp\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Ultimate Member\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fultimate-member)\u003Cbr \u002F>\nWPBruiser offers protection for Login, Registration and Reset Password forms\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Jetpack by WordPress\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjetpack)\u003Cbr \u002F>\nWPBruiser offers protection for JetPack Contact Form\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>ZM Ajax Login & Register\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fzm-ajax-login-register)\u003Cbr \u002F>\nWPBruiser offers protection for Login and Registration forms\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Login With Ajax\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Flogin-with-ajax)\u003Cbr \u002F>\nWPBruiser offers protection for Login, Registration and Lost Password forms\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>WP User Control\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-user-control)\u003Cbr \u002F>\nWPBruiser offers protection for Login, 
Registration and Lost Password forms\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>PlanSo Forms\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fplanso-forms\u002F)\u003Cbr \u002F>\nWPBruiser offers protection for all forms\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Theme My Login\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftheme-my-login)\u003Cbr \u002F>\nWPBruiser offers protection for Login, Registration and Lost Password forms\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Seamless Donations\u003C\u002Fstrong> (https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fseamless-donations)\u003Cbr \u002F>\nWPBruiser offers protection for the donation form\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Technical support\u003C\u002Fh4>\n\u003Cp>If you notice any problems while using this plugin, please notify us and we will investigate and fix the issues. Ideally your request should contain: URL of the website (if your site is public), PHP version, WordPress version and all the steps needed to replicate the issue (if you are able to reproduce it somehow).\u003C\u002Fp>\n\u003Ch4>Donate\u003C\u002Fh4>\n\u003Cp>If you find this plugin useful, please consider making a small \u003Ca href=\"https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_s-xclick&hosted_button_id=XVC3TSGEJQP2U\" rel=\"nofollow ugc\">donation\u003C\u002Fa>. 
Thank you\u003C\u002Fp>\n","An extremely powerful antispam plugin that blocks spam-bots without annoying captcha images.",10000,690001,92,213,"2020-10-14T03:31:00.000Z","5.5.18","4.0","",[119,120,121,20,122],"anti-spam","antispam","captcha","spam","http:\u002F\u002Fwww.wpbruiser.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoodbye-captcha.zip",85,{"slug":127,"name":128,"version":129,"author":130,"author_profile":131,"description":132,"short_description":133,"active_installs":134,"downloaded":135,"rating":25,"num_ratings":136,"last_updated":137,"tested_up_to":138,"requires_at_least":139,"requires_php":140,"tags":141,"homepage":144,"download_link":145,"security_score":146,"vuln_count":147,"unpatched_count":11,"last_vuln_date":148,"fetched_at":56},"jwt-auth","JWT Auth – WordPress JSON Web Token Authentication","3.0.2","Bagus","https:\u002F\u002Fprofiles.wordpress.org\u002Fcontactjavas\u002F","\u003Cp>WordPress JSON Web Token Authentication allows you to do REST API authentication via token. It is a simple, non-complex, and easy to use. 
This plugin probably is the most convenient way to do JWT Authentication in WordPress.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support & question: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fjwt-auth\u002F\" rel=\"ugc\">WordPress support forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Reporting plugin’s bug: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub issues tracker\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FDgECpEg\" rel=\"nofollow ugc\">Discord channel\u003C\u002Fa> also available for faster response.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Upgrading to v3\u003C\u002Fh3>\n\u003Cp>When updating from v2 to v3, familiarise yourself with its changes to ensure that your site continues to work as expected:\u003C\u002Fp>\n\u003Ch4>New: Refresh tokens ([docs](https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth#refreshing-the-access-token))\u003C\u002Fh4>\n\u003Cp>Key changes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Default JWT access token expiry time has been reduced from 7 days to 10 minutes.\u003C\u002Fli>\n\u003Cli>On expiry of a JWT, clients need to retrieve a new access token using the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth#refreshing-the-access-token\" rel=\"nofollow ugc\">refresh token as described here\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>To retain the 7 day expiry time, use the hook \u003Ccode>jwt_auth_expire\u003C\u002Fcode>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Removed Whitelist\u003C\u002Fh4>\n\u003Cp>Key changes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>You no longer need to whitelist REST paths from other plugins with the hook \u003Ccode>jwt_auth_whitelist\u003C\u002Fcode>. 
You can remove the hook.\u003C\u002Fli>\n\u003Cli>Instead, custom REST API routes should have access requirements specified with the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Fextending-the-rest-api\u002Fadding-custom-endpoints\u002F#permissions-callback\" rel=\"nofollow ugc\">permissions callback\u003C\u002Fa> when they are registered.\u003C\u002Fli>\n\u003Cli>This means that if a route requires authentication, any authentication method can be used and this should reduce conflicts between this and other plugins. See \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fpull\u002F60\" rel=\"nofollow ugc\">this discussion\u003C\u002Fa> for further information.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Enable PHP HTTP Authorization Header\u003C\u002Fh3>\n\u003Ch4>Shared Hosts\u003C\u002Fh4>\n\u003Cp>Most shared hosts have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPEngine\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following (see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1\" rel=\"nofollow ugc\">this issue\u003C\u002Fa>):\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch4>Configure the Secret Key\u003C\u002Fh4>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. 
This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never be revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can use a string from \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Configure CORS Support\u003C\u002Fh4>\n\u003Cp>This plugin has the option to activate \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, three new \u003Cem>POST\u003C\u002Fem> endpoints are added to this namespace.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\n\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Requesting\u002F Generating Token\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate a token, submit a POST request to this endpoint. 
Pass \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters.\u003C\u002Fp>\n\u003Cp>It validates the user credentials and returns a success response including a token if authentication succeeds, or an error response if authentication fails.\u003C\u002Fp>\n\u003Cp>You can use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to let the user manage the device access in your profile. If this parameter is empty, it is ignored.\u003C\u002Fp>\n\u003Ch4>Sample of success response when trying to generate token:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": true,\n    \"statusCode\": 200,\n    \"code\": \"jwt_auth_valid_credential\",\n    \"message\": \"Credential is valid\",\n    \"data\": {\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw\",\n        \"id\": 1,\n        \"email\": \"contactjavas@gmail.com\",\n        \"nicename\": \"contactjavas\",\n        \"firstName\": \"Bagus Javas\",\n        \"lastName\": \"Heruyanto\",\n        \"displayName\": \"contactjavas\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of error response when trying to generate token:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"invalid_username\",\n    \"message\": \"Unknown username. Try again or check your email address.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application. 
It can be:\u003Cbr \u002F>\n– using \u003Cstrong>cookie\u003C\u002Fstrong>\u003Cbr \u002F>\n– or using \u003Cstrong>localstorage\u003C\u002Fstrong>\u003Cbr \u002F>\n– or using a wrapper like \u003Ca href=\"https:\u002F\u002Flocalforage.github.io\u002FlocalForage\u002F\" rel=\"nofollow ugc\">localForage\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fpouchdb.com\u002F\" rel=\"nofollow ugc\">PouchDB\u003C\u002Fa>\u003Cbr \u002F>\n– or using local database like SQLite or \u003Ca href=\"https:\u002F\u002Fdocs.hivedb.dev\u002F#\u002F\" rel=\"nofollow ugc\">Hive\u003C\u002Fa>\u003Cbr \u002F>\n– or your choice based on app you develop 😉\u003C\u002Fp>\n\u003Cp>Then you should pass this token as \u003Cem>Bearer Authentication\u003C\u002Fem> header to every API call. The header format is:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer your-generated-token\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>and here’s an example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw\";\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>jwt-auth\u003C\u002Fstrong> will intercept every call to the server and will look for the authorization header, if the authorization header is present, it will try to decode the token and will set the user according with the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as always.\u003C\u002Fp>\n\u003Ch3>Validating Token\u003C\u002Fh3>\n\u003Cp>You likely \u003Cstrong>don’t need\u003C\u002Fstrong> to validate the token your self. 
The plugin handles it for you as explained above.\u003C\u002Fp>\n\u003Cp>But if you want to test or validate the token manually, then send a \u003Cstrong>POST\u003C\u002Fstrong> request to this endpoint (don’t forget to set your \u003Cem>Bearer Authorization\u003C\u002Fem> header):\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Valid Token Response:\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": true,\n    \"statusCode\": 200,\n    \"code\": \"jwt_auth_valid_token\",\n    \"message\": \"Token is valid\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Refreshing the Access Token\u003C\u002Fh3>\n\u003Cp>For security reasons, third-party applications that are integrating with your authentication server will not store the user’s username and password. Instead they will store the refresh token in user-specific storage that is only accessible to the user. The refresh token can be used to re-authenticate as the same user and generate a new access token.\u003C\u002Fp>\n\u003Cp>When authenticating with \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters to \u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fcode>, a refresh token is sent as a cookie in the response.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate a new access token using the refresh token, submit a POST request to the token endpoint together with the \u003Ccode>refresh_token\u003C\u002Fcode> cookie.\u003C\u002Fp>\n\u003Cp>Use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the token with that device.\u003C\u002Fp>\n\u003Cp>If the refresh token is valid, then you receive a new access token in the response.\u003C\u002Fp>\n\u003Cp>By default, each access token expires after 10 
minutes.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>To generate a new refresh token using the refresh token, submit a POST request to the token refresh endpoint together with the \u003Ccode>refresh_token\u003C\u002Fcode> cookie.\u003C\u002Fp>\n\u003Cp>Use the optional parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the refresh token with that device.\u003C\u002Fp>\n\u003Cp>If the refresh token is valid, then you receive a new refresh token as a cookie in the response.\u003C\u002Fp>\n\u003Cp>By default, each refresh token expires after 30 days.\u003C\u002Fp>\n\u003Ch4>Refresh Token Rotation\u003C\u002Fh4>\n\u003Cp>Whenever you authenticate afresh or refresh the refresh token, only the last issued refresh token remains valid. All previously issued refresh tokens can no longer be used.\u003C\u002Fp>\n\u003Cp>This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticates, use the parameter \u003Ccode>device\u003C\u002Fcode> with the device identifier to associate the refresh token only with that device.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl -F device=\"abc-def\" -F username=myuser -F password=mypass \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\n\ncurl -F device=\"abc-def\" -b \"refresh_token=123.abcdef...\" \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\n\n\ncurl -F device=\"abc-def\" -b \"refresh_token=123.abcdef...\" \u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Errors\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. 
Here are some samples of errors:\u003C\u002Fp>\n\u003Ch4>No Secret Key\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_config\",\n    \"message\": \"JWT is not configured properly.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>No HTTP_AUTHORIZATION Header\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_no_auth_header\",\n    \"message\": \"Authorization header not found.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Iss\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_iss\",\n    \"message\": \"The iss do not match with this server.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Signature\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Incomplete Payload\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_bad_request\",\n    \"message\": \"User ID not found in the token.\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>User Not Found\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_user_not_found\",\n    \"message\": \"User doesn't exist\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 403,\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Obsolete Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n   
 \"statusCode\": 403,\n    \"code\": \"jwt_auth_obsolete_token\",\n    \"message\": \"Token is obsolete\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_invalid_refresh_token\",\n    \"message\": \"Invalid refresh token\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Obsolete Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_obsolete_refresh_token\",\n    \"message\": \"Refresh token is obsolete\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Refresh Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"success\": false,\n    \"statusCode\": 401,\n    \"code\": \"jwt_auth_expired_refresh_token\",\n    \"message\": \"Refresh token has expired\",\n    \"data\": []\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Available Filter Hooks\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>JWT Auth\u003C\u002Fstrong> is developer friendly and has some filters available to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_cors_allow_headers\u003C\u002Fcode> allows you to modify the available headers when the CORs support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'X-Requested-With, Content-Type, Accept, Origin, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the allowed CORS headers.\n *\n * @param string $headers The allowed headers.\n * @return string The allowed headers.\n *\u002F\nadd_filter(\n    'jwt_auth_cors_allow_headers',\n    function ( $headers ) {\n        \u002F\u002F Modify the headers here.\n        return $headers;\n    
}\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_iss\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_iss\u003C\u002Fstrong> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.1\" rel=\"nofollow ugc\">\u003Cstrong>iss\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>get_bloginfo( 'url' )\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token issuer.\n *\n * @param string $iss The token issuer.\n * @return string The token issuer.\n *\u002F\nadd_filter(\n    'jwt_auth_iss',\n    function ( $iss ) {\n        \u002F\u002F Modify the \"iss\" here.\n        return $iss;\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_not_before\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F\u002F Creation time.\ntime()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's nbf value.\n *\n * @param int $not_before The default \"nbf\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n *\n * @return int The \"nbf\" value.\n *\u002F\nadd_filter(\n    'jwt_auth_not_before',\n    function ( $not_before, $issued_at ) {\n        \u002F\u002F Modify the \"not_before\" here.\n        return $not_before;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_expire\u003C\u002Fcode> allows you to change the value \u003Ca 
href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's expire value.\n *\n * @param int $expire The default \"exp\" value in timestamp.\n * @param int $issued_at The \"iat\" value in timestamp.\n *\n * @return int The \"exp\" value.\n *\u002F\nadd_filter(\n    'jwt_auth_expire',\n    function ( $expire, $issued_at ) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_refresh_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_refresh_expire\u003C\u002Fcode> filter hook allows you to change the expiration date of the refresh token.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 30)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the refresh token's expiration time.\n *\n * @param int $expire The default expiration timestamp.\n * @param int $issued_at The current time.\n *\n * @return int The custom refresh token expiration timestamp.\n *\u002F\nadd_filter(\n    'jwt_auth_refresh_expire',\n    function ( $expire, $issued_at ) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_alg\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_alg\u003C\u002Fcode> allows you to change the supported signing \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-jose-json-web-algorithms-40\" rel=\"nofollow ugc\">algorithm\u003C\u002Fa> for your 
application.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'HS256'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's signing algorithm.\n *\n * @param string $alg The default supported signing algorithm.\n * @return string The supported signing algorithm.\n *\u002F\nadd_filter(\n    'jwt_auth_alg',\n    function ( $alg ) {\n        \u002F\u002F Change the signing algorithm here.\n        return $alg;\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_payload\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_payload\u003C\u002Fcode> allows you to modify all the payload \u002F token data before being encoded and signed.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issued_at,\n    'nbf' => $not_before,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the payload\u002F token's data before being encoded & signed.\n *\n * @param array $payload The default payload\n * @param WP_User $user The authenticated user.\n * .\n * @return array The payload\u002F token's data.\n *\u002F\nadd_filter(\n    'jwt_auth_payload',\n    function ( $payload, $user ) {\n        \u002F\u002F Modify the payload here.\n        return $payload;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_valid_credential_response\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>jwt_auth_valid_credential_response\u003C\u002Fcode> allows you to modify the valid credential response when generating a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$response = array(\n    'success'    => true,\n    'statusCode' => 200,\n    'code'       
=> 'jwt_auth_valid_credential',\n    'message'    => __( 'Credential is valid', 'jwt-auth' ),\n    'data'       => array(\n        'token'       => $token,\n        'id'          => $user->ID,\n        'email'       => $user->user_email,\n        'nicename'    => $user->user_nicename,\n        'firstName'   => $user->first_name,\n        'lastName'    => $user->last_name,\n        'displayName' => $user->display_name,\n    ),\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the response of valid credential.\n *\n * @param array $response The default valid credential response.\n * @param WP_User $user The authenticated user.\n * .\n * @return array The valid credential response.\n *\u002F\nadd_filter(\n    'jwt_auth_valid_credential_response',\n    function ( $response, $user ) {\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>jwt_auth_valid_token_response\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>jwt_auth_valid_token_response\u003C\u002Fstrong> allows you to modify the valid token response when validating a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C?php\n$response = array(\n    'success'    => true,\n    'statusCode' => 200,\n    'code'       => 'jwt_auth_valid_token',\n    'message'    => __( 'Token is valid', 'jwt-auth' ),\n    'data'       => array(),\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the response of valid token.\n *\n * @param array $response The default valid token response.\n * @param WP_User $user The authenticated user.\n * @param string $token The raw token.\n * @param array $payload The token data.\n * .\n * @return array The valid token response.\n *\u002F\nadd_filter(\n    'jwt_auth_valid_token_response',\n    function ( $response, $user, $token, $payload ) 
{\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    4\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>jwt_auth_extra_token_check\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>jwt_auth_extra_token_check\u003C\u002Fstrong> allows you to add extra criteria to validate the token. If the returned value is empty, validation proceeds; return an empty value to bypass the filter. Any other value blocks the token and returns a response with the code \u003Ccode>jwt_auth_obsolete_token\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>''\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the validation of token. Non-empty values block token validation.\n *\n * @param array $response An empty value ''.\n * @param WP_User $user The authenticated user.\n * @param string $token The raw token.\n * @param array $payload The token data.\n * .\n * @return array The valid token response.\n *\u002F\nadd_filter(\n    'jwt_auth_extra_token_check',\n    function ( $response, $user, $token, $payload ) {\n        \u002F\u002F Modify the response here.\n        return $response;\n    },\n    10,\n    4\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffirebase\u002Fphp-jwt\" rel=\"nofollow ugc\">PHP-JWT from firebase\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fjwt-authentication-for-wp-rest-api\u002F\" rel=\"ugc\">JWT Authentication for WP REST API\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpesseba\" rel=\"nofollow ugc\">Devices utility by pesseba\u003C\u002Fa>\u003Cbr \u002F>\nThe \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fcollaborators\" rel=\"nofollow ugc\">awesome maintainers\u003C\u002Fa> and \u003Ca 
href=\"https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth\u002Fgraphs\u002Fcontributors\" rel=\"nofollow ugc\">contributors\u003C\u002Fa>\u003C\u002Fp>\n","Create JSON Web Token Authentication in WordPress.",6000,109875,22,"2024-05-07T21:38:00.000Z","6.5.8","5.2","7.2",[142,19,127,143],"json-web-token","token-authentication","https:\u002F\u002Fgithub.com\u002Fusefulteam\u002Fjwt-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-auth.zip",83,1,"2022-11-11 00:00:00",{"attackSurface":150,"codeSignals":177,"taintFlows":231,"riskAssessment":232,"analyzedAt":242},{"hooks":151,"ajaxHandlers":173,"restRoutes":174,"shortcodes":175,"cronEvents":176,"entryPointCount":11,"unprotectedCount":11},[152,158,165,169],{"type":153,"name":154,"callback":155,"priority":147,"file":156,"line":157},"filter","mailpoet_newsletter_shortcode","simple_jwt_login_mailpoet_shortcode","mailpoet.php",9,{"type":159,"name":160,"callback":161,"priority":162,"file":163,"line":164},"action","admin_menu","simple_jwt_login__mailpoet_plugin_create_menu_entry",11,"simple-jwt-login-mailpoet.php",13,{"type":159,"name":166,"callback":167,"file":163,"line":168},"admin_notices","simple_jwt_login_plugin_missing_notice",15,{"type":159,"name":170,"callback":171,"file":163,"line":172},"plugins_loaded","simple_jwt_login_mail_poet_load_translations",37,[],[],[],[],{"dangerousFunctions":178,"sqlUsage":179,"outputEscaping":181,"fileOperations":11,"externalRequests":11,"nonceChecks":11,"capabilityChecks":11,"bundledLibraries":230},[],{"prepared":11,"raw":11,"locations":180},[],{"escaped":11,"rawEcho":182,"locations":183},24,[184,187,189,190,192,194,196,198,200,202,204,206,207,208,210,212,214,216,218,220,222,224,226,228],{"file":163,"line":185,"context":186},20,"raw 
output",{"file":188,"line":136,"context":186},"views\\layout.php",{"file":188,"line":172,"context":186},{"file":188,"line":191,"context":186},43,{"file":188,"line":193,"context":186},45,{"file":188,"line":195,"context":186},48,{"file":188,"line":197,"context":186},60,{"file":188,"line":199,"context":186},72,{"file":188,"line":201,"context":186},75,{"file":188,"line":203,"context":186},86,{"file":188,"line":205,"context":186},89,{"file":188,"line":34,"context":186},{"file":188,"line":25,"context":186},{"file":188,"line":209,"context":186},103,{"file":188,"line":211,"context":186},113,{"file":188,"line":213,"context":186},115,{"file":188,"line":215,"context":186},118,{"file":188,"line":217,"context":186},127,{"file":188,"line":219,"context":186},130,{"file":188,"line":221,"context":186},139,{"file":188,"line":223,"context":186},142,{"file":188,"line":225,"context":186},155,{"file":188,"line":227,"context":186},159,{"file":188,"line":229,"context":186},167,[],[],{"summary":233,"deductions":234},"The \"simple-jwt-login-mailpoet\" v1.0.2 plugin presents a mixed security posture.  On the positive side, the static analysis indicates a lack of identified attack surface points (AJAX, REST API, shortcodes, cron), no dangerous functions, and all SQL queries utilizing prepared statements. The vulnerability history is also clean, with no recorded CVEs, suggesting a stable and potentially well-maintained codebase in terms of known external threats.  However, a significant concern arises from the output escaping. With 24 total outputs and 0% properly escaped, this opens the door to potential Cross-Site Scripting (XSS) vulnerabilities. Any user-supplied data that is not correctly sanitized before being displayed to users could be exploited by attackers. The absence of nonce checks and capability checks on entry points, although the entry points themselves are reported as zero, is a point of caution. 
If any new entry points were to be introduced or if the initial analysis missed something, this could lead to significant security risks.  The lack of taint analysis results is also noteworthy; it's unclear if this is because no flows were analyzed or if no potentially malicious flows were detected. Overall, while the plugin shows good practices in terms of SQL and a clean vulnerability history, the critical lack of output escaping is a substantial weakness that requires immediate attention.",[235,237,240],{"reason":236,"points":168},"0% of outputs properly escaped",{"reason":238,"points":239},"No nonce checks present",5,{"reason":241,"points":239},"No capability checks present","2026-03-17T06:41:35.752Z",{"wat":244,"direct":253},{"assetPaths":245,"generatorPatterns":248,"scriptPaths":249,"versionParams":250},[246,247],"\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login-mailpoet\u002Fassets\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login-mailpoet\u002Fassets\u002Fjs\u002Fscripts.js",[],[247],[251,252],"simple-jwt-login-mailpoet\u002Fassets\u002Fcss\u002Fstyle.css?ver=","simple-jwt-login-mailpoet\u002Fassets\u002Fjs\u002Fscripts.js?ver=",{"cssClasses":254,"htmlComments":255,"htmlAttributes":256,"restEndpoints":257,"jsGlobals":258,"shortcodeOutput":259},[],[],[],[],[],[],{"error":261,"url":262,"statusCode":263,"statusMessage":264,"message":264},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fsimple-jwt-login-mailpoet\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":266,"versions":267},6,[268,274,281,288,295,302],{"version":6,"download_url":24,"svn_tag_url":269,"released_at":26,"has_diff":270,"diff_files_changed":271,"diff_lines":26,"trac_diff_url":272,"vulnerabilities":273,"is_current":261},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login-mailpoet\u002Ftags\u002F1.0.3\u002F",false,[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F1.0.2&new_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F1.0.3",[],{"version":275,"download_url":276,"svn_tag_url":277,"released_at":26,"has_diff":270,"diff_files_changed":278,"diff_lines":26,"trac_diff_url":279,"vulnerabilities":280,"is_current":270},"1.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login-mailpoet.1.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login-mailpoet\u002Ftags\u002F1.0.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F1.0.1&new_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F1.0.2",[],{"version":282,"download_url":283,"svn_tag_url":284,"released_at":26,"has_diff":270,"diff_files_changed":285,"diff_lines":26,"trac_diff_url":286,"vulnerabilities":287,"is_current":270},"1.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login-mailpoet.1.0.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login-mailpoet\u002Ftags\u002F1.0.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F1.0.0&new_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F1.0.1",[],{"version":289,"download_url":290,"svn_tag_url":291,"released_at":26,"has_diff":270,"diff_files_changed":292,"diff_lines":26,"trac_diff_url":293,"vulnerabilities":294,"is_current":270},"1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login-mailpoet.1.0.0.zip","https:\
u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login-mailpoet\u002Ftags\u002F1.0.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F0.1.1&new_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F1.0.0",[],{"version":296,"download_url":297,"svn_tag_url":298,"released_at":26,"has_diff":270,"diff_files_changed":299,"diff_lines":26,"trac_diff_url":300,"vulnerabilities":301,"is_current":270},"0.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login-mailpoet.0.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login-mailpoet\u002Ftags\u002F0.1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F0.1.0&new_path=%2Fsimple-jwt-login-mailpoet%2Ftags%2F0.1.1",[],{"version":303,"download_url":304,"svn_tag_url":305,"released_at":26,"has_diff":270,"diff_files_changed":306,"diff_lines":26,"trac_diff_url":26,"vulnerabilities":307,"is_current":270},"0.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login-mailpoet.0.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login-mailpoet\u002Ftags\u002F0.1.0\u002F",[],[]]