[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fecbtaC3biQF2fmRWa7Oaolu8bU4Tpxi64xmCJ7GMwDU":3,"$f-zStq9uDawtsDeBSH63RF4PHR1tB4SXQ5fcZj8xPI68":985,"$fmaYm2QVo8q1RCXOboO7s0IClU28mR2FBGt6BLHI5Zqc":989},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"discovery_status":32,"vulnerabilities":33,"developer":83,"crawl_stats":39,"alternatives":90,"analysis":191,"fingerprints":956},"simple-jwt-login","Simple JWT Login – Allows you to use JWT on REST endpoints.","3.6.5","Nicu Micle","https:\u002F\u002Fprofiles.wordpress.org\u002Fnicu_m\u002F","\u003Cp>Simple JWT Login is a \u003Cstrong>FREE\u003C\u002Fstrong> WordPress plugin that enables secure authentication for your WordPress REST API using \u003Cstrong>JSON Web Tokens\u003C\u002Fstrong> (JWT).\u003C\u002Fp>\n\u003Cp>With this powerful plugin, you can:\u003Cbr \u002F>\n– Log in, register, and authenticate users effortlessly\u003Cbr \u002F>\n– Connect mobile apps, external websites, or third-party services to WordPress with ease\u003Cbr \u002F>\n– Change or delete user passwords securely\u003C\u002Fp>\n\u003Cp>Whether you’re building a headless WordPress setup or integrating with external platforms, Simple JWT Login provides a fast, secure, and reliable authentication solution.\u003C\u002Fp>\n\u003Cp>You can read more on our plugin documentation website \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Some awesome features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Auto-login using JWT and AUTH_KEY\u003C\u002Fli>\n\u003Cli>Register new users via API\u003C\u002Fli>\n\u003Cli>Delete WordPress users 
based on a JWT\u003C\u002Fli>\n\u003Cli>Reset user password\u003C\u002Fli>\n\u003Cli>Allow auto-login \u002F register \u002F delete users only from specific IP addresses\u003C\u002Fli>\n\u003Cli>Allow user registration only from a specific domain name\u003C\u002Fli>\n\u003Cli>API Route for generating new JWT\u003C\u002Fli>\n\u003Cli>Get JWT from URL, SESSION, COOKIE or HEADER\u003C\u002Fli>\n\u003Cli>Pass request parameters to login URL\u003C\u002Fli>\n\u003Cli>CORS settings for plugin Routes\u003C\u002Fli>\n\u003Cli>Hooks\u003C\u002Fli>\n\u003Cli>JWT Authentication\u003C\u002Fli>\n\u003Cli>Allow access to private endpoints with JWT\u003C\u002Fli>\n\u003Cli>Protect endpoints with JWT\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google OAuth Integration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google JWT on all endpoints\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-graphql\u002F\" rel=\"ugc\">WPGraphQL\u003C\u002Fa> integration\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check the plugin \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">website\u003C\u002Fa> for more features.\u003C\u002Fp>\n\u003Ch3>Login User\u003C\u002Fh3>\n\u003Cp>This plugin is customizable and offers you multiple methods to log in to your website, based on multiple scenarios.\u003C\u002Fp>\n\u003Cp>In order to log in, users have to send a JWT. 
The plugin validates the JWT and, if everything is OK, it can extract the WordPress email address or user ID.\u003Cbr \u002F>\nUsers can specify the exact key of the JWT payload where this information can be found.\u003C\u002Fp>\n\u003Cp>Here are the ways you can send the JWT in order to auto-login:\u003C\u002Fp>\n\u003Col>\n\u003Cli>URL\u003C\u002Fli>\n\u003Cli>Header\u003C\u002Fli>\n\u003Cli>Cookie\u003C\u002Fli>\n\u003Cli>Session\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If the JWT is present in multiple places (like URL and Header), the JWT will be overwritten.\u003C\u002Fp>\n\u003Cp>This plugin supports multiple JWT Decryption algorithms, like: HS256, HS512, HS384, RS256, RS384 and RS512.\u003C\u002Fp>\n\u003Cp>After the user is logged in, you can automatically redirect the user to a page like:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Dashboard\u003C\u002Fli>\n\u003Cli>Homepage\u003C\u002Fli>\n\u003Cli>or any other custom Page (this is mainly used for redirecting users to a landing page)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can attach to your redirect a URL parameter \u003Ccode>redirectUrl\u003C\u002Fcode> that will be used for redirect instead of the defined ones.\u003Cbr \u002F>\nIn order to use this, you have to enable it by checking the option \u003Ccode>Allow redirect to a specific URL\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Also, redirect after login offers some variables that you can use in the customURL and redirectUrl.\u003Cbr \u002F>\nHere are the variables which you can use in your URL:\u003Cbr \u002F>\n– \u003Ccode>{{site_url}}\u003C\u002Fcode> : Site URL\u003Cbr \u002F>\n– \u003Ccode>{{user_id}}\u003C\u002Fcode> : Logged in user ID\u003Cbr \u002F>\n– \u003Ccode>{{user_email}}\u003C\u002Fcode> : Logged in user email\u003Cbr \u002F>\n– \u003Ccode>{{user_login}}\u003C\u002Fcode> : Logged in username\u003Cbr \u002F>\n– \u003Ccode>{{user_first_name}}\u003C\u002Fcode> : User first name\u003Cbr \u002F>\n– 
\u003Ccode>{{user_last_name}}\u003C\u002Fcode> : User last name\u003Cbr \u002F>\n– \u003Ccode>{{user_nicename}}\u003C\u002Fcode> : User nice name\u003C\u002Fp>\n\u003Cp>You can generate dynamic URLs with these variables, and, before the redirect, the specific value will be replaced.\u003C\u002Fp>\n\u003Cp>Here is an example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>http:\u002F\u002Fyourdomain.com?param1={{user_id}}&param2={{user_login}}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, this plugin allows you to limit the auto-login based on the client IP address.\u003Cbr \u002F>\nIf you are concerned about security, you can allow auto-login only from some IP addresses.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fautologin\u002F\" rel=\"nofollow ugc\">Read more\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Register Users\u003C\u002Fh3>\n\u003Cp>This plugin also allows you to create WordPress users.\u003C\u002Fp>\n\u003Cp>This option is disabled by default, but you can enable it at any time.\u003C\u002Fp>\n\u003Cp>In order to create users, you just have to make a POST request to the route URL, and send an \u003Cem>email\u003C\u002Fem> and a \u003Cem>password\u003C\u002Fem> as parameters, and the new user will be created.\u003C\u002Fp>\n\u003Cp>You can select the type for the new users: editor, author, contributor, subscriber, etc.\u003C\u002Fp>\n\u003Cp>Also, you can limit user creation to specific IP addresses or specific email domains.\u003C\u002Fp>\n\u003Cp>Another cool option is “Generate a random password when a new user is created”.\u003Cbr \u002F>\nIf this option is selected, the password is no longer required when a new user is created; a random password will be generated.\u003C\u002Fp>\n\u003Cp>Another option that you have for registering users is “Initialize force login after register”.\u003Cbr \u002F>\nWhen the user registration is completed, the user will continue on the flow configured on login 
config.\u003C\u002Fp>\n\u003Cp>If auto-login is disabled, this feature will not work and the register user will go on a normal flow and return a json response.\u003C\u002Fp>\n\u003Cp>If you want to add custom user_meta on user creation, just add the parameter \u003Ccode>user_meta\u003C\u002Fcode> with a json. This will create user_meta for the new user.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n    \"meta_key\":\"meta_value\",\n    \"meta_key2\":\"meta_value\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>These properties can be passed in the request when the new user is created.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>email\u003C\u002Fstrong> : (required) (string)  The user email address.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>password\u003C\u002Fstrong> :  (required) (string) The plain-text user password.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_login\u003C\u002Fstrong> : (string) The user’s login username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_nicename\u003C\u002Fstrong> : (string) The URL-friendly username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_url\u003C\u002Fstrong> : (string) The user URL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>display_name\u003C\u002Fstrong> : (string) The user’s display name. Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>nickname\u003C\u002Fstrong> : (string) The user’s nickname. Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>first_name\u003C\u002Fstrong> : (string) The user’s first name. For new users, will be used to build the first part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>last_name\u003C\u002Fstrong> : (string) The user’s last name. 
For new users, will be used to build the second part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>description\u003C\u002Fstrong> : (string) The user’s biographical description.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>rich_editing\u003C\u002Fstrong> : (string) Whether to enable the rich-editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>syntax_highlighting\u003C\u002Fstrong> : (string) Whether to enable the rich code editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>comment_shortcuts\u003C\u002Fstrong> : (string) Whether to enable comment moderation keyboard shortcuts for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘false’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>admin_color\u003C\u002Fstrong> : (string) Admin color scheme for the user. Default ‘fresh’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>use_ssl\u003C\u002Fstrong> : (bool) Whether the user should always access the admin over https. Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_registered\u003C\u002Fstrong> : (string) Date the user registered. Format is \u003Ccode>Y-m-d H:m:s\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_activation_key\u003C\u002Fstrong> : (string) Password reset key. Default empty.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>spam\u003C\u002Fstrong> : (bool) Multisite only. Whether the user is marked as spam. Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>show_admin_bar_front\u003C\u002Fstrong> : (string) Whether to display the Admin Bar for the user on the site’s front end. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>locale\u003C\u002Fstrong> : (string) User’s locale. 
Default empty.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fregister-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Delete User\u003C\u002Fh3>\n\u003Cp>The delete user feature is disabled by default.\u003C\u002Fp>\n\u003Cp>In order to delete a user, you have to configure where to search the details in the JWT.\u003Cbr \u002F>\nYou can delete users by WordPress User ID or by Email address.\u003C\u002Fp>\n\u003Cp>Also, you have to choose the JWT parameter key where the email or user ID is stored in the JWT.\u003C\u002Fp>\n\u003Cp>Also, you can limit the deletion of users to specific IP addresses for security reasons.\u003C\u002Fp>\n\u003Ch3>Reset Password\u003C\u002Fh3>\n\u003Cp>Reset password and change password endpoints are disabled by default.\u003C\u002Fp>\n\u003Cp>This plugin allows you to send the reset password email just by calling an endpoint. An email with the code will be sent to a specific email address.\u003C\u002Fp>\n\u003Cp>Also, you are able to customize this email, or even not send an email at all.\u003C\u002Fp>\n\u003Cp>The change password endpoint changes the user password based on the reset password code.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fdelete-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Authentication\u003C\u002Fh3>\n\u003Cp>This plugin allows users to generate JWT tokens based on the WordPress user email and password.\u003C\u002Fp>\n\u003Cp>In order to get a new JWT, just make a POST request to the \u003Cem>\u002Fauth\u003C\u002Fem> route with your WordPress email (or username) and password (or password_hash), and the response will look something like this:\u003C\u002Fp>\n\u003Cpre>\u003Ccode> {\n     \"success\": true,\n     \"data\": {\n         \"jwt\": \"NEW_GENERATED_JWT_HERE\"\n     }\n 
}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you want to add extra parameters in the JWT payload, just send the parameter \u003Ccode>payload\u003C\u002Fcode> on \u003Ccode>\u002Fauth\u003C\u002Fcode> endpoint, and add a json with the values you want to be added in the payload.\u003C\u002Fp>\n\u003Cp>At some point, the JWT will expire.\u003Cbr \u002F>\nSo, if you want to renew it without having to ask again for user and password, you will have to make a POST request to the \u003Cem>auth\u002Frefresh\u003C\u002Fem> route.\u003C\u002Fp>\n\u003Cp>This will generate a response with a new JWT, similar to the one that \u003Ccode>\u002Fauth\u003C\u002Fcode> generates.\u003C\u002Fp>\n\u003Cp>If you want to get some details about a JWT, and validate that JWT, you can call \u003Ccode>\u002Fauth\u002Fvalidate\u003C\u002Fcode>. If you have a valid JWT, details about the available WordPress user will be returned, and some JWT details.\u003C\u002Fp>\n\u003Cp>If you want to revoke a JWT, access \u003Ccode>\u002Fauth\u002Frevoke\u003C\u002Fcode> and send the \u003Ccode>jwt\u003C\u002Fcode> as a parameter.\u003C\u002Fp>\n\u003Cp>The plugin auto-generates the example URL you might need to test these scenarios.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauthentication\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Auth codes\u003C\u002Fh3>\n\u003Cp>Auth codes are optional, but you can enable them for Auto-login, Register User and Delete user.\u003C\u002Fp>\n\u003Cp>This feature allows you to add a layer of protection to your API routes.\u003C\u002Fp>\n\u003Cp>The Auth codes contains 3 parts:\u003Cbr \u002F>\n1. Authentication Key: This is the actual code that you have to add in the request.\u003Cbr \u002F>\n2. WordPress new User Role: can be used when you want to create multiple user types with the create user endpoint. 
If you leave it blank, the value configured in the ‘Register Settings’ will be used.\u003Cbr \u002F>\n3. Expiration Date: This allows you to set an expiration date for your auth codes. The format is ‘Y-M-D H:m:s’. Example : 2020-12-24 23:00:00. If you leave it blank, it will never expire.\u003C\u002Fp>\n\u003Cp>Expiration date format: year-month-day hours:minutes:seconds\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauth-codes\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Cp>This plugin allows advanced users to link some hooks with the plugin and perform some custom scripts.\u003Cbr \u002F>\nSome available hooks:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_login_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook is called after the user has been logged in. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_redirect_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: string $url, array $request\u003C\u002Fli>\n\u003Cli>description: This hook is called before the user is redirected to the page specified in the login section. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_register_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user, string $plain_text_password\u003C\u002Fli>\n\u003Cli>description: This hook is called after a new user has been created.  
\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_delete_user_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook it is called right after the user has been deleted.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_jwt_payload_auth\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fauth endpoint. Here you can modify payload parameters. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_no_redirect_message\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fautologin endpoint when the option \u003Ccode>No Redirect\u003C\u002Fcode> is selected. You can customize the message and add parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_reset_password_custom_email_template\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: string $template, array $request\u003C\u002Fli>\n\u003Cli>return: string $template\u003C\u002Fli>\n\u003Cli>description: This is executed when POST \u002Fuser\u002Freset_password is called. 
It will replace the email template that has been added in Reset Password settings  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>View the full list of hooks at \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>CORS\u003C\u002Fh3>\n\u003Cp>The CORS standard is needed because it allows servers to specify who can access their assets and how the assets can be accessed.\u003Cbr \u002F>\nCross-origin requests are made using the standard HTTP request methods like GET, POST, PUT, DELETE, etc.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fcors\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Protect endpoints\u003C\u002Fh3>\n\u003Cp>This option is disabled by default. In order to enable it, you need to set “Protect endpoints enabled” to true.\u003C\u002Fp>\n\u003Cp>This feature comes with 2 actions:\u003Cbr \u002F>\n– Apply on All REST Endpoints\u003Cbr \u002F>\n– Apply only on specific REST endpoints\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply on All REST Endpoints\u003C\u002Fcode>, you will be able to whitelist some endpoints from your WordPress REST API by adding them to the whitelist section.\u003Cbr \u002F>\nFor example, if you only want to allow users to access the \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode> endpoint without having to provide the JWT, you save \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode> in the whitelist section.\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply only on specific endpoints\u003C\u002Fcode>, you will have to add all the endpoints you want to be protected by JWT.\u003C\u002Fp>\n\u003Cp>When an endpoint is protected, and you don’t provide a JWT, you will get the following response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n   \"success\":false,\n   \"data\":{\n     
 \"message\":\"Your are not authorized to access this endpoint.\",\n      \"errorCode\":403,\n      \"type\":\"simple-jwt-login-route-protect\"\n   }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fprotect-endpoints\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Integration\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>PHP\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>In order to easily integrate your app\u002Fsite with simple-jwt-login, we have developed a composer package.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>composer require nicumicle\u002Fsimple-jwt-login-client-php\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can check the \u003Ca href=\"https:\u002F\u002Fpackagist.org\u002Fpackages\u002Fnicumicle\u002Fsimple-jwt-login-client-php\" rel=\"nofollow ugc\">package page\u003C\u002Fa> for more details and code examples.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Javascript\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Also, there is a \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsimple-jwt-login\u002Fjs-sdk\" rel=\"nofollow ugc\">Javascript SDK\u003C\u002Fa> that you can install with \u003Ccode>npm\u003C\u002Fcode> or \u003Ccode>yarn\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>npm install \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>or\u003C\u002Fp>\n\u003Cpre>\u003Ccode>yarn add \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Enhance the WordPress REST API with JWT authentication for secure access by mobile apps, external sites, and third-party services.",5000,82994,100,46,"2026-03-14T06:23:00.000Z","6.9.4","4.4.0","5.5",[20,21,22,23,24],"api","auto-login","jwt","register","tokens","https:\u002F\u002Fsimplejwtlogin.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.5.zip",94,3,0,"2025-09-22 
00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[34,51,68],{"id":35,"url_slug":36,"title":37,"description":38,"plugin_slug":4,"theme_slug":39,"affected_versions":40,"patched_in_version":6,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":48,"patch_diff_files":49,"patch_trac_url":39,"research_status":39,"research_verified":50,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":50,"poc_model_used":39,"poc_verification_depth":39},"CVE-2025-58648","simple-jwt-login-authenticated-contributor-stored-cross-site-scripting","Simple JWT Login \u003C= 3.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Simple JWT Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=3.6.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-17 21:26:01",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F743a52f4-8412-4fc6-a1f2-e21711394b75?source=api-prod",177,[],false,{"id":52,"url_slug":53,"title":54,"description":55,"plugin_slug":4,"theme_slug":39,"affected_versions":56,"patched_in_version":57,"severity":58,"cvss_score":59,"cvss_vector":60,"vuln_type":61,"published_date":62,"updated_date":63,"references":64,"days_to_patch":66,"patch_diff_files":67,"patch_trac_url":39,"research_status":39,"research_verified":50,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":50,"poc_model_used":39,"poc_verification_depth":39},"CVE-2021-24804","simple-jwt-login-cross-site-request-forgery","Simple JWT Login \u003C= 3.2.0 - Cross-Site Request Forgery","The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. 
Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover.","\u003C3.2.1","3.2.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Cross-Site Request Forgery (CSRF)","2021-10-18 00:00:00","2024-01-22 19:56:02",[65],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff89ba641-6c78-48d3-8826-96576198274f?source=api-prod",827,[],{"id":69,"url_slug":70,"title":71,"description":72,"plugin_slug":4,"theme_slug":39,"affected_versions":73,"patched_in_version":74,"severity":58,"cvss_score":75,"cvss_vector":76,"vuln_type":77,"published_date":78,"updated_date":63,"references":79,"days_to_patch":81,"patch_diff_files":82,"patch_trac_url":39,"research_status":39,"research_verified":50,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":50,"poc_model_used":39,"poc_verification_depth":39},"CVE-2021-24998","simple-jwt-login-insecure-password-creation","Simple JWT Login \u003C= 3.2.1 - Insecure Password Creation","The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. 
The password is generated using the str_shuffle PHP function that \"does not generate cryptographically secure values, and should not be used for cryptographic purposes\" according to PHP's documentation.","\u003C3.3.0","3.3.0",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Inadequate Encryption Strength","2021-10-13 00:00:00",[80],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdefd82dd-bda0-4f0c-88cb-4db983953097?source=api-prod",832,[],{"slug":84,"display_name":7,"profile_url":8,"plugin_count":85,"total_installs":11,"avg_security_score":86,"avg_patch_time_days":87,"trust_score":88,"computed_at":89},"nicu_m",2,97,612,77,"2026-05-19T23:10:50.349Z",[91,113,130,151,173],{"slug":92,"name":93,"version":94,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":99,"downloaded":100,"rating":13,"num_ratings":101,"last_updated":102,"tested_up_to":16,"requires_at_least":103,"requires_php":104,"tags":105,"homepage":109,"download_link":110,"security_score":13,"vuln_count":111,"unpatched_count":29,"last_vuln_date":112,"fetched_at":31},"api-bearer-auth","API Bearer Auth","20200916","michielve","https:\u002F\u002Fprofiles.wordpress.org\u002Fmichielve\u002F","\u003Cp>The API Bearer Auth plugin enables authentication for the REST API by using JWT access an refresh tokens. After the user logs in, the access and refresh tokens are returned and can be used for the next requests. Issued tokens can be revoked from within the users admin screen. See below for the endpoints.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note that after activating this plugin, all REST API endpoints will need to be authenticated, unless the endpoint is whitelisted in the \u003Ccode>api_bearer_auth_unauthenticated_urls\u003C\u002Fcode> filter (see FAQ for how to use this filter).\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>JWT\u003C\u002Fh4>\n\u003Cp>Access tokens can be formatted as JWT tokens. 
For this to work, you first have to create a secret and add it to the wp-config.php file. If you don’t do this, access tokens will also work, but are just random strings. To create a random secret key, you can do for example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>base64_encode(openssl_random_pseudo_bytes(64));\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>And then add the result to wp-config:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('API_BEARER_JWT_SECRET', 'mysecretkey');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you have problems, you can verify your JWT tokens at: \u003Ca href=\"https:\u002F\u002Fjwt.io\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fjwt.io\u002F\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Revoke tokens\u003C\u002Fh4>\n\u003Cp>This plugin adds a column to the users table in the admin where you can see when a token expires. You can also revoke tokens by selecting “Revoke API tokens” from the bulk actions select box.\u003C\u002Fp>\n\u003Ch4>API endpoints\u003C\u002Fh4>\n\u003Cp>Note that all endpoints \u003Cstrong>expect JSON in the POST body\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Endpoint:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fapi-bearer-auth\u002Fv1\u002Flogin\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Request body:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: \u003Ccode>client_name\u003C\u002Fcode> is optional. 
But if you use it, make sure to use it as well for the refresh call!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\"username\": \"my_username\", \"password\": \"my_password\", \"client_name\": \"my_app\"}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"wp_user\": {\n    \"data\": {\n      \"ID\": 1,\n      \"user_login\": \"your_user_login\",\n      \u002F\u002F other default WordPress user fields\n    }\n  },\n  \"access_token\": \"your_access_token\",\n  \"expires_in\": 86400, \u002F\u002F number of seconds\n  \"refresh_token\": \"your_refresh_token\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Make sure to save the access and refresh token!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Refresh access token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Endpoint:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fapi-bearer-auth\u002Fv1\u002Ftokens\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Request body:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: \u003Ccode>client_name\u003C\u002Fcode> is optional. 
But if you did use it for the login call, make sure to use it here as well!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\"token\": \"your_refresh_token\", \"client_name\": \"my_app\"}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response success:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"access_token\": \"your_new_access_token\",\n  \"expires_in\": 86400\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response when sending a wrong refresh token is a 401:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"api_api_bearer_auth_error_invalid_token\",\n  \"message\": \"Invalid token.\",\n  \"data\": {\n    \"status\": 401\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Do a request\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>After you have the access token, you can make requests to authenticated endpoints  with an Authorization header like this:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer \u003Cyour_access_token>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Note that Apache sometimes strips out the Authorization header. If this is the case, make sure to add this to the .htaccess file:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteCond %{HTTP:Authorization} ^(.*)\n# Don't know why, but some need the line below instead of the RewriteRule line\n# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you are not logged in or you send an invalid access token, you get a 401 response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"api_bearer_auth_not_logged_in\",\n  \"message\": \"You are not logged in.\",\n  \"data\": {\n    \"status\": 401\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Important update\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Update immediately if you’re using a version below 20200807. 
Before this version all access tokens were updated when calling the refresh callback.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>If you are affected by this, the fastest solution is to execute this query:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>update wp_user_tokens set access_token_valid = NOW();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This will invalidate all access tokens. This means that all users need to refresh their access token and will get a new access token and a unique one this time.\u003C\u002Fp>\n\u003Cp>A big thanks to @harchvertelol for reporting this and suggesting the fix as well!\u003C\u002Fp>\n","Access and refresh tokens based authentication plugin for the REST API.",300,23631,6,"2025-12-08T09:52:00.000Z","4.6","5.4.0",[20,106,22,107,108],"authentication","jwt-tokens","rest-api","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fapi-bearer-auth.zip",1,"2019-09-05 00:00:00",{"slug":114,"name":115,"version":116,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":29,"downloaded":121,"rating":29,"num_ratings":29,"last_updated":109,"tested_up_to":122,"requires_at_least":123,"requires_php":124,"tags":125,"homepage":127,"download_link":128,"security_score":13,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":129},"juanma-jwt-auth-pro","JuanMa JWT Auth Pro","1.2.1","JuanMa Garrido","https:\u002F\u002Fprofiles.wordpress.org\u002Fjuanmaguitar\u002F","\u003Cp>Unlike basic JWT plugins that use \u003Cstrong>single long-lived tokens\u003C\u002Fstrong>, JWT Auth Pro implements \u003Cstrong>modern OAuth 2.0 security best practices\u003C\u002Fstrong> with short-lived access tokens and secure refresh tokens.\u003C\u002Fp>\n\u003Ch4>Why JWT Auth Pro?\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>The Problem with Basic JWT Plugins:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Long-lived tokens (24h+) = Higher security risk\u003Cbr \u002F>\n* No refresh mechanism = Tokens live until expiry\u003Cbr \u002F>\n* XSS 
vulnerable = Tokens stored in localStorage\u003Cbr \u002F>\n* No revocation = Can’t invalidate compromised tokens\u003C\u002Fp>\n\u003Cp>\u003Cstrong>JWT Auth Pro Solution:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Short-lived access tokens (1h default) = Minimal attack window\u003Cbr \u002F>\n* Secure refresh tokens = HTTP-only cookies, XSS protected\u003Cbr \u002F>\n* Automatic token rotation = Fresh tokens on each refresh\u003Cbr \u002F>\n* Complete session control = Revoke any user session instantly\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Simple JWT Authentication\u003C\u002Fstrong> – Clean, stateless token-based auth\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Refresh Tokens\u003C\u002Fstrong> – Secure refresh tokens in HTTP-only cookies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Automatic refresh token rotation for enhanced security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CORS Support\u003C\u002Fstrong> – Proper cross-origin request handling\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean Admin Interface\u003C\u002Fstrong> – Simple configuration in WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong> – Clear endpoints and documentation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Comparison\u003C\u002Fh4>\n\u003Cp>  Feature\u003Cbr \u002F>\n  Basic JWT Plugins\u003Cbr \u002F>\n  JWT Auth Pro\u003C\u002Fp>\n\u003Cp>  Token Lifetime\u003Cbr \u002F>\n  Long (hours\u002Fdays)\u003Cbr \u002F>\n  Short (1 hour)\u003C\u002Fp>\n\u003Cp>  Refresh Tokens\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  Secure HTTP-only\u003C\u002Fp>\n\u003Cp>  XSS Protection\u003Cbr \u002F>\n  Limited\u003Cbr \u002F>\n  HTTP-only cookies\u003C\u002Fp>\n\u003Cp>  Token Revocation\u003Cbr \u002F>\n  Manual only\u003Cbr \u002F>\n  Automatic rotation\u003C\u002Fp>\n\u003Cp>  Session Management\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  Database tracking\u003C\u002Fp>\n\u003Cp>  Security 
Metadata\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  IP + User Agent\u003C\u002Fp>\n\u003Ch4>Perfect for:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Single Page Applications (React, Vue, Angular)\u003C\u002Fli>\n\u003Cli>Mobile Applications (iOS, Android)\u003C\u002Fli>\n\u003Cli>API Integrations (Third-party services)\u003C\u002Fli>\n\u003Cli>Headless WordPress (Decoupled architecture)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>API Endpoints\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Ftoken\u003C\u002Fcode> – Login and get access token\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Frefresh\u003C\u002Fcode> – Refresh access token\u003C\u002Fli>\n\u003Cli>\u003Ccode>GET \u002Fwp-json\u002Fjwt\u002Fv1\u002Fverify\u003C\u002Fcode> – Verify token and get user info\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Flogout\u003C\u002Fcode> – Logout and revoke refresh token\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Stateless Authentication\u003C\u002Fstrong> – JWT tokens contain all necessary information\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Cookies\u003C\u002Fstrong> – Refresh tokens stored securely, inaccessible to JavaScript\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Refresh tokens automatically rotate on use\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Expiration\u003C\u002Fstrong> – Set custom expiration times\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & User Agent Tracking\u003C\u002Fstrong> – Additional security metadata\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support and documentation, visit: https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>This plugin stores user session data including IP addresses and user agent strings for security purposes. 
This data is used solely for authentication and security monitoring.\u003C\u002Fp>\n","Modern JWT authentication with refresh tokens - built for SPAs and mobile apps with enterprise-grade security.",124,"6.8.5","5.6","7.4",[106,22,108,126,24],"security","https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjuanma-jwt-auth-pro.1.2.1.zip","2026-03-15T10:48:56.248Z",{"slug":131,"name":132,"version":133,"author":134,"author_profile":135,"description":136,"short_description":137,"active_installs":138,"downloaded":139,"rating":140,"num_ratings":141,"last_updated":142,"tested_up_to":16,"requires_at_least":143,"requires_php":144,"tags":145,"homepage":149,"download_link":150,"security_score":13,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":31},"jwt-authentication-for-wp-rest-api","JWT Authentication for WP REST API","1.5.0","tmeister","https:\u002F\u002Fprofiles.wordpress.org\u002Ftmeister\u002F","\u003Cp>This plugin seamlessly extends the WP REST API, enabling robust and secure authentication using JSON Web Tokens (JWT). 
It provides a straightforward way to authenticate users via the REST API, returning a standard JWT upon successful login.\u003C\u002Fp>\n\u003Ch3>Key features of this free version include:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication:\u003C\u002Fstrong> Implements the industry-standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints:\u003C\u002Fstrong> Offers clear \u003Ccode>\u002Ftoken\u003C\u002Fcode> and \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode> endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key:\u003C\u002Fstrong> Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional CORS Support:\u003C\u002Fstrong> Easily enable Cross-Origin Resource Sharing support via a \u003Ccode>wp-config.php\u003C\u002Fcode> constant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks:\u003C\u002Fstrong> Provides filters (\u003Ccode>jwt_auth_expire\u003C\u002Fcode>, \u003Ccode>jwt_auth_token_before_sign\u003C\u002Fcode>, etc.) 
for customizing token behavior.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For users requiring more advanced capabilities such as multiple signing algorithms (RS256, ES256), token refresh\u002Frevocation, UI-based configuration, or priority support, consider checking out \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_link_soft\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Support and Requests:\u003C\u002Fstrong> Please use \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub Issues\u003C\u002Fa>. For priority support, consider upgrading to \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=description_support_link\" rel=\"nofollow ugc\">PRO\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>REQUIREMENTS\u003C\u002Fh3>\n\u003Ch4>WP REST API V2\u003C\u002Fh4>\n\u003Cp>This plugin was conceived to extend the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API V2\u003C\u002Fa> plugin features and, of course, was built on top of it.\u003C\u002Fp>\n\u003Cp>So, to use the \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> you need to install and activate \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWP-API\u002FWP-API\" rel=\"nofollow ugc\">WP REST API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>PHP\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Minimum PHP version: 7.4.0\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>PHP HTTP Authorization Header Enable\u003C\u002Fh3>\n\u003Cp>Most shared hosting providers have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by 
default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPENGINE\u003C\u002Fh4>\n\u003Cp>For WPEngine hosting, you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>See https:\u002F\u002Fgithub.com\u002FTmeister\u002Fwp-api-jwt-auth\u002Fissues\u002F1 for more details.\u003C\u002Fp>\n\u003Ch3>CONFIGURATION\u003C\u002Fh3>\n\u003Ch3>Configure the Secret Key\u003C\u002Fh3>\n\u003Cp>The JWT needs a \u003Cstrong>secret key\u003C\u002Fstrong> to sign the token. This \u003Cstrong>secret key\u003C\u002Fstrong> must be unique and never revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>secret key\u003C\u002Fstrong>, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_SECRET_KEY\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a secure key from: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Looking for easier configuration?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=config_secret_key_link\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to manage all settings through a simple admin UI.\u003C\u002Fp>\n\u003Ch3>Configure CORS Support\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin has the option to activate \u003Ca 
href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCross-origin_resource_sharing\" rel=\"nofollow ugc\">CORS\u003C\u002Fa> support.\u003C\u002Fp>\n\u003Cp>To enable CORS Support, edit your wp-config.php file and add a new constant called \u003Cstrong>JWT_AUTH_CORS_ENABLE\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('JWT_AUTH_CORS_ENABLE', true);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Finally, activate the plugin within your wp-admin.\u003C\u002Fp>\n\u003Ch3>Namespace and Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fjwt-auth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace:\u003C\u002Fp>\n\u003Cp>Endpoint | HTTP Verb\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fem> | POST\u003Cbr \u002F>\n\u003Cem>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fem> | POST\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need more functionality?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=endpoints_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> includes additional endpoints for token refresh and revocation.\u003C\u002Fp>\n\u003Ch3>USAGE\u003C\u002Fh3>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u003C\u002Fh4>\n\u003Cp>This is the entry point for JWT Authentication.\u003C\u002Fp>\n\u003Cp>It validates the user credentials, \u003Cem>username\u003C\u002Fem> and \u003Cem>password\u003C\u002Fem>, and returns a token to use in future requests to the API if the authentication is correct, or an error if authentication fails.\u003C\u002Fp>\n\u003Cp>Sample Request Using AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>(function() {\n  var app = angular.module('jwtAuth', []);\n\n  app.controller('MainController', function($scope, $http) 
{\n    var apiHost = 'http:\u002F\u002Fyourdomain.com\u002Fwp-json';\n\n    $http.post(apiHost + '\u002Fjwt-auth\u002Fv1\u002Ftoken', {\n      username: 'admin',\n      password: 'password'\n    })\n    .then(function(response) {\n      console.log(response.data)\n    })\n    .catch(function(error) {\n      console.error('Error', error.data[0]);\n    });\n  });\n})();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Success Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9qd3QuZGV2IiwiaWF0IjoxNDM4NTcxMDUwLCJuYmYiOjE0Mzg1NzEwNTAsImV4cCI6MTQzOTE3NTg1MCwiZGF0YSI6eyJ1c2VyIjp7ImlkIjoiMSJ9fX0.YNe6AyWW4B7ZwfFE5wJ0O6qQ8QFcYizimDmBy6hCH_8\",\n  \"user_display_name\": \"admin\",\n  \"user_email\": \"admin@localhost.dev\",\n  \"user_nicename\": \"admin\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Error Response From The Server\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_failed\",\n  \"data\": {\n    \"status\": 403\n  },\n  \"message\": \"Invalid Credentials.\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you must store it somewhere in your application, e.g., in a \u003Cstrong>cookie\u003C\u002Fstrong> or using \u003Cstrong>localStorage\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>From this point, you should pass this token with every API call.\u003C\u002Fp>\n\u003Cp>Sample Call Using The Authorization Header With AngularJS\u003C\u002Fp>\n\u003Cpre>\u003Ccode>app.config(function($httpProvider) {\n  $httpProvider.interceptors.push(['$q', '$location', '$cookies', function($q, $location, $cookies) {\n    return {\n      'request': function(config) {\n        config.headers = config.headers || {};\n        \u002F\u002F Assume that you store the token in a cookie\n        var globals = $cookies.getObject('globals') || {};\n        \u002F\u002F If the cookie has the CurrentUser and the token\n        \u002F\u002F add the Authorization header in each 
request\n        if (globals.currentUser && globals.currentUser.token) {\n          config.headers.Authorization = 'Bearer ' + globals.currentUser.token;\n        }\n        return config;\n      }\n    };\n  }]);\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin will intercept every call to the server and will look for the Authorization Header. If the Authorization header is present, it will try to decode the token and will set the user according to the data stored in it.\u003C\u002Fp>\n\u003Cp>If the token is valid, the API call flow will continue as normal.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fresource HTTP\u002F1.1\nHost: server.example.com\nAuthorization: Bearer mF_s9.B5f-4.1JqM\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>ERRORS\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error will be returned. Here are some sample errors:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Invalid Credentials\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_failed\",\n    \"message\": \"Invalid Credentials.\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Invalid Signature\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Expired Token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[\n  {\n    \"code\": \"jwt_auth_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n      \"status\": 403\n    }\n  }\n]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Need advanced error tracking?\u003C\u002Fstrong> \u003Ca 
href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=errors_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> offers enhanced error tracking and monitoring capabilities.\u003C\u002Fp>\n\u003Ch4>\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fh4>\n\u003Cp>This is a simple helper endpoint to validate a token. You only need to make a POST request with the Authorization header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Valid Token Response\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"jwt_auth_valid_token\",\n  \"data\": {\n    \"status\": 200\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>AVAILABLE HOOKS\u003C\u002Fh3>\n\u003Cp>The \u003Cstrong>wp-api-jwt-auth\u003C\u002Fstrong> plugin is developer-friendly and provides five filters to override the default settings.\u003C\u002Fp>\n\u003Ch4>jwt_auth_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_cors_allow_headers\u003C\u002Fstrong> filter allows you to modify the available headers when CORS support is enabled.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_not_before\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Creation time - time()\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_expire\u003C\u002Fstrong> filter allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" 
rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> value before the token is created.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + (DAY_IN_SECONDS * 7)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_token_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_sign\u003C\u002Fstrong> filter allows you to modify all token data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = array(\n    'iss' => get_bloginfo('url'),\n    'iat' => $issuedAt,\n    'nbf' => $notBefore,\n    'exp' => $expire,\n    'data' => array(\n        'user' => array(\n            'id' => $user->data->ID,\n        )\n    )\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Want easier customization?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=hook_payload_pro_note\" rel=\"nofollow ugc\">JWT Authentication PRO\u003C\u002Fa> allows you to add custom claims directly through the admin UI.\u003C\u002Fp>\n\u003Ch4>jwt_auth_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_token_before_dispatch\u003C\u002Fstrong> filter allows you to modify the response array before it is sent to the client.\u003C\u002Fp>\n\u003Cp>Default Value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = array(\n    'token' => $token,\n    'user_email' => $user->data->user_email,\n    'user_nicename' => $user->data->user_nicename,\n    'user_display_name' => $user->data->display_name,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>jwt_auth_algorithm\u003C\u002Fh4>\n\u003Cp>The \u003Cstrong>jwt_auth_algorithm\u003C\u002Fstrong> filter allows you to modify the signing algorithm.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$token = JWT::encode(\n    apply_filters('jwt_auth_token_before_sign', $token, $user),\n    
$secret_key,\n    apply_filters('jwt_auth_algorithm', 'HS256')\n);\n\n\u002F\u002F ...\n\n$token = JWT::decode(\n    $token,\n    new Key($secret_key, apply_filters('jwt_auth_algorithm', 'HS256'))\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>JWT Authentication PRO\u003C\u002Fh3>\n\u003Cp>Elevate your WordPress security and integration capabilities with \u003Cstrong>JWT Authentication PRO\u003C\u002Fstrong>. Building upon the solid foundation of the free version, the PRO version offers advanced features, enhanced security options, and a streamlined user experience:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration UI:\u003C\u002Fstrong> Manage all settings directly from the WordPress admin area.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Endpoint:\u003C\u002Fstrong> Allow users to refresh expired tokens seamlessly without requiring re-login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation Endpoint:\u003C\u002Fstrong> Immediately invalidate specific tokens for enhanced security control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Token Payload:\u003C\u002Fstrong> Add custom claims to your JWT payload to suit your specific application needs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular CORS Control:\u003C\u002Fstrong> Define allowed origins and headers with more precision directly in the settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Protect your endpoints from abuse with configurable rate limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Audit Logs:\u003C\u002Fstrong> Keep track of token generation, validation, and errors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support:\u003C\u002Fstrong> Get faster, dedicated support directly from the developer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fjwtauth.pro\u002F?utm_source=wp_plugin_readme&utm_medium=link&utm_campaign=pro_promotion&utm_content=pro_section_cta\" rel=\"nofollow ugc\">Upgrade to JWT 
Authentication PRO Today!\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Free vs. PRO Comparison\u003C\u002Fh3>\n\u003Cp>Here’s a quick look at the key differences:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic JWT Authentication:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Generation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Validation:\u003C\u002Fstrong> Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Refresh Mechanism:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Revocation:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Management Dashboard:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Analytics & Monitoring:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-IP Identification:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Documentation:\u003C\u002Fstrong> Basic (Free), Comprehensive (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Tools:\u003C\u002Fstrong> Not Included (Free), Included (PRO)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support:\u003C\u002Fstrong> Community via GitHub (Free), Priority Direct Support (PRO)\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens Authentication as an authentication 
method.",60000,906385,88,53,"2026-02-18T00:58:00.000Z","4.2","7.4.0",[146,22,147,108,148],"json-web-authentication","oauth","wp-api","https:\u002F\u002Fenriquechavez.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authentication-for-wp-rest-api.1.5.0.zip",{"slug":152,"name":153,"version":154,"author":155,"author_profile":156,"description":157,"short_description":158,"active_installs":159,"downloaded":160,"rating":140,"num_ratings":161,"last_updated":162,"tested_up_to":16,"requires_at_least":163,"requires_php":123,"tags":164,"homepage":169,"download_link":170,"security_score":171,"vuln_count":85,"unpatched_count":29,"last_vuln_date":172,"fetched_at":31},"wp-rest-api-authentication","JWT Authentication for WP REST APIs","4.3.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>\u003Cstrong>WordPress REST API endpoints\u003C\u002Fstrong> are \u003Cstrong>open and unsecured by default\u003C\u002Fstrong> which can be used to access your site data. 
Secure WordPress APIs from unauthorized users with our \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication\" rel=\"nofollow ugc\">JWT Authentication for WP REST APIs plugin\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Our plugin offers the following authentication methods to \u003Cstrong>Protect WP REST API endpoints\u003C\u002Fstrong>:\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n– External Token based Authentication 2.0\u002FOIDC\u002FJWT\u002F\u003Ca href=\"https:\u002F\u002Ffirebase.google.com\u002Fdocs\u002Fauth\u002Fadmin\u002Fcreate-custom-tokens\" rel=\"nofollow ugc\">Firebase\u003C\u002Fa> provider’s token authentication methods.\u003C\u002Fp>\n\u003Cp>You can authenticate default WordPress endpoints, custom-developed REST endpoints, and third-party plugin REST API endpoints such as those of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">Woocommerce\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.learndash.com\u002F\" rel=\"nofollow ugc\">Learndash\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" rel=\"ugc\">Buddypress\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.gravityforms.com\u002F\" 
rel=\"nofollow ugc\">Gravity Forms\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcart-rest-api-for-woocommerce\u002F\" rel=\"ugc\">CoCart\u003C\u002Fa>, etc.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FIsyKI7eEV-I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&start=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WP REST API Authentication Methods in our plugin\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-jwt-authentication-method#step_a1\" rel=\"nofollow ugc\">JWT Authentication\u003C\u002Fa>\u003Cbr \u002F>\nProvides an endpoint where you can pass the user credentials, and it will generate a JWT (JSON Web Token), which you can use to access the WordPress REST APIs accordingly.\u003Cbr \u002F>\nAdditionally, to maintain a seamless user experience without frequent logins needed due to token expiry, you can use our \u003Cem>Refresh and Revoke token\u003C\u002Fem> mechanisms feature.\u003Cbr \u002F>\nWhen the access token expires, instead of forcing the user to log in again, the client can request a new access token using a valid refresh token.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Frest-api-key-authentication-method#step_a\" rel=\"nofollow ugc\">API Key Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-basic-authentication-method\" rel=\"nofollow ugc\">Basic Authentication\u003C\u002Fa>:\u003Cbr \u002F>\n        – 1. 
\u003Cstrong>Username: Password\u003C\u002Fstrong>\u003Cbr \u002F>\n        – 2. \u003Cstrong>Client-ID: Client-Secret\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-oauth-2-0-authentication-method#step_a\" rel=\"nofollow ugc\">OAuth 2.0 Authentication\u003C\u002Fa>\u003Cbr \u002F>\n        – 1. \u003Cstrong>Password Grant\u003C\u002Fstrong>\u003Cbr \u002F>\n            – 2. \u003Cstrong>Client Credentials Grant\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-rest-api-authentication-using-third-party-provider#step_a\" rel=\"nofollow ugc\">Third Party Provider Authentication\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Following are some of the integrations that are possible with WP REST API Authentication:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Learndash API Authentication\u003C\u002Fli>\n\u003Cli>Custom Built REST API Endpoints Authentication\u003C\u002Fli>\n\u003Cli>BuddyPress API Authentication\u003C\u002Fli>\n\u003Cli>WooCommerce API Authentication\u003C\u002Fli>\n\u003Cli>Gravity Form API Authentication\u003C\u002Fli>\n\u003Cli>External\u002FThird-party plugin API endpoints integration in WordPress\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can also disable the WP REST APIs with our plugin so that no one can make API calls to your WordPress REST API endpoints. Our plugin also provides \u003Cstrong>Refresh and Revoke Token\u003C\u002Fstrong> that can be used to improve the API security.\u003C\u002Fp>\n\u003Ch3>Benefits of Refresh Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Enhances security by keeping access tokens short-lived.\u003C\u002Fli>\n\u003Cli>Improves user experience with uninterrupted sessions.\u003C\u002Fli>\n\u003Cli>Reduces login frequency.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits of Revoke Token\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Protects against token misuse if a device is lost or 
compromised.\u003C\u002Fli>\n\u003Cli>Enables admin-triggered logouts or session control.\u003C\u002Fli>\n\u003Cli>Useful for complying with stricter session policies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With this plugin, the user is allowed to access your site’s resources only after successful WP REST API authentication. JWT Authentication for WP REST APIs plugin will make your \u003Cstrong>WordPress endpoints secure from unauthorized access.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Plugin Feature List\u003C\u002Fh3>\n\u003Ch3>FREE PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate only default core WordPress REST API endpoints.\u003C\u002Fli>\n\u003Cli>Basic Authentication with username and password.\u003C\u002Fli>\n\u003Cli>JWT Authentication (JSON Web Token Authentication).\u003C\u002Fli>\n\u003Cli>Enable Selective API protection.\u003C\u002Fli>\n\u003Cli>Restrict non-logged-in users to access REST API endpoints.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>PREMIUM PLAN\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Authenticate all REST API endpoints (Default WP, Custom APIs, Third-Party plugins)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>JWT Token Authentication\u003C\u002Fstrong> (JSON Web Token Authentication)\u003C\u002Fli>\n\u003Cli>Login, Refresh and Revoke token endpoints for token management\u003C\u002Fli>\n\u003Cli>API Key Authentication\u003C\u002Fli>\n\u003Cli>Basic Authentication (username\u002Fpassword and email\u002Fpassword)\u003C\u002Fli>\n\u003Cli>OAuth 2.0 Authentication\u003C\u002Fli>\n\u003Cli>Universal API key and User-specific API key for authentication\u003C\u002Fli>\n\u003Cli>Selective API protection.\u003C\u002Fli>\n\u003Cli>Disable WP REST APIs\u003C\u002Fli>\n\u003Cli>Time-based token expiry\u003C\u002Fli>\n\u003Cli>Role-based WP REST API authentication\u003C\u002Fli>\n\u003Cli>Custom Header support rather than just \u003Cem>Authorization\u003C\u002Fem> to increase 
security.\u003C\u002Fli>\n\u003Cli>Create users in WordPress based on third-party provider access tokens (JWT tokens) authentication.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data.\u003C\u002Fp>\n","Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.",20000,494247,73,"2026-02-09T05:11:00.000Z","3.0.1",[165,166,167,108,168],"api-key","jwt-authentication","rest","secure-api","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rest-api-authentication.4.3.0.zip",98,"2025-04-16 00:00:00",{"slug":174,"name":175,"version":176,"author":177,"author_profile":178,"description":179,"short_description":180,"active_installs":181,"downloaded":182,"rating":29,"num_ratings":29,"last_updated":183,"tested_up_to":16,"requires_at_least":184,"requires_php":124,"tags":185,"homepage":189,"download_link":190,"security_score":13,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":31},"cocart-jwt-authentication","CoCart JWT Authentication","3.0.3","CoCart Headless","https:\u002F\u002Fprofiles.wordpress.org\u002Fcocartforwc\u002F","\u003Cp>This free add-on for \u003Ca href=\"https:\u002F\u002Fcocartapi.com\u002F?utm_medium=wp.org&utm_source=wordpressorg&utm_campaign=readme&utm_content=cocart\" rel=\"nofollow ugc\">CoCart\u003C\u002Fa> allows you to authenticate the Cart API via JSON Web Tokens as an authentication method.\u003C\u002Fp>\n\u003Cp>★★★★★\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>An excellent plugin, which makes building a headless WooCommerce experience a breeze. Easy to use, nearly zero setup time. 
\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Fexcellent-plugin-8062\u002F\" rel=\"ugc\">Harald Schneider\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication\u003C\u002Fstrong>: Implements the industry-standard \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa> for secure claims representation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Endpoints\u003C\u002Fstrong>: Offers clear endpoints for generating and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Secret Key\u003C\u002Fstrong>: Define your unique secret key via \u003Ccode>wp-config.php\u003C\u002Fcode> for secure token signing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple signing algorithms\u003C\u002Fstrong>: \u003Ccode>HS256\u003C\u002Fcode>, \u003Ccode>HS384\u003C\u002Fcode>, \u003Ccode>HS512\u003C\u002Fcode>, \u003Ccode>RS256\u003C\u002Fcode>, \u003Ccode>RS384\u003C\u002Fcode>, \u003Ccode>RS512\u003C\u002Fcode>, \u003Ccode>ES256\u003C\u002Fcode>, \u003Ccode>ES384\u003C\u002Fcode>, \u003Ccode>ES512\u003C\u002Fcode>, \u003Ccode>PS256\u003C\u002Fcode>, \u003Ccode>PS384\u003C\u002Fcode>, \u003Ccode>PS512\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting\u003C\u002Fstrong>: Controlled specifically for refreshing and validating tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Helpful Debugging\u003C\u002Fstrong>: Detailed logs of authentication issues to help figure out exactly what happened and fix it faster.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WP-CLI Commands\u003C\u002Fstrong>: Useful \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Fwp-cli.md\" rel=\"nofollow ugc\">commands to handle tokens\u003C\u002Fa> – whether you need to check, destroy or create new ones, or clean up 
old ones.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Hooks\u003C\u002Fstrong>: Provides \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Ffilters.md\" rel=\"nofollow ugc\">filters\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Fhooks.md\" rel=\"nofollow ugc\">hooks\u003C\u002Fa> for more configuration to your requirements.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.\u003C\u002Fp>\n\u003Cp>For more information, \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Fconcepts.md\" rel=\"nofollow ugc\">read the core concept\u003C\u002Fa> on what this plugin does and can do.\u003C\u002Fp>\n\u003Ch3>📄 Documentation\u003C\u002Fh3>\n\u003Cp>See documentation on how to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Fguide.md\" rel=\"nofollow ugc\">get setup\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Ffilters.md\" rel=\"nofollow ugc\">filters\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Fhooks.md\" rel=\"nofollow ugc\">hooks\u003C\u002Fa> with examples to help configure JWT Authentication to your needs.\u003C\u002Fp>\n\u003Cp>Once ready to use, see the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Fquick-start.md\" rel=\"nofollow ugc\">quick start guide\u003C\u002Fa>. 
There is also an \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\u002Fblob\u002Fmaster\u002Fdocs\u002Fadvanced-configuration.md\" rel=\"nofollow ugc\">advanced configuration\u003C\u002Fa> for using RSA Keys.\u003C\u002Fp>\n\u003Cp>★★★★★\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Amazing Plugin. I’m using it to create a react-native app with WooCommerce as back-end. This plugin is a life-saver! \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Ftopic\u002Famazing-plugin-1562\u002F\" rel=\"ugc\">Daniel Loureiro\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch4>👍 Add-ons to further enhance CoCart\u003C\u002Fh4>\n\u003Cp>We also have other add-ons that extend CoCart to enhance your headless store development.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcocart-cors\u002F\" rel=\"ugc\">CoCart – CORS\u003C\u002Fa>\u003C\u002Fstrong> enables support for CORS to allow CoCart to work across multiple domains.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcocart-rate-limiting\u002F\" rel=\"ugc\">CoCart – Rate Limiting\u003C\u002Fa>\u003C\u002Fstrong> enables the rate limiting feature.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These add-ons of course come with support too.\u003C\u002Fp>\n\u003Ch3>💜 Need Support?\u003C\u002Fh3>\n\u003Cp>We aim to provide regular support for the CoCart plugin via \u003Ca href=\"https:\u002F\u002Fcocartapi.com\u002Fcommunity\u002F?utm_medium=website&utm_source=wpplugindirectory&utm_campaign=readme&utm_content=readmelink\" rel=\"nofollow ugc\">our Discord community server\u003C\u002Fa>. 
Please understand that we do prioritize support for our \u003Ca href=\"https:\u002F\u002Fcocartapi.com\u002Fpricing\u002F?utm_medium=website&utm_source=wpplugindirectory&utm_campaign=readme&utm_content=readmelink\" rel=\"nofollow ugc\">paying customers\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>⌨️ Join our growing community\u003C\u002Fh3>\n\u003Cp>On Discord, we have a community of developers, WordPress agencies, and shop owners building the fastest and best headless WooCommerce stores with CoCart.\u003C\u002Fp>\n\u003Cp>Come and \u003Ca href=\"https:\u002F\u002Fcocartapi.com\u002Fcommunity\u002F?utm_medium=wp.org&utm_source=wordpressorg&utm_campaign=readme&utm_content=cocart\" rel=\"nofollow ugc\">join our community\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>🐞 Bug reports\u003C\u002Fh3>\n\u003Cp>Bug reports for CoCart JWT Authentication are welcomed in the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcocart-headless\u002Fcocart-jwt-authentication\" rel=\"nofollow ugc\">CoCart JWT Authentication repository on GitHub\u003C\u002Fa>. 
Please note that GitHub is not a support forum, and that issues that aren’t properly qualified as bugs will be closed.\u003C\u002Fp>\n\u003Ch3>More information\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fcocartapi.com\u002F?utm_medium=website&utm_source=wpplugindirectory&utm_campaign=readme&utm_content=readmelink\" rel=\"nofollow ugc\">Website\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fcocartapi.com\u002Fdocs\u002F?utm_medium=website&utm_source=wpplugindirectory&utm_campaign=readme&utm_content=readmelink\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Feepurl.com\u002FdKIYXE\" rel=\"nofollow ugc\">Subscribe to updates\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Like, Follow and Star on \u003Ca href=\"https:\u002F\u002Fwww.facebook.com\u002Fcocartforwc\u002F\" rel=\"nofollow ugc\">Facebook\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002Fcocartapi\" rel=\"nofollow ugc\">X\u002FTwitter\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.instagram.com\u002Fcocartheadless\u002F\" rel=\"nofollow ugc\">Instagram\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fco-cart\u002Fco-cart\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>💯 Credits\u003C\u002Fh4>\n\u003Cp>This plugin is developed and maintained by \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002Fsebd86\" rel=\"nofollow ugc\">Sébastien Dumont\u003C\u002Fa>.\u003Cbr \u002F>\nFounder of \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002Fcocartheadless\" rel=\"nofollow ugc\">CoCart Headless, LLC\u003C\u002Fa>.\u003C\u002Fp>\n","JWT Authentication for CoCart 
API.",200,9231,"2026-04-07T16:34:00.000Z","6.0",[186,187,22,108,188],"decoupled","headless","woocommerce","https:\u002F\u002Fcocartapi.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcocart-jwt-authentication.3.0.3.zip",{"attackSurface":192,"codeSignals":247,"taintFlows":903,"riskAssessment":938,"analyzedAt":955},{"hooks":193,"ajaxHandlers":235,"restRoutes":236,"shortcodes":237,"cronEvents":246,"entryPointCount":85,"unprotectedCount":29},[194,200,205,209,211,214,219,223,227,231],{"type":195,"name":196,"callback":197,"priority":13,"file":198,"line":199},"filter","rest_authentication_errors","closure","3rd-party\\force_login.php",7,{"type":201,"name":202,"callback":197,"file":203,"line":204},"action","init_graphql_request","3rd-party\\wp-graphql.php",11,{"type":201,"name":206,"callback":197,"file":207,"line":208},"rest_api_init","routes\\api.php",21,{"type":195,"name":196,"callback":197,"priority":29,"file":207,"line":210},65,{"type":201,"name":212,"callback":197,"priority":29,"file":207,"line":213},"rest_endpoints",107,{"type":201,"name":215,"callback":216,"file":217,"line":218},"admin_menu","simple_jwt_login_plugin_create_menu_entry","simple-jwt-login.php",24,{"type":201,"name":220,"callback":221,"file":217,"line":222},"plugins_loaded","simple_jwt_login_plugin_load_translations",25,{"type":201,"name":224,"callback":225,"file":217,"line":226},"login_head","simple_jwt_login_assets",158,{"type":201,"name":228,"callback":229,"file":217,"line":230},"login_message","simple_jwt_login_login_message",169,{"type":201,"name":232,"callback":233,"file":217,"line":234},"login_footer","simple_jwt_login_login_footer",196,[],[],[238,242],{"tag":239,"callback":240,"file":217,"line":241},"simple-jwt-login:request","simple_jwt_login_request_shortcode",57,{"tag":243,"callback":244,"file":217,"line":245},"simple-jwt-login-oauth","simple_jwt_login_oauth_shortcode",216,[],{"dangerousFunctions":248,"sqlUsage":249,"outputEscaping":251,"fileOperations":85,"externalRequests":1
11,"nonceChecks":111,"capabilityChecks":29,"bundledLibraries":902},[],{"prepared":29,"raw":29,"locations":250},[],{"escaped":252,"rawEcho":253,"locations":254},267,380,[255,259,262,264,266,268,270,272,274,276,278,280,282,283,285,287,289,291,293,295,297,299,301,303,305,308,310,312,314,316,318,320,322,324,325,326,328,330,332,334,336,338,340,342,345,346,348,349,351,353,355,357,358,360,362,364,366,367,368,370,372,374,376,378,379,381,383,385,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,454,456,458,460,463,465,466,468,469,471,472,474,476,478,480,481,483,484,486,487,488,490,492,494,496,498,500,502,504,506,508,509,511,513,515,516,518,519,520,521,522,523,525,527,529,530,532,534,536,538,539,541,543,545,547,548,549,551,553,555,557,558,560,563,565,566,568,569,570,572,573,575,577,578,580,581,583,584,586,587,589,590,592,594,596,598,600,601,603,605,607,608,610,612,614,615,617,619,621,623,625,627,629,631,633,634,636,637,638,640,642,643,644,645,647,649,651,653,655,657,658,660,662,663,664,665,666,668,669,671,673,674,676,677,679,681,682,684,686,688,689,691,693,694,696,697,699,701,703,705,706,708,709,711,713,714,716,717,719,721,723,725,727,729,731,732,734,736,737,739,741,742,743,745,747,749,751,753,754,756,758,760,762,764,765,767,768,769,771,772,774,776,778,780,781,783,785,786,787,789,790,791,792,794,795,796,797,798,800,802,804,805,807,808,809,811,812,813,814,816,817,819,820,821,822,823,825,826,828,830,832,834,836,838,840,842,843,845,847,848,850,851,853,854,856,858,860,861,862,863,864,865,867,869,871,873,875,876,877,878,879,880,881,882,883,884,885,886,887,888,890,891,893,895,897,898,899,900],{"file":256,"line":257,"context":258},"views\\applications\\google-form.php",30,"raw 
output",{"file":260,"line":261,"context":258},"views\\applications\\google.php",42,{"file":260,"line":263,"context":258},59,{"file":260,"line":265,"context":258},67,{"file":260,"line":267,"context":258},80,{"file":260,"line":269,"context":258},120,{"file":260,"line":271,"context":258},140,{"file":260,"line":273,"context":258},160,{"file":260,"line":275,"context":258},179,{"file":260,"line":277,"context":258},195,{"file":260,"line":279,"context":258},208,{"file":260,"line":281,"context":258},215,{"file":260,"line":245,"context":258},{"file":260,"line":284,"context":258},232,{"file":260,"line":286,"context":258},269,{"file":260,"line":288,"context":258},275,{"file":260,"line":290,"context":258},291,{"file":260,"line":292,"context":258},302,{"file":260,"line":294,"context":258},315,{"file":260,"line":296,"context":258},319,{"file":260,"line":298,"context":258},324,{"file":260,"line":300,"context":258},329,{"file":260,"line":302,"context":258},346,{"file":260,"line":304,"context":258},350,{"file":306,"line":307,"context":258},"views\\auth-codes-view.php",18,{"file":306,"line":309,"context":258},20,{"file":306,"line":311,"context":258},22,{"file":306,"line":313,"context":258},27,{"file":306,"line":315,"context":258},29,{"file":306,"line":317,"context":258},38,{"file":306,"line":319,"context":258},39,{"file":306,"line":321,"context":258},45,{"file":306,"line":323,"context":258},63,{"file":306,"line":210,"context":258},{"file":306,"line":161,"context":258},{"file":306,"line":327,"context":258},76,{"file":306,"line":329,"context":258},79,{"file":306,"line":331,"context":258},105,{"file":306,"line":333,"context":258},122,{"file":306,"line":335,"context":258},139,{"file":306,"line":337,"context":258},150,{"file":306,"line":339,"context":258},162,{"file":306,"line":341,"context":258},166,{"file":343,"line":344,"context":258},"views\\auth-view.php",19,{"file":343,"line":208,"context":258},{"file":343,"line":347,"context":258},33,{"file":343,"line":321,"context":258},{"file":343
,"line":350,"context":258},54,{"file":343,"line":352,"context":258},56,{"file":343,"line":354,"context":258},64,{"file":343,"line":356,"context":258},71,{"file":343,"line":267,"context":258},{"file":343,"line":359,"context":258},82,{"file":343,"line":361,"context":258},86,{"file":343,"line":363,"context":258},95,{"file":343,"line":365,"context":258},96,{"file":343,"line":86,"context":258},{"file":343,"line":171,"context":258},{"file":343,"line":369,"context":258},99,{"file":343,"line":371,"context":258},115,{"file":343,"line":373,"context":258},121,{"file":343,"line":375,"context":258},138,{"file":343,"line":377,"context":258},144,{"file":343,"line":273,"context":258},{"file":343,"line":380,"context":258},170,{"file":343,"line":382,"context":258},172,{"file":343,"line":384,"context":258},189,{"file":343,"line":181,"context":258},{"file":343,"line":387,"context":258},202,{"file":343,"line":389,"context":258},246,{"file":343,"line":391,"context":258},249,{"file":343,"line":393,"context":258},335,{"file":343,"line":395,"context":258},338,{"file":343,"line":397,"context":258},369,{"file":343,"line":399,"context":258},372,{"file":343,"line":401,"context":258},375,{"file":343,"line":403,"context":258},385,{"file":343,"line":405,"context":258},403,{"file":343,"line":407,"context":258},406,{"file":343,"line":409,"context":258},409,{"file":343,"line":411,"context":258},422,{"file":343,"line":413,"context":258},431,{"file":343,"line":415,"context":258},434,{"file":343,"line":417,"context":258},437,{"file":343,"line":419,"context":258},448,{"file":343,"line":421,"context":258},456,{"file":343,"line":423,"context":258},458,{"file":343,"line":425,"context":258},462,{"file":343,"line":427,"context":258},486,{"file":343,"line":429,"context":258},492,{"file":343,"line":431,"context":258},506,{"file":343,"line":433,"context":258},508,{"file":343,"line":435,"context":258},512,{"file":343,"line":437,"context":258},537,{"file":343,"line":439,"context":258},543,{"file":343,"line":441,"c
ontext":258},556,{"file":343,"line":443,"context":258},558,{"file":343,"line":445,"context":258},562,{"file":343,"line":447,"context":258},580,{"file":343,"line":449,"context":258},586,{"file":343,"line":451,"context":258},601,{"file":343,"line":453,"context":258},608,{"file":343,"line":455,"context":258},613,{"file":343,"line":457,"context":258},615,{"file":343,"line":459,"context":258},617,{"file":461,"line":462,"context":258},"views\\cors-view.php",15,{"file":461,"line":464,"context":258},17,{"file":461,"line":222,"context":258},{"file":461,"line":467,"context":258},36,{"file":461,"line":321,"context":258},{"file":461,"line":470,"context":258},47,{"file":461,"line":354,"context":258},{"file":461,"line":473,"context":258},83,{"file":461,"line":475,"context":258},101,{"file":477,"line":307,"context":258},"views\\dashboard-view.php",{"file":477,"line":479,"context":258},28,{"file":477,"line":347,"context":258},{"file":477,"line":482,"context":258},58,{"file":477,"line":323,"context":258},{"file":477,"line":485,"context":258},89,{"file":477,"line":27,"context":258},{"file":477,"line":269,"context":258},{"file":477,"line":489,"context":258},125,{"file":477,"line":491,"context":258},152,{"file":477,"line":493,"context":258},157,{"file":477,"line":495,"context":258},185,{"file":477,"line":497,"context":258},190,{"file":477,"line":499,"context":258},219,{"file":477,"line":501,"context":258},224,{"file":477,"line":503,"context":258},238,{"file":477,"line":505,"context":258},248,{"file":477,"line":507,"context":258},253,{"file":477,"line":252,"context":258},{"file":477,"line":510,"context":258},279,{"file":477,"line":512,"context":258},284,{"file":514,"line":208,"context":258},"views\\delete-view.php",{"file":514,"line":218,"context":258},{"file":514,"line":517,"context":258},32,{"file":514,"line":321,"context":258},{"file":514,"line":350,"context":258},{"file":514,"line":356,"context":258},{"file":514,"line":88,"context":258},{"file":514,"line":485,"context":258},{"file":
514,"line":524,"context":258},91,{"file":514,"line":526,"context":258},102,{"file":514,"line":528,"context":258},112,{"file":514,"line":333,"context":258},{"file":514,"line":531,"context":258},145,{"file":514,"line":533,"context":258},148,{"file":514,"line":535,"context":258},154,{"file":514,"line":537,"context":258},163,{"file":514,"line":380,"context":258},{"file":514,"line":540,"context":258},178,{"file":514,"line":542,"context":258},184,{"file":514,"line":544,"context":258},194,{"file":514,"line":546,"context":258},198,{"file":514,"line":181,"context":258},{"file":514,"line":387,"context":258},{"file":514,"line":550,"context":258},204,{"file":514,"line":552,"context":258},212,{"file":514,"line":554,"context":258},217,{"file":514,"line":556,"context":258},222,{"file":514,"line":501,"context":258},{"file":514,"line":559,"context":258},226,{"file":561,"line":562,"context":258},"views\\general-view.php",31,{"file":561,"line":564,"context":258},34,{"file":561,"line":261,"context":258},{"file":561,"line":567,"context":258},52,{"file":561,"line":323,"context":258},{"file":561,"line":265,"context":258},{"file":561,"line":571,"context":258},81,{"file":561,"line":363,"context":258},{"file":561,"line":574,"context":258},108,{"file":561,"line":576,"context":258},111,{"file":561,"line":269,"context":258},{"file":561,"line":579,"context":258},155,{"file":561,"line":226,"context":258},{"file":561,"line":582,"context":258},165,{"file":561,"line":382,"context":258},{"file":561,"line":585,"context":258},181,{"file":561,"line":181,"context":258},{"file":561,"line":588,"context":258},225,{"file":561,"line":559,"context":258},{"file":561,"line":591,"context":258},257,{"file":561,"line":593,"context":258},260,{"file":561,"line":595,"context":258},276,{"file":561,"line":597,"context":258},287,{"file":561,"line":599,"context":258},294,{"file":561,"line":99,"context":258},{"file":561,"line":602,"context":258},325,{"file":561,"line":604,"context":258},334,{"file":561,"line":606,"context"
:258},366,{"file":561,"line":401,"context":258},{"file":561,"line":609,"context":258},393,{"file":561,"line":611,"context":258},407,{"file":561,"line":613,"context":258},416,{"file":561,"line":411,"context":258},{"file":561,"line":616,"context":258},429,{"file":561,"line":618,"context":258},450,{"file":561,"line":620,"context":258},454,{"file":561,"line":622,"context":258},475,{"file":561,"line":624,"context":258},482,{"file":561,"line":626,"context":258},496,{"file":561,"line":628,"context":258},509,{"file":561,"line":630,"context":258},513,{"file":632,"line":309,"context":258},"views\\hooks-view.php",{"file":632,"line":311,"context":258},{"file":632,"line":635,"context":258},26,{"file":632,"line":319,"context":258},{"file":632,"line":261,"context":258},{"file":632,"line":639,"context":258},43,{"file":632,"line":641,"context":258},44,{"file":632,"line":321,"context":258},{"file":632,"line":14,"context":258},{"file":632,"line":361,"context":258},{"file":646,"line":337,"context":258},"views\\layout.php",{"file":646,"line":648,"context":258},153,{"file":646,"line":650,"context":258},245,{"file":646,"line":652,"context":258},268,{"file":646,"line":654,"context":258},274,{"file":646,"line":656,"context":258},283,{"file":646,"line":290,"context":258},{"file":659,"line":309,"context":258},"views\\login-view.php",{"file":659,"line":661,"context":258},23,{"file":659,"line":257,"context":258},{"file":659,"line":467,"context":258},{"file":659,"line":14,"context":258},{"file":659,"line":323,"context":258},{"file":659,"line":667,"context":258},70,{"file":659,"line":473,"context":258},{"file":659,"line":670,"context":258},85,{"file":659,"line":672,"context":258},93,{"file":659,"line":13,"context":258},{"file":659,"line":675,"context":258},119,{"file":659,"line":333,"context":258},{"file":659,"line":678,"context":258},129,{"file":659,"line":680,"context":258},137,{"file":659,"line":377,"context":258},{"file":659,"line":683,"context":258},151,{"file":659,"line":685,"context":258},
156,{"file":659,"line":687,"context":258},168,{"file":659,"line":382,"context":258},{"file":659,"line":690,"context":258},174,{"file":659,"line":692,"context":258},176,{"file":659,"line":544,"context":258},{"file":659,"line":695,"context":258},197,{"file":659,"line":279,"context":258},{"file":659,"line":698,"context":258},218,{"file":659,"line":700,"context":258},229,{"file":659,"line":702,"context":258},239,{"file":659,"line":704,"context":258},242,{"file":659,"line":591,"context":258},{"file":659,"line":707,"context":258},263,{"file":659,"line":652,"context":258},{"file":659,"line":710,"context":258},270,{"file":659,"line":712,"context":258},280,{"file":659,"line":656,"context":258},{"file":659,"line":715,"context":258},295,{"file":659,"line":292,"context":258},{"file":659,"line":718,"context":258},309,{"file":659,"line":720,"context":258},318,{"file":659,"line":722,"context":258},321,{"file":659,"line":724,"context":258},323,{"file":659,"line":726,"context":258},340,{"file":659,"line":728,"context":258},351,{"file":659,"line":730,"context":258},363,{"file":659,"line":606,"context":258},{"file":659,"line":733,"context":258},367,{"file":659,"line":735,"context":258},368,{"file":659,"line":397,"context":258},{"file":659,"line":738,"context":258},370,{"file":659,"line":740,"context":258},371,{"file":659,"line":399,"context":258},{"file":659,"line":401,"context":258},{"file":659,"line":744,"context":258},386,{"file":659,"line":746,"context":258},391,{"file":659,"line":748,"context":258},396,{"file":659,"line":750,"context":258},398,{"file":659,"line":752,"context":258},400,{"file":659,"line":409,"context":258},{"file":659,"line":755,"context":258},412,{"file":659,"line":757,"context":258},417,{"file":659,"line":759,"context":258},419,{"file":659,"line":761,"context":258},421,{"file":763,"line":639,"context":258},"views\\protect-endpoints-view.php",{"file":763,"line":321,"context":258},{"file":763,"line":766,"context":258},74,{"file":763,"line":329,"context":258},{"fil
e":763,"line":365,"context":258},{"file":763,"line":770,"context":258},109,{"file":763,"line":489,"context":258},{"file":763,"line":773,"context":258},131,{"file":763,"line":775,"context":258},161,{"file":763,"line":777,"context":258},171,{"file":763,"line":779,"context":258},182,{"file":763,"line":495,"context":258},{"file":763,"line":782,"context":258},192,{"file":763,"line":784,"context":258},209,{"file":763,"line":552,"context":258},{"file":763,"line":499,"context":258},{"file":788,"line":309,"context":258},"views\\register-view.php",{"file":788,"line":311,"context":258},{"file":788,"line":347,"context":258},{"file":788,"line":321,"context":258},{"file":788,"line":793,"context":258},55,{"file":788,"line":161,"context":258},{"file":788,"line":473,"context":258},{"file":788,"line":670,"context":258},{"file":788,"line":365,"context":258},{"file":788,"line":799,"context":258},106,{"file":788,"line":801,"context":258},114,{"file":788,"line":803,"context":258},141,{"file":788,"line":377,"context":258},{"file":788,"line":806,"context":258},147,{"file":788,"line":683,"context":258},{"file":788,"line":685,"context":258},{"file":788,"line":810,"context":258},187,{"file":788,"line":497,"context":258},{"file":788,"line":695,"context":258},{"file":788,"line":387,"context":258},{"file":788,"line":815,"context":258},214,{"file":788,"line":499,"context":258},{"file":788,"line":818,"context":258},243,{"file":788,"line":505,"context":258},{"file":788,"line":707,"context":258},{"file":788,"line":652,"context":258},{"file":788,"line":656,"context":258},{"file":788,"line":824,"context":258},289,{"file":788,"line":599,"context":258},{"file":788,"line":827,"context":258},296,{"file":788,"line":829,"context":258},298,{"file":788,"line":831,"context":258},308,{"file":788,"line":833,"context":258},317,{"file":788,"line":835,"context":258},320,{"file":788,"line":837,"context":258},326,{"file":788,"line":839,"context":258},328,{"file":788,"line":841,"context":258},336,{"file":788,"line":39
5,"context":258},{"file":788,"line":844,"context":258},348,{"file":788,"line":846,"context":258},356,{"file":788,"line":730,"context":258},{"file":788,"line":849,"context":258},365,{"file":788,"line":738,"context":258},{"file":852,"line":208,"context":258},"views\\reset-password-view.php",{"file":852,"line":218,"context":258},{"file":852,"line":855,"context":258},37,{"file":852,"line":857,"context":258},51,{"file":852,"line":859,"context":258},62,{"file":852,"line":210,"context":258},{"file":852,"line":327,"context":258},{"file":852,"line":361,"context":258},{"file":852,"line":86,"context":258},{"file":852,"line":369,"context":258},{"file":852,"line":866,"context":258},103,{"file":852,"line":868,"context":258},110,{"file":852,"line":870,"context":258},113,{"file":852,"line":872,"context":258},117,{"file":852,"line":874,"context":258},143,{"file":852,"line":648,"context":258},{"file":852,"line":685,"context":258},{"file":852,"line":692,"context":258},{"file":852,"line":181,"context":258},{"file":852,"line":501,"context":258},{"file":852,"line":503,"context":258},{"file":852,"line":818,"context":258},{"file":852,"line":286,"context":258},{"file":852,"line":824,"context":258},{"file":852,"line":827,"context":258},{"file":852,"line":720,"context":258},{"file":852,"line":835,"context":258},{"file":852,"line":298,"context":258},{"file":852,"line":889,"context":258},332,{"file":852,"line":393,"context":258},{"file":852,"line":892,"context":258},339,{"file":852,"line":894,"context":258},343,{"file":852,"line":896,"context":258},347,{"file":852,"line":401,"context":258},{"file":852,"line":403,"context":258},{"file":852,"line":609,"context":258},{"file":852,"line":901,"context":258},397,[],[904,921,929],{"entryPoint":905,"graph":906,"unsanitizedCount":29,"severity":920},"simple_jwt_login_login_message 
(simple-jwt-login.php:175)",{"nodes":907,"edges":917},[908,912],{"id":909,"type":910,"label":911,"file":217,"line":497},"n0","source","$_REQUEST['error']",{"id":913,"type":914,"label":915,"file":217,"line":497,"wp_function":916},"n1","sink","echo() [XSS]","echo",[918],{"from":909,"to":913,"sanitized":919},true,"low",{"entryPoint":922,"graph":923,"unsanitizedCount":29,"severity":920},"\u003Csimple-jwt-login> (simple-jwt-login.php:0)",{"nodes":924,"edges":927},[925,926],{"id":909,"type":910,"label":911,"file":217,"line":497},{"id":913,"type":914,"label":915,"file":217,"line":497,"wp_function":916},[928],{"from":909,"to":913,"sanitized":919},{"entryPoint":930,"graph":931,"unsanitizedCount":29,"severity":920},"\u003Clayout> (views\\layout.php:0)",{"nodes":932,"edges":936},[933,935],{"id":909,"type":910,"label":934,"file":646,"line":801},"$_POST",{"id":913,"type":914,"label":915,"file":646,"line":675,"wp_function":916},[937],{"from":909,"to":913,"sanitized":919},{"summary":939,"deductions":940},"The plugin 'simple-jwt-login' v3.6.5 exhibits a mixed security posture. While it demonstrates good practices in areas like the absence of directly exploitable entry points (no unprotected AJAX or REST API routes) and the exclusive use of prepared statements for SQL queries, significant concerns remain.  The static analysis reveals a moderate level of output escaping issues, with only 41% of outputs being properly escaped, indicating a potential for cross-site scripting vulnerabilities. The presence of file operations and external HTTP requests, though not inherently insecure, adds to the potential attack surface that requires careful scrutiny.\n\nThe vulnerability history is a substantial red flag. With three known CVEs, including one that is currently unpatched, and a history of high and medium severity vulnerabilities such as Cross-Site Scripting, CSRF, and Inadequate Encryption Strength, there's a clear pattern of past security weaknesses. 
The recent unpatched vulnerability from September 2025 is particularly concerning, as it suggests ongoing risks that have not been addressed. The absence of any critical severity taint flows is positive, but it does not negate the risks posed by the historical vulnerabilities and the identified output escaping issues.\n\nIn conclusion, while 'simple-jwt-login' has some positive security attributes, the unpatched vulnerability and the history of significant security flaws strongly suggest a plugin that has struggled with consistent security maintenance. Users should exercise extreme caution and prioritize updating to a version that addresses the outstanding CVE. The output escaping issues also warrant attention from the developers to mitigate potential XSS risks.",[941,943,946,949,951,953],{"reason":942,"points":309},"Currently unpatched CVE",{"reason":944,"points":945},"High severity vulnerabilities in history",10,{"reason":947,"points":948},"Medium severity vulnerabilities in history",5,{"reason":950,"points":101},"Moderate output escaping issues",{"reason":952,"points":28},"External HTTP requests",{"reason":954,"points":28},"File 
operations","2026-03-16T18:10:19.756Z",{"wat":957,"direct":972},{"assetPaths":958,"generatorPatterns":965,"scriptPaths":966,"versionParams":967},[959,960,961,962,963,964],"\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login\u002Fvendor\u002Fbootstrap\u002Fbootstrap.min.css","\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login\u002Fvendor\u002Fbootstrap\u002Fbootstrap.min.js","\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login\u002Fjs\u002Fscripts.js","\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login\u002Fimages\u002Fsimple-jwt-login-16x16.png","\u002Fwp-content\u002Fplugins\u002Fsimple-jwt-login\u002Fcss\u002Flogin.css",[],[961,962],[968,969,970,971],"simple-jwt-login\u002Fvendor\u002Fbootstrap\u002Fbootstrap.min.css?ver=","simple-jwt-login\u002Fcss\u002Fstyle.css?ver=","simple-jwt-login\u002Fvendor\u002Fbootstrap\u002Fbootstrap.min.js?ver=","simple-jwt-login\u002Fjs\u002Fscripts.js?ver=",{"cssClasses":973,"htmlComments":976,"htmlAttributes":978,"restEndpoints":980,"jsGlobals":981,"shortcodeOutput":982},[974,975],"simple-jwt-login-oauth-code","simple-jwt-login-auth-btn",[977],"\u003C!-- GOOGLE -->",[979],"data-provider",[],[],[983,984],"[simple-jwt-login:request]","[simple-jwt-login-oauth]",{"error":919,"url":986,"statusCode":987,"statusMessage":988,"message":988},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fsimple-jwt-login\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":344,"versions":990},[991,996,1004,1012,1020,1028,1036,1044,1052,1060,1068,1076,1084,1092,1100,1108,1116,1124,1132],{"version":6,"download_url":26,"svn_tag_url":992,"released_at":39,"has_diff":50,"diff_files_changed":993,"diff_lines":39,"trac_diff_url":994,"vulnerabilities":995,"is_current":919},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.6.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.6.4&new_path=%2Fsimple-jwt-login%2Ftags%2F3.6.5",[],{"version":997,"download_url":998,"svn_tag_url":999,"released_at":39,"has_diff":50,"diff_files_changed":1000,"diff_lines":39,"trac_diff_url":1001,"vulnerabilities":1002,"is_current":50},"3.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.6.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.6.3&new_path=%2Fsimple-jwt-login%2Ftags%2F3.6.4",[1003],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1005,"download_url":1006,"svn_tag_url":1007,"released_at":39,"has_diff":50,"diff_files_changed":1008,"diff_lines":39,"trac_diff_url":1009,"vulnerabilities":1010,"is_current":50},"3.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.6.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.6.2&new_path=%2Fsimple-jwt-login%2Ftags%2F3.6.3",[1011],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1013,"download_url":1014,"svn_tag_url":1015,"released_at":39,"has_diff":50,"diff_files_changed":1016,"diff_
lines":39,"trac_diff_url":1017,"vulnerabilities":1018,"is_current":50},"3.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.6.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.6.1&new_path=%2Fsimple-jwt-login%2Ftags%2F3.6.2",[1019],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1021,"download_url":1022,"svn_tag_url":1023,"released_at":39,"has_diff":50,"diff_files_changed":1024,"diff_lines":39,"trac_diff_url":1025,"vulnerabilities":1026,"is_current":50},"3.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.6.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.6.0&new_path=%2Fsimple-jwt-login%2Ftags%2F3.6.1",[1027],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1029,"download_url":1030,"svn_tag_url":1031,"released_at":39,"has_diff":50,"diff_files_changed":1032,"diff_lines":39,"trac_diff_url":1033,"vulnerabilities":1034,"is_current":50},"3.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.6.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.8&new_path=%2Fsimple-jwt-login%2Ftags%2F3.6.0",[1035],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1037,"download_url":1038,"svn_tag_url":1039,"released_at":39,"has_diff":50,"diff_files_changed":1040,"diff_lines":39,"trac_diff_url":1041,"vulnerabilities":1042,"is_current":50},
"3.5.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.8.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.8\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.7&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.8",[1043],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1045,"download_url":1046,"svn_tag_url":1047,"released_at":39,"has_diff":50,"diff_files_changed":1048,"diff_lines":39,"trac_diff_url":1049,"vulnerabilities":1050,"is_current":50},"3.5.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.7.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.7\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.6&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.7",[1051],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1053,"download_url":1054,"svn_tag_url":1055,"released_at":39,"has_diff":50,"diff_files_changed":1056,"diff_lines":39,"trac_diff_url":1057,"vulnerabilities":1058,"is_current":50},"3.5.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.6.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.6\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.5&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.6",[1059],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1061,"download_url":1062,"svn_tag_url":1063,"released_at":39,"has_diff":50,"diff_files_changed":1064,"diff_lines":39,"trac_diff_url":1065,"vulnerabilities":1066,"is_current":50},"3.5.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsim
ple-jwt-login.3.5.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.4&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.5",[1067],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1069,"download_url":1070,"svn_tag_url":1071,"released_at":39,"has_diff":50,"diff_files_changed":1072,"diff_lines":39,"trac_diff_url":1073,"vulnerabilities":1074,"is_current":50},"3.5.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.3&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.4",[1075],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1077,"download_url":1078,"svn_tag_url":1079,"released_at":39,"has_diff":50,"diff_files_changed":1080,"diff_lines":39,"trac_diff_url":1081,"vulnerabilities":1082,"is_current":50},"3.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.2&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.3",[1083],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1085,"download_url":1086,"svn_tag_url":1087,"released_at":39,"has_diff":50,"diff_files_changed":1088,"diff_lines":39,"trac_diff_url":1089,"vulnerabilities":1090,"is_current":50},"3.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u
002Fsimple-jwt-login\u002Ftags\u002F3.5.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.1&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.2",[1091],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1093,"download_url":1094,"svn_tag_url":1095,"released_at":39,"has_diff":50,"diff_files_changed":1096,"diff_lines":39,"trac_diff_url":1097,"vulnerabilities":1098,"is_current":50},"3.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.5.0&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.1",[1099],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1101,"download_url":1102,"svn_tag_url":1103,"released_at":39,"has_diff":50,"diff_files_changed":1104,"diff_lines":39,"trac_diff_url":1105,"vulnerabilities":1106,"is_current":50},"3.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.5.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.5.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.4.9&new_path=%2Fsimple-jwt-login%2Ftags%2F3.5.0",[1107],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1109,"download_url":1110,"svn_tag_url":1111,"released_at":39,"has_diff":50,"diff_files_changed":1112,"diff_lines":39,"trac_diff_url":1113,"vulnerabilities":1114,"is_current":50},"3.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.4.9.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.4.9\u002F",[],"https:\u002F\u002F
plugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.4.8&new_path=%2Fsimple-jwt-login%2Ftags%2F3.4.9",[1115],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1117,"download_url":1118,"svn_tag_url":1119,"released_at":39,"has_diff":50,"diff_files_changed":1120,"diff_lines":39,"trac_diff_url":1121,"vulnerabilities":1122,"is_current":50},"3.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.4.8.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.4.8\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.4.7&new_path=%2Fsimple-jwt-login%2Ftags%2F3.4.8",[1123],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1125,"download_url":1126,"svn_tag_url":1127,"released_at":39,"has_diff":50,"diff_files_changed":1128,"diff_lines":39,"trac_diff_url":1129,"vulnerabilities":1130,"is_current":50},"3.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.4.7.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.4.7\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fsimple-jwt-login%2Ftags%2F3.4.6&new_path=%2Fsimple-jwt-login%2Ftags%2F3.4.7",[1131],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":1133,"download_url":1134,"svn_tag_url":1135,"released_at":39,"has_diff":50,"diff_files_changed":1136,"diff_lines":39,"trac_diff_url":39,"vulnerabilities":1137,"is_current":50},"3.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.4.6.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsimple-jwt-login\u002Ftags\u002F3.4.6\u002F",[],[1138],{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patch
ed_in_version":6}]