[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNi1MDbFnQKGmulIjGV6D5gUavNQj5DGvOKRxH79Wwa8":3,"$fTFYEMp7OZgbf0GhDlQKmXvp5mbCo3bFG8-FynwzfPCc":196,"$fqSzriTWXmb49w2vD61ihp0yA-OOWWi0tHE3SkoWtdTI":201},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":22,"download_link":23,"security_score":24,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":26,"discovery_status":27,"vulnerabilities":28,"developer":29,"crawl_stats":25,"alternatives":36,"analysis":134,"fingerprints":174},"site-grid-connector","Site Grid Connector","7.0","Hibiscus Technolab","https:\u002F\u002Fprofiles.wordpress.org\u002Fhibiscustechnolab\u002F","\u003Cp>Site Grid Connector securely connects your WordPress site with the Site Grid platform, allowing centralized monitoring, updates, and synchronization.Manage multiple WordPress sites through a single dashboard\u003C\u002Fp>\n\u003Cp>The plugin provides the following core features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Secure REST API endpoints for site communication\u003C\u002Fli>\n\u003Cli>Plugin, theme, and WordPress core update management\u003C\u002Fli>\n\u003Cli>Site status and health reporting\u003C\u002Fli>\n\u003Cli>Full site synchronization for updates\u003C\u002Fli>\n\u003Cli>Token-based authentication for secure access\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>After installation, the plugin automatically registers REST API endpoints that allow authorized systems to retrieve site data and perform updates securely.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>Once connected, Site Grid can:\u003Cbr \u002F>\n– Fetch plugin, theme, and core status\u003Cbr \u002F>\n– Perform authorized updates\u003Cbr \u002F>\n– Sync site data securely\u003C\u002Fp>\n\u003Ch3>Short Description\u003C\u002Fh3>\n\u003Cp>The WP 
Site Grid Connector plugin is designed to securely link your WordPress installation with wpsitegrid.com\u003C\u002Fp>\n","The Site Grid Connector plugin is designed to securely link your WordPress installation with wpsitegrid.com. Manage multiple Wordpress sites through a &hellip;",0,92,"2026-03-20T15:26:00.000Z","6.9.4","5.8","",[18,19,20,21],"api","managewp","token","wpsitegrid","https:\u002F\u002Fwpsitegrid.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsite-grid-connector.7.0.zip",100,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":30,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":32,"avg_security_score":24,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"hibiscustechnolab",3,10,30,94,"2026-05-20T04:50:01.024Z",[37,59,80,102,118],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":24,"num_ratings":47,"last_updated":48,"tested_up_to":14,"requires_at_least":49,"requires_php":50,"tags":51,"homepage":56,"download_link":57,"security_score":34,"vuln_count":31,"unpatched_count":11,"last_vuln_date":58,"fetched_at":26},"simple-jwt-login","Simple JWT Login – Allows you to use JWT on REST endpoints.","3.6.5","Nicu Micle","https:\u002F\u002Fprofiles.wordpress.org\u002Fnicu_m\u002F","\u003Cp>Simple JWT Login is a \u003Cstrong>FREE\u003C\u002Fstrong> WordPress plugin that enables secure authentication for your WordPress REST API using \u003Cstrong>JSON Web Tokens\u003C\u002Fstrong> (JWT).\u003C\u002Fp>\n\u003Cp>With this powerful plugin, you can:\u003Cbr \u002F>\n– Log in, register, and authenticate users effortlessly\u003Cbr \u002F>\n– Connect mobile apps, external websites, or third-party services to WordPress with ease\u003Cbr \u002F>\n– Change or delete user passwords securely\u003C\u002Fp>\n\u003Cp>Whether you’re building a headless WordPress setup or integrating with external platforms, Simple JWT Login provides a 
fast, secure, and reliable authentication solution.\u003C\u002Fp>\n\u003Cp>You can read more on our plugin documentation website \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Some awesome features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Auto-login using JWT and AUTH_KEY\u003C\u002Fli>\n\u003Cli>Register new users via API\u003C\u002Fli>\n\u003Cli>Delete WordPress users based on a JWT\u003C\u002Fli>\n\u003Cli>Reset user password\u003C\u002Fli>\n\u003Cli>Allow auto-login \u002F register \u002F delete users only from specific IP addresses\u003C\u002Fli>\n\u003Cli>Allow register users only from a specific domain name\u003C\u002Fli>\n\u003Cli>API Route for generating new JWT\u003C\u002Fli>\n\u003Cli>Get JWT from URL, SESSION, COOKIE or HEADER\u003C\u002Fli>\n\u003Cli>Pass request parameters to login URL\u003C\u002Fli>\n\u003Cli>CORS settings for plugin Routes\u003C\u002Fli>\n\u003Cli>Hooks\u003C\u002Fli>\n\u003Cli>JWT Authentication\u003C\u002Fli>\n\u003Cli>Allow access private endpoints with JWT\u003C\u002Fli>\n\u003Cli>Protect endpoints with JWT\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google OAuth Integration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google JWT on all endpoints\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-graphql\u002F\" rel=\"ugc\">WPGraphQL\u003C\u002Fa> integration\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check the plugin \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">website\u003C\u002Fa> for more features.\u003C\u002Fp>\n\u003Ch3>Login User\u003C\u002Fh3>\n\u003Cp>This plugin is customizable and offers you multiple methods to log in to you website, based on multiple scenarios.\u003C\u002Fp>\n\u003Cp>In order to login, users have to send JWT. 
The plugin, validates the JWT, and if everything is OK, it can extract the WordPress email address or user ID.\u003Cbr \u002F>\nUsers can specify the exact key of the JWT payload where this information can be found.\u003C\u002Fp>\n\u003Cp>Here are the methods how you can send the JWT in order to auto-login:\u003C\u002Fp>\n\u003Col>\n\u003Cli>URL\u003C\u002Fli>\n\u003Cli>Header\u003C\u002Fli>\n\u003Cli>Cookie\u003C\u002Fli>\n\u003Cli>Session\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If the JWT is present in multiple places ( like URL and Header), the JWT will be overwritten.\u003C\u002Fp>\n\u003Cp>This plugin supports multiple JWT Decryption algorithms, like: HS256, HS512, HS384, RS256,RS384 and RS512.\u003C\u002Fp>\n\u003Cp>After the user is logged in you can automatically redirect the user to a page like:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Dashboard\u003C\u002Fli>\n\u003Cli>Homepage\u003C\u002Fli>\n\u003Cli>or any other custom Page ( this is mainly used for redirecting users to a landing page)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can attach to your redirect a URL parameter \u003Ccode>redirectUrl\u003C\u002Fcode> that will be used for redirect instead of the defined ones.\u003Cbr \u002F>\nIn order to use this, you have to enable it by checking the option \u003Ccode>Allow redirect to a specific URL\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Also, redirect after login offers some variables that you can use in the customURL and redirectUrl.\u003Cbr \u002F>\nHere are the variables which you can use in your URL:\u003Cbr \u002F>\n– \u003Ccode>{{site_url}}\u003C\u002Fcode> : Site URL\u003Cbr \u002F>\n– \u003Ccode>{{user_id}}\u003C\u002Fcode> : Logged in user ID\u003Cbr \u002F>\n– \u003Ccode>{{user_email}}\u003C\u002Fcode> : Logged in user email\u003Cbr \u002F>\n– \u003Ccode>{{user_login}}\u003C\u002Fcode> : Logged in username\u003Cbr \u002F>\n– \u003Ccode>{{user_first_name}}\u003C\u002Fcode> : User first name\u003Cbr \u002F>\n– 
\u003Ccode>{{user_last_name}}\u003C\u002Fcode> : User last name\u003Cbr \u002F>\n– \u003Ccode>{{user_nicename}}\u003C\u002Fcode> : User nice name\u003C\u002Fp>\n\u003Cp>You can generate dynamic URLs with these variables, and, before the redirect, the specific value will be replaced.\u003C\u002Fp>\n\u003Cp>Here is an example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>http:\u002F\u002Fyourdomain.com?param1={{user_id}}&param2={{user_login}}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, this plugin allows you to limit the auto-login based on the client IP address.\u003Cbr \u002F>\nIf you are concerned about security, you can limit the auto-login only from some IP addresses.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fautologin\u002F\" rel=\"nofollow ugc\">Read more\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Register Users\u003C\u002Fh3>\n\u003Cp>This plugin also allows you to create WordPress users.\u003C\u002Fp>\n\u003Cp>This option is disabled by default, but you can enable it at any time.\u003C\u002Fp>\n\u003Cp>In order to create users, you just have to make a POST request to the route URL, and send an \u003Cem>email\u003C\u002Fem> and a \u003Cem>password\u003C\u002Fem> as parameter and the new user will be created.\u003C\u002Fp>\n\u003Cp>You can select the type for the new users: editor, author, contributor, subscriber, etc.\u003C\u002Fp>\n\u003Cp>Also, you can limit the user creating only for specific IP addresses, or  specific email domains.\u003C\u002Fp>\n\u003Cp>Another cool option is “Generate a random password when a new user is created”.\u003Cbr \u002F>\nIf this option is selected, the password is no more required when a new user is created a random password will be generated.\u003C\u002Fp>\n\u003Cp>Another option that you have for register user is “Initialize force login after register”.\u003Cbr \u002F>\nWhen the user registration is completed, the user will continue on the flow configured on login 
config.\u003C\u002Fp>\n\u003Cp>If auto-login is disabled, this feature will not work and the register user will go on a normal flow and return a json response.\u003C\u002Fp>\n\u003Cp>If you want to add custom user_meta on user creation, just add the parameter \u003Ccode>user_meta\u003C\u002Fcode> with a json. This will create user_meta for the new user.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n    \"meta_key\":\"meta_value\",\n    \"meta_key2\":\"meta_value\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>These properties can be passed in the request when the new user is created.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>email\u003C\u002Fstrong> : (required) (string)  The user email address.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>password\u003C\u002Fstrong> :  (required) (string) The plain-text user password.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_login\u003C\u002Fstrong> : (string) The user’s login username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_nicename\u003C\u002Fstrong> : (string) The URL-friendly username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_url\u003C\u002Fstrong> : (string) The user URL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>display_name\u003C\u002Fstrong> : (string) The user’s display name. Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>nickname\u003C\u002Fstrong> : (string) The user’s nickname. Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>first_name\u003C\u002Fstrong> : (string) The user’s first name. For new users, will be used to build the first part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>last_name\u003C\u002Fstrong> : (string) The user’s last name. 
For new users, will be used to build the second part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>description\u003C\u002Fstrong> : (string) The user’s biographical description.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>rich_editing\u003C\u002Fstrong> : (string) Whether to enable the rich-editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>syntax_highlighting\u003C\u002Fstrong> : (string) Whether to enable the rich code editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>comment_shortcuts\u003C\u002Fstrong> : (string) Whether to enable comment moderation keyboard shortcuts for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘false’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>admin_color\u003C\u002Fstrong> : (string) Admin color scheme for the user. Default ‘fresh’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>use_ssl\u003C\u002Fstrong> : (bool) Whether the user should always access the admin over https. Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_registered\u003C\u002Fstrong> : (string) Date the user registered. Format is \u003Ccode>Y-m-d H:m:s\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_activation_key\u003C\u002Fstrong> : (string) Password reset key. Default empty.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>spam\u003C\u002Fstrong> : (bool) Multisite only. Whether the user is marked as spam. Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>show_admin_bar_front\u003C\u002Fstrong> : (string) Whether to display the Admin Bar for the user on the site’s front end. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>locale\u003C\u002Fstrong> : (string) User’s locale. 
Default empty.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fregister-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Delete User\u003C\u002Fh3>\n\u003Cp>Delete user it is disabled by default.\u003C\u002Fp>\n\u003Cp>In order to delete a user, you have to configure where to search the details in the JWT.\u003Cbr \u002F>\nYou can delete users by WordPress User ID or by Email address.\u003C\u002Fp>\n\u003Cp>Also, you have to choose the JWT parameter key where email or user ID it is stored in the JWT.\u003C\u002Fp>\n\u003Cp>Also, you can limit the deletion of users to specific IP addresses for security reasons.\u003C\u002Fp>\n\u003Ch3>Reset Password\u003C\u002Fh3>\n\u003Cp>Reset password and change password endpoints are disabled by default.\u003C\u002Fp>\n\u003Cp>This plugin allows you to send the reset password endpoint, just by calling an endpoint. An email with the code will be sent to a specific email address.\u003C\u002Fp>\n\u003Cp>Also, you are able to customize this email, or even not send at email at all.\u003C\u002Fp>\n\u003Cp>The change password endpoint, changes the user password, based on the reset password code.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fdelete-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Authentication\u003C\u002Fh3>\n\u003Cp>This plugin allows users to generate JWT tokens based from WordPress user email and password.\u003C\u002Fp>\n\u003Cp>In order to Get a new JWT, just make a POST request to \u003Cem>\u002Fauth\u003C\u002Fem> route with your WordPress email(or username) and password ( or password_hash) and the response will look something like this:\u003C\u002Fp>\n\u003Cpre>\u003Ccode> {\n     \"success\": true,\n     \"data\": {\n         \"jwt\": \"NEW_GENERATED_JWT_HERE\"\n     }\n 
}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you want to add extra parameters in the JWT payload, just send the parameter \u003Ccode>payload\u003C\u002Fcode> on \u003Ccode>\u002Fauth\u003C\u002Fcode> endpoint, and add a json with the values you want to be added in the payload.\u003C\u002Fp>\n\u003Cp>At some point, the JWT will expire.\u003Cbr \u002F>\nSo, if you want to renew it without having to ask again for user and password, you will have to make a POST request to the \u003Cem>auth\u002Frefresh\u003C\u002Fem> route.\u003C\u002Fp>\n\u003Cp>This will generate a response with a new JWT, similar to the one that \u003Ccode>\u002Fauth\u003C\u002Fcode> generates.\u003C\u002Fp>\n\u003Cp>If you want to get some details about a JWT, and validate that JWT, you can call \u003Ccode>\u002Fauth\u002Fvalidate\u003C\u002Fcode>. If you have a valid JWT, details about the available WordPress user will be returned, and some JWT details.\u003C\u002Fp>\n\u003Cp>If you want to revoke a JWT, access \u003Ccode>\u002Fauth\u002Frevoke\u003C\u002Fcode> and send the \u003Ccode>jwt\u003C\u002Fcode> as a parameter.\u003C\u002Fp>\n\u003Cp>The plugin auto-generates the example URL you might need to test these scenarios.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauthentication\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Auth codes\u003C\u002Fh3>\n\u003Cp>Auth codes are optional, but you can enable them for Auto-login, Register User and Delete user.\u003C\u002Fp>\n\u003Cp>This feature allows you to add a layer of protection to your API routes.\u003C\u002Fp>\n\u003Cp>The Auth codes contains 3 parts:\u003Cbr \u002F>\n1. Authentication Key: This is the actual code that you have to add in the request.\u003Cbr \u002F>\n2. WordPress new User Role: can be used when you want to create multiple user types with the create user endpoint. 
If you leave it blank, the value configured in the ‘Register Settings’ will be used.\u003Cbr \u002F>\n3. Expiration Date: This allows you to set an expiration date for you auth codes. The format is `Y-M-D H:m:s’. Example : 2020-12-24 23:00:00. If you leave it blank, it will never expire.\u003C\u002Fp>\n\u003Cp>Expiration date format: year-month-day hours:minutes:seconds\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauth-codes\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Cp>This plugin allows advanced users to link some hooks with the plugin and perform some custom scripts.\u003Cbr \u002F>\nSome available hooks:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_login_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook it is called after the user has been logged in. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_redirect_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: string $url, array $request\u003C\u002Fli>\n\u003Cli>description: This hook it is called before the user it will be redirected to the page he specified in the login section. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_register_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user, string $plain_text_password\u003C\u002Fli>\n\u003Cli>description: This hook it is called after a new user has been created.  
\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_delete_user_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook it is called right after the user has been deleted.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_jwt_payload_auth\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fauth endpoint. Here you can modify payload parameters. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_no_redirect_message\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fautologin endpoint when the option \u003Ccode>No Redirect\u003C\u002Fcode> is selected. You can customize the message and add parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_reset_password_custom_email_template\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: string $template, array $request\u003C\u002Fli>\n\u003Cli>return: string $template\u003C\u002Fli>\n\u003Cli>description: This is executed when POST \u002Fuser\u002Freset_password is called. 
It will replace the email template that has been added in Reset Password settings  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>View full list of hooks on \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>CORS\u003C\u002Fh3>\n\u003Cp>The CORS standard it is needed because it allows servers to specify who can access its assets and how the assets can be accessed.\u003Cbr \u002F>\nCross-origin requests are made using the standard HTTP request methods like GET, POST, PUT, DELETE, etc.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fcors\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Protect endpoints\u003C\u002Fh3>\n\u003Cp>This option is disabled by default. In order to enable it, you need to set “Protect endpoints enabled” to true.\u003C\u002Fp>\n\u003Cp>This feature comes with 2 actions:\u003Cbr \u002F>\n– Apply on All REST Endpoints\u003Cbr \u002F>\n– Apply only on specific REST endpoints\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply on All REST Endpoints\u003C\u002Fcode>, you will be able to whitelist some endpoints from your WordPress REST by adding them to the whitelist section.\u003Cbr \u002F>\nFor example, If you only want to allow users to access the \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode> endpoint without having to provide the JWT, you save in the whitelist section \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply only on specific endpoints\u003C\u002Fcode>, you will have to add all the endpoints you want to be protected by JWT.\u003C\u002Fp>\n\u003Cp>When an endpoint is protected, and you don’t provide a JWT, you will get the following response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n   \"success\":false,\n   \"data\":{\n     
 \"message\":\"Your are not authorized to access this endpoint.\",\n      \"errorCode\":403,\n      \"type\":\"simple-jwt-login-route-protect\"\n   }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fprotect-endpoints\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Integration\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>PHP\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>In order to easily integrate your app\u002Fsite with simple-jwt-login, we have developed a composer package.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>composer require nicumicle\u002Fsimple-jwt-login-client-php\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can check the \u003Ca href=\"https:\u002F\u002Fpackagist.org\u002Fpackages\u002Fnicumicle\u002Fsimple-jwt-login-client-php\" rel=\"nofollow ugc\">package page\u003C\u002Fa> for more details and code examples.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Javascript\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Also, there is a \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsimple-jwt-login\u002Fjs-sdk\" rel=\"nofollow ugc\">Javascript SDK\u003C\u002Fa> that you can install with \u003Ccode>npm\u003C\u002Fcode> or \u003Ccode>yarn\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>npm install \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>or\u003C\u002Fp>\n\u003Cpre>\u003Ccode>yarn add \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Enhance the WordPress REST API with JWT authentication for secure access by mobile apps, external sites, and third-party services.",5000,82994,46,"2026-03-14T06:23:00.000Z","4.4.0","5.5",[18,52,53,54,55],"auto-login","jwt","register","tokens","https:\u002F\u002Fsimplejwtlogin.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.5.zip","2025-09-22 
00:00:00",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":24,"num_ratings":69,"last_updated":70,"tested_up_to":14,"requires_at_least":71,"requires_php":72,"tags":73,"homepage":16,"download_link":77,"security_score":24,"vuln_count":78,"unpatched_count":11,"last_vuln_date":79,"fetched_at":26},"api-bearer-auth","API Bearer Auth","20200916","michielve","https:\u002F\u002Fprofiles.wordpress.org\u002Fmichielve\u002F","\u003Cp>The API Bearer Auth plugin enables authentication for the REST API by using JWT access and refresh tokens. After the user logs in, the access and refresh tokens are returned and can be used for the next requests. Issued tokens can be revoked from within the users admin screen. See below for the endpoints.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note that after activating this plugin, all REST API endpoints will need to be authenticated, unless the endpoint is whitelisted in the \u003Ccode>api_bearer_auth_unauthenticated_urls\u003C\u002Fcode> filter (see FAQ for how to use this filter).\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>JWT\u003C\u002Fh4>\n\u003Cp>Access tokens can be formatted as JWT tokens. For this to work, you first have to create a secret and add it to the wp-config.php file. If you don’t do this, access tokens will work also, but are just random strings. 
To create a random secret key, you can do for example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>base64_encode(openssl_random_pseudo_bytes(64));\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>And then add the result to wp-config:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('API_BEARER_JWT_SECRET', 'mysecretkey');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you have problems, you can verify your JWT tokens at: \u003Ca href=\"https:\u002F\u002Fjwt.io\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fjwt.io\u002F\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Revoke tokens\u003C\u002Fh4>\n\u003Cp>This plugin adds a column to the users table in the admin where you can see when a token expires. You can also revoke tokens by selecting “Revoke API tokens” from the bulk actions select box.\u003C\u002Fp>\n\u003Ch4>API endpoints\u003C\u002Fh4>\n\u003Cp>Note that all endpoints \u003Cstrong>expect JSON in the POST body\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Endpoint:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fapi-bearer-auth\u002Fv1\u002Flogin\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Request body:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: \u003Ccode>client_name\u003C\u002Fcode> is optional. 
But if you use it, make sure to use it as well for the refresh call!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\"username\": \"my_username\", \"password\": \"my_password\", \"client_name\": \"my_app\"}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"wp_user\": {\n    \"data\": {\n      \"ID\": 1,\n      \"user_login\": \"your_user_login\",\n      \u002F\u002F other default WordPress user fields\n    }\n  },\n  \"access_token\": \"your_access_token\",\n  \"expires_in\": 86400, \u002F\u002F number of seconds\n  \"refresh_token\": \"your_refresh_token\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Make sure to save the access and refresh token!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Refresh access token\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Endpoint:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>POST \u002Fapi-bearer-auth\u002Fv1\u002Ftokens\u002Frefresh\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Request body:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: \u003Ccode>client_name\u003C\u002Fcode> is optional. 
But if you did use it for the login call, make sure to use it here as well!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\"token\": \"your_refresh_token\", \"client_name\": \"my_app\"}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response success:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"access_token\": \"your_new_access_token\",\n  \"expires_in\": 86400\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Response when sending a wrong refresh token is a 401:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"api_api_bearer_auth_error_invalid_token\",\n  \"message\": \"Invalid token.\",\n  \"data\": {\n    \"status\": 401\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Do a request\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>After you have the access token, you can make requests to authenticated endpoints  with an Authorization header like this:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer \u003Cyour_access_token>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Note that Apache sometimes strips out the Authorization header. If this is the case, make sure to add this to the .htaccess file:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteCond %{HTTP:Authorization} ^(.*)\n# Don't know why, but some need the line below instead of the RewriteRule line\n# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you are not logged in or you send an invalid access token, you get a 401 response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n  \"code\": \"api_bearer_auth_not_logged_in\",\n  \"message\": \"You are not logged in.\",\n  \"data\": {\n    \"status\": 401\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Important update\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Update immediately if you’re using a version below 20200807. 
Before this version all access tokens were updated when calling the refresh callback.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>If you are affected by this the fastest solution is to execute this query:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>update wp_user_tokens set access_token_valid = NOW();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>This will invalidate all access tokens. This means that all users need to refresh their access token and will get a new access token and a unique one this time.\u003C\u002Fp>\n\u003Cp>A big thank to @harchvertelol for reporting this and suggesting the fix as well!\u003C\u002Fp>\n","Access and refresh tokens based authentication plugin for the REST API.",300,23631,6,"2025-12-08T09:52:00.000Z","4.6","5.4.0",[18,74,53,75,76],"authentication","jwt-tokens","rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fapi-bearer-auth.zip",1,"2019-09-05 00:00:00",{"slug":81,"name":82,"version":83,"author":84,"author_profile":85,"description":86,"short_description":87,"active_installs":88,"downloaded":89,"rating":24,"num_ratings":90,"last_updated":91,"tested_up_to":14,"requires_at_least":92,"requires_php":93,"tags":94,"homepage":98,"download_link":99,"security_score":100,"vuln_count":78,"unpatched_count":11,"last_vuln_date":101,"fetched_at":26},"login-register-using-jwt","WP Login and Register using JWT","3.2.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>The \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-login-using-jwt-single-sign-on-sso\" rel=\"nofollow ugc\">WordPress Login and Register using JWT plugin\u003C\u002Fa>\u003C\u002Fstrong> allows you to \u003Cstrong>log in (Single Sign-On)\u003C\u002Fstrong> into your WordPress application using the \u003Cstrong>JWT token(JSON Web token)\u003C\u002Fstrong> obtained from any other WordPress site or other applications\u002Fplatforms including mobile applications. 
This helps users perform \u003Cstrong>autologin to WordPress\u003C\u002Fstrong> and \u003Cstrong>synchronize user sessions\u003C\u002Fstrong> without the need to log in again.\u003C\u002Fp>\n\u003Cp>|\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-login-using-jwt-single-sign-on-sso\" rel=\"nofollow ugc\"> Features \u003C\u002Fa>| \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-single-sign-on-using-jwt-token\" rel=\"nofollow ugc\"> WordPress JWT Login Setup Guide \u003C\u002Fa>|\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\u002Fplaylist?list=PL2vweZ-PcNpevdcrVhs_dQ3qOxc0102wI\" rel=\"nofollow ugc\"> Videos \u003C\u002Fa>|\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WORDPRESS SINGLE SIGN-ON \u002F SSO ( LOGIN INTO WORDPRESS )\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>WordPress Single Sign-On SSO\u003C\u002Fstrong> also simply called \u003Cstrong>WordPress SSO\u003C\u002Fstrong> allows you to login into WordPress using the credentials of other platforms. So, the user will just use a single set of credentials to log in to multiple applications.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress Single Sign-On \u002F SSO using JWT(JSON Web Token)\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>WordPress Single Sign-On (SSO) with JWT\u003C\u002Fstrong> allows you to log into the WordPress site using the user-based JWT token obtained externally when the user authenticates for the first time in any connected external application.\u003Cbr \u002F>\nThe JWT token authentication is the most popular way of authentication nowadays as it is a secure and lightweight protocol. 
The JWT token can be obtained either when a user logs into other platforms via \u003Cstrong>\u003Ca href=\"https:\u002F\u002Foauth.net\u002F\" rel=\"nofollow ugc\">OAuth\u003C\u002Fa>\u002F\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fconnect\u002F\" rel=\"nofollow ugc\">OpenID Connect\u003C\u002Fa>\u003C\u002Fstrong> protocol or can be created explicitly using the user information and secure algorithms.\u003Cbr \u002F>\nWith this plugin, you can easily use the user-based JWT token to log a user in rather than asking them to authenticate again.\u003C\u002Fp>\n\u003Cp>\u003Cem>Let’s take an example\u003C\u002Fem> – If you have a WordPress site and mobile app, now if you are logged into the mobile app, now if you try to access the WordPress site, then to access the particular content, the WordPress site will ask for login again and which is not feasible, so with the JWT SSO (JWT Single Sign-On), you can create the JWT token for the user who is already logged into the mobile app and then on accessing the WordPress site, you can pass that JWT token in the request, using which the same user can authenticate and autologin to the WordPress site and hence won’t need to enter the credentials again.\u003C\u002Fp>\n\u003Cp>It supports possibly all kinds of \u003Cstrong>JWT tokens (access-token\u002Fid-token)\u003C\u002Fstrong> obtained from \u003Cstrong>OAuth\u002FOpenID Connect\u003C\u002Fstrong> providers like \u003Cstrong>AWS Cognito\u003C\u002Fstrong>, \u003Cstrong>Microsoft Azure AD\u003C\u002Fstrong>, \u003Cstrong>Azure B2C\u003C\u002Fstrong>, \u003Cstrong>Okta\u003C\u002Fstrong>, \u003Cstrong>Keycloak\u003C\u002Fstrong>, \u003Cstrong>ADFS\u003C\u002Fstrong>, \u003Cstrong>Google\u003C\u002Fstrong>, \u003Cstrong>Facebook\u003C\u002Fstrong>, \u003Cstrong>Apple\u003C\u002Fstrong>, \u003Cstrong>Discord\u003C\u002Fstrong> and popular applications like \u003Cstrong>Firebase\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>WordPress login using the JWT also called 
\u003Cstrong>JWT SSO (Single Sign-On)\u003C\u002Fstrong> can be done from other platforms and applications including mobile apps (android or IOS), an app built with other programming languages like \u003Cstrong>.NET\u003C\u002Fstrong>, \u003Cstrong>JAVA\u003C\u002Fstrong>, \u003Cstrong>PHP\u003C\u002Fstrong>, \u003Cstrong>JS\u003C\u002Fstrong> etc.\u003C\u002Fp>\n\u003Ch3>Major functionalities\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>WordPress Login Endpoint to create user-based JWT token\u003C\u002Fstrong>\u003Cbr \u002F>\nPlugin provides the following API endpoint, which can be used to authenticate WordPress users and returns a user-based JWT which can be used to create login sessions in WordPress and other external applications.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fapi\u002Fv1\u002Fmo-jwt\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>WordPress Login using JWT\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides a way to auto-login users in WordPress using JWT obtained in a very secure way either via passing JWT token in the URL as a parameter, in the request header or shared via secured cookies.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress user register API endpoint to create users in WordPress using API\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides the following API endpoint to create users in WordPress in an easy way and on successful user registration, you will receive a JWT token in the response which can be used further for user login and WordPress REST API authorization.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>wp-json\u002Fapi\u002Fv1\u002Fmo-jwt-register\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Delete\u002FRemove users from WordPress using the user-based JWT token (JSON Web Token)\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides an API endpoint using which you can pass the JWT token and can easily delete the user and revoke 
access.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>wp-json\u002Fapi\u002Fv1\u002Fmo-jwt-delete\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>More details for the plugin setup can be checked from \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-single-sign-on-using-jwt-token\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>USE CASES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Login to External applications using WordPress credentials\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you are looking to authenticate your WordPress users to log in to external applications, then our plugin provides a login API endpoint using which you can easily authenticate WordPress users and can log in the users to those applications.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Single Sign-On Users using the JWT token provided by OAuth\u002FOpenID providers\u003C\u002Fstrong>\u003Cbr \u002F>\nThis WordPress login and register using the JWT plugin supports the WordPress Single Sign On (WordPress SSO) or WordPress login using the user-based JWT token (id-token\u002Faccess-token) provided by the external OAuth\u002FOpenID Connect providers (like Microsoft Azure AD, Azure B2C, AWS Cognito, Keycloak, Okta, ADFS, Google, Facebook, Apple, Discord and many more..) 
on login in some other sites\u002Fapplications using their credentials.\u003Cbr \u002F>\nSo, the user just needs to log in once on any other sites\u002Fplatforms and a JWT token will be provided by these providers for those users will then be used further with security to autologin in other platforms.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FRR0o80hGvfU?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Automatic WordPress login and site access from mobile app web view | Synchronize WordPress session in the mobile app web view\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a mobile application and want to allow users to access their WordPress site content in the mobile app web view which requires a login so asking the users to enter the credentials again won’t be a good user experience. 
So, our JWT login plugin provides a solution to you in which the user session from the mobile app can be synchronized with the WordPress site and the user can seamlessly access the WordPress site using the user-based JWT token without the need for a WordPress login again.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002F0QPIjelCWvk?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Automatic session synchronization between WordPress and other applications built on React, Node, Next JS, Flutter, Angular, Java, PHP, and C# ….\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a WordPress site connected to any external application built on any framework, then if you want a feature that if a user is logged in to any one application, should be automatically logged in to another as well. 
This can be easily achieved using the secure JWT.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FOMH_FY-xh8Q?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Session sharing between WordPress and other applications sharing the same subdomain (hosted on the same domain)\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a WordPress site and other applications hosted on the same subdomain, such that if the user logs in to any one application, then can be auto-logged into other connected applications on that domain using secure cookie-based JWT token sharing.\u003Cbr \u002F>\nan pass the new user details like username, email, name and password(optional), role etc. 
in the request body and on successful response, your user will get created and the corresponding user-based JWT will be received and the appropriate error response will be returned on the failure.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FLr9spH2PPeY?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent&listType=playlist&list=PL2vweZ-PcNpevdcrVhs_dQ3qOxc0102wI\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cul>\n\u003Cli>\u003Cstrong>Sync user login sessions between multiple platforms (Session sharing)\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you have a WordPress site and other applications sharing the same subdomain and you want the feature in which if a user logged into one site (WordPress or another) and on accessing the other site in the same browser, then that user should get logged in automatically (user session to be synchronized). 
So, this feature is possible to have with our plugin’s JWT cookie-based session-sharing feature.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cp>FREE PLAN\u003C\u002Fp>\n\u003Cp>\u003Cem>Create JWT feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Login API endpoint\u003C\u002Fstrong> to authenticate WordPress users based on username\u002Femail and password\u003C\u002Fli>\n\u003Cli>Supports the JWT token generation using the \u003Cstrong>HS256 signing algorithm\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>JWT token signing with randomly generated secret signing key.\u003C\u002Fli>\n\u003Cli>Default JWT \u003Cstrong>token expiration\u003C\u002Fstrong> is 60 minutes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Registration feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user registration with the default subscriber role.\u003C\u002Fli>\n\u003Cli>Provide a user-based JWT token in the success response.\u003C\u002Fli>\n\u003Cli>No Extra Security key for user registration API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Deletion feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user deletion with JWT token validation using the HS256 signing algorithm.\u003C\u002Fli>\n\u003Cli>No Extra Security key for user deletion API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User login feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allows WordPress login (SSO) using a user-based JWT token with HS256 signing created using the plugin’s Create JWT feature.\u003C\u002Fli>\n\u003Cli>Retrieve the JWT token from the URL parameter to allow auto-login.\u003C\u002Fli>\n\u003Cli>Auto redirection on login to the homepage or on the same page\u002FURL from where the autologin is initiated.\u003C\u002Fli>\n\u003Cli>Default Subscriber role is assigned on login using JWT.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>PREMIUM 
PLAN\u003C\u002Fp>\n\u003Cp>\u003Cem>Create JWT feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Supports JWT token generation using \u003Cstrong>HS256\u003C\u002Fstrong> and a securer \u003Cstrong>RS256 signing algorithm\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>JWT token signing with a \u003Cstrong>custom secret signing key or certificate\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Custom token expiration to expire the token as per your requirement to improvise security.\u003C\u002Fli>\n\u003Cli>Custom JWT token decryption key.\u003C\u002Fli>\n\u003Cli>Revoke and invalidate existing user JWT token whenever a new JWT token is generated for a user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Registration feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user registration with a custom role.\u003C\u002Fli>\n\u003Cli>Provide a user-based JWT token in the success response.\u003C\u002Fli>\n\u003Cli>Extra Security key for user registration API endpoint.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Deletion feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user deletion with JWT token validation using the HS256 signing algorithm.\u003C\u002Fli>\n\u003Cli>Extra Security key for user deletion API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User login feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allows WordPress login (SSO) using a user-based JWT with HS256 signing created either using plugins create JWT feature or a JWT token obtained from an external source.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT with RS256 signing validation.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT with \u003Cstrong>JWKS token validation\u003C\u002Fstrong> support.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT obtained from an external \u003Cstrong>OAuth\u002FOpenID Connect\u003C\u002Fstrong> 
provider.\u003C\u002Fli>\n\u003Cli>Retrieve the JWT token from the \u003Cstrong>URL parameter\u003C\u002Fstrong>, \u003Cstrong>request header\u003C\u002Fstrong> and \u003Cstrong>cookie\u003C\u002Fstrong> to allow auto-login between platforms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto redirection\u003C\u002Fstrong> on login to the homepage or on the same page\u002FURL from where the autologin is initiated.\u003C\u002Fli>\n\u003Cli>Auto redirection on login to any custom URL.\u003C\u002Fli>\n\u003Cli>User \u003Cstrong>Attribute\u002FProfile\u003C\u002Fstrong> mapping on SSO login.\u003C\u002Fli>\n\u003Cli>Option to assign any WordPress role rather than default subscriber on SSO login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic role and group Mapping\u003C\u002Fstrong> to the user who performs SSO using a JWT token.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SSO Login Audit feature\u003C\u002Fstrong> to track the users who perform login using the JWT token.\u003C\u002Fli>\n\u003Cli>Add-On to \u003Cstrong>share the user session to other applications\u003C\u002Fstrong> using the JWT token stored in the cookie\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Other Related Integrations\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fminiorange-login-with-eve-online-google-facebook\u002F\" rel=\"ugc\">OAuth Single Sign On – SSO (OAuth Client)\u003C\u002Fa>\u003C\u002Fstrong> – This plugin allows Single Sign On – SSO login in your WordPress site using external OAuth 2.0, OpenID Connect Providers\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fminiorange-api-20-single-sign-on\u002F\" rel=\"ugc\">api Single Sign On – SSO Login\u003C\u002Fa>\u003C\u002Fstrong> – This plugin allows Single Sign On – SSO login in your WordPress site using external api, WS-FED Providers\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca 
href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication\u002F\" rel=\"ugc\">WordPress REST API Authentication\u003C\u002Fa>\u003C\u002Fstrong> – This plugin protects your WordPress REST API endpoints from unauthorized access using secure \u003Cstrong>OAuth 2.0\u003C\u002Fstrong>, \u003Cstrong>JWT authentication\u003C\u002Fstrong>, \u003Cstrong>Basic authentication\u003C\u002Fstrong>, \u003Cstrong>Bearer API Key token\u003C\u002Fstrong> and even more.\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data. This plugin uses login.xecurify.com for registration as miniOrange uses login.xecurify.com if the user chooses to register and upgrade to premium. If the user does not want to register then he can continue using the free plugin. (Link to the privacy policy –  https:\u002F\u002Fwww.miniorange.com\u002Fprivacy-policy.pdf )\u003C\u002Fp>\n","WordPress login (WordPress Single Sign-On) using JWT token obtained from other WordPress sites or any other application. 
Synchronize user sessions bet &hellip;",200,8460,5,"2025-12-11T10:14:00.000Z","3.0.1","5.6",[18,95,53,96,97],"json-web-token","login","single-sign-on","http:\u002F\u002Fminiorange.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-register-using-jwt.3.2.0.zip",99,"2025-11-18 17:17:49",{"slug":103,"name":104,"version":105,"author":106,"author_profile":107,"description":108,"short_description":109,"active_installs":11,"downloaded":110,"rating":11,"num_ratings":11,"last_updated":16,"tested_up_to":111,"requires_at_least":93,"requires_php":112,"tags":113,"homepage":115,"download_link":116,"security_score":24,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":117},"juanma-jwt-auth-pro","JuanMa JWT Auth Pro","1.2.1","JuanMa Garrido","https:\u002F\u002Fprofiles.wordpress.org\u002Fjuanmaguitar\u002F","\u003Cp>Unlike basic JWT plugins that use \u003Cstrong>single long-lived tokens\u003C\u002Fstrong>, JWT Auth Pro implements \u003Cstrong>modern OAuth 2.0 security best practices\u003C\u002Fstrong> with short-lived access tokens and secure refresh tokens.\u003C\u002Fp>\n\u003Ch4>Why JWT Auth Pro?\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>The Problem with Basic JWT Plugins:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Long-lived tokens (24h+) = Higher security risk\u003Cbr \u002F>\n* No refresh mechanism = Tokens live until expiry\u003Cbr \u002F>\n* XSS vulnerable = Tokens stored in localStorage\u003Cbr \u002F>\n* No revocation = Can’t invalidate compromised tokens\u003C\u002Fp>\n\u003Cp>\u003Cstrong>JWT Auth Pro Solution:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Short-lived access tokens (1h default) = Minimal attack window\u003Cbr \u002F>\n* Secure refresh tokens = HTTP-only cookies, XSS protected\u003Cbr \u002F>\n* Automatic token rotation = Fresh tokens on each refresh\u003Cbr \u002F>\n* Complete session control = Revoke any user session instantly\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Simple JWT 
Authentication\u003C\u002Fstrong> – Clean, stateless token-based auth\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Refresh Tokens\u003C\u002Fstrong> – Secure refresh tokens in HTTP-only cookies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Automatic refresh token rotation for enhanced security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CORS Support\u003C\u002Fstrong> – Proper cross-origin request handling\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean Admin Interface\u003C\u002Fstrong> – Simple configuration in WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong> – Clear endpoints and documentation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Comparison\u003C\u002Fh4>\n\u003Cp>  Feature\u003Cbr \u002F>\n  Basic JWT Plugins\u003Cbr \u002F>\n  JWT Auth Pro\u003C\u002Fp>\n\u003Cp>  Token Lifetime\u003Cbr \u002F>\n  Long (hours\u002Fdays)\u003Cbr \u002F>\n  Short (1 hour)\u003C\u002Fp>\n\u003Cp>  Refresh Tokens\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  Secure HTTP-only\u003C\u002Fp>\n\u003Cp>  XSS Protection\u003Cbr \u002F>\n  Limited\u003Cbr \u002F>\n  HTTP-only cookies\u003C\u002Fp>\n\u003Cp>  Token Revocation\u003Cbr \u002F>\n  Manual only\u003Cbr \u002F>\n  Automatic rotation\u003C\u002Fp>\n\u003Cp>  Session Management\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  Database tracking\u003C\u002Fp>\n\u003Cp>  Security Metadata\u003Cbr \u002F>\n  None\u003Cbr \u002F>\n  IP + User Agent\u003C\u002Fp>\n\u003Ch4>Perfect for:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Single Page Applications (React, Vue, Angular)\u003C\u002Fli>\n\u003Cli>Mobile Applications (iOS, Android)\u003C\u002Fli>\n\u003Cli>API Integrations (Third-party services)\u003C\u002Fli>\n\u003Cli>Headless WordPress (Decoupled architecture)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>API Endpoints\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Ftoken\u003C\u002Fcode> – Login and get access 
token\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Frefresh\u003C\u002Fcode> – Refresh access token\u003C\u002Fli>\n\u003Cli>\u003Ccode>GET \u002Fwp-json\u002Fjwt\u002Fv1\u002Fverify\u003C\u002Fcode> – Verify token and get user info\u003C\u002Fli>\n\u003Cli>\u003Ccode>POST \u002Fwp-json\u002Fjwt\u002Fv1\u002Flogout\u003C\u002Fcode> – Logout and revoke refresh token\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Stateless Authentication\u003C\u002Fstrong> – JWT tokens contain all necessary information\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTPOnly Cookies\u003C\u002Fstrong> – Refresh tokens stored securely, inaccessible to JavaScript\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Token Rotation\u003C\u002Fstrong> – Refresh tokens automatically rotate on use\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Expiration\u003C\u002Fstrong> – Set custom expiration times\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & User Agent Tracking\u003C\u002Fstrong> – Additional security metadata\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support and documentation, visit: https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>This plugin stores user session data including IP addresses and user agent strings for security purposes. 
This data is used solely for authentication and security monitoring.\u003C\u002Fp>\n","Modern JWT authentication with refresh tokens - built for SPAs and mobile apps with enterprise-grade security.",124,"6.8.5","7.4",[74,53,76,114,55],"security","https:\u002F\u002Fgithub.com\u002Fjuanma-wp\u002Fjwt-auth-pro-wp-rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjuanma-jwt-auth-pro.1.2.1.zip","2026-03-15T10:48:56.248Z",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":11,"downloaded":126,"rating":11,"num_ratings":11,"last_updated":127,"tested_up_to":128,"requires_at_least":129,"requires_php":112,"tags":130,"homepage":132,"download_link":133,"security_score":12,"vuln_count":11,"unpatched_count":11,"last_vuln_date":25,"fetched_at":26},"simple-jwt-auth","Simple JWT Auth","1.0.2","Sayan Dey","https:\u002F\u002Fprofiles.wordpress.org\u002Fsayandey18\u002F","\u003Cp>Extends the WordPress REST API using JSON Web Tokens for robust authentication and authorization.\u003C\u002Fp>\n\u003Cp>JSON Web Token (JWT) is an open standard (\u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\" rel=\"nofollow ugc\">RFC 7519\u003C\u002Fa>) that defines a compact and self-contained way for securely transmitting information between two parties.\u003C\u002Fp>\n\u003Cp>It provides a secure and reliable way to access and manage WordPress data from external applications, making it ideal for building headless CMS solutions.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Support & question: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fsimple-jwt-auth\u002F\" rel=\"ugc\">WordPress support forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Reporting plugin’s bug: \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u002Fissues\" rel=\"nofollow ugc\">GitHub issues 
tracker\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Plugins GitHub Repo\u003C\u002Fstrong> https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth\u003C\u002Fp>\n\u003Ch3>Enable PHP HTTP Authorization Header\u003C\u002Fh3>\n\u003Cp>HTTP Authorization is a mechanism that allows clients to provide credentials to servers, thereby gaining access to protected resources. This is typically achieved by sending a special header, the Authorization header, in the HTTP request.\u003C\u002Fp>\n\u003Ch4>Shared Hosts\u003C\u002Fh4>\n\u003Cp>Most shared hosts have disabled the \u003Cstrong>HTTP Authorization Header\u003C\u002Fstrong> by default.\u003C\u002Fp>\n\u003Cp>To enable this option you’ll need to edit your \u003Cstrong>.htaccess\u003C\u002Fstrong> file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>RewriteEngine on\nRewriteCond %{HTTP:Authorization} ^(.*)\nRewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WPEngine\u003C\u002Fh4>\n\u003Cp>To enable this option you’ll need to edit your .htaccess file by adding the following:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Cp>Simple JWT Auth plugin needs a \u003Cstrong>Signing Key\u003C\u002Fstrong> to encrypt and decrypt the \u003Cstrong>secret key\u003C\u002Fstrong>, \u003Cstrong>private key\u003C\u002Fstrong>, and \u003Cstrong>public key\u003C\u002Fstrong>. 
This signing key must be exactly 32 characters long and must never be revealed.\u003C\u002Fp>\n\u003Cp>To add the \u003Cstrong>signing key\u003C\u002Fstrong> edit your \u003Ccode>wp-config.php\u003C\u002Fcode> file and add a new constant called \u003Cstrong>SIMPLE_JWT_AUTH_ENCRYPT_KEY\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'SIMPLE_JWT_AUTH_ENCRYPT_KEY', 'your-32-char-signing-key' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Generate a 32-character key from here: \u003Ca href=\"https:\u002F\u002Fstring-gen.netlify.app\" rel=\"nofollow ugc\">https:\u002F\u002Fstring-gen.netlify.app\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Here is the sample response if the encryption key is not configured in the wp-config.php file.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_encryption_key\",\n    \"message\": \"Encryption key is not configured properly.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Endpoints\u003C\u002Fh3>\n\u003Cp>When the plugin is activated, a new namespace is added.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fauth\u002Fv1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, two new endpoints are added to this namespace.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken          | POST\n*\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate | POST\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Requesting\u002FGenerating Token\u003C\u002Fh3>\n\u003Cp>To generate a new token, submit a POST request to this endpoint. 
With \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>password\u003C\u002Fcode> as the parameters.\u003C\u002Fp>\n\u003Cp>It validates the user credentials and returns a success response including a token if the authentication is correct, or an error response if the authentication fails.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken' \\\n--header 'Content-Type: application\u002Fjson' \\\n--data-raw '{\n    \"username\": \"wordpress_username\",\n    \"password\": \"wordpress_password\"\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_auth_credential\",\n    \"message\": \"Token created successfully\",\n    \"data\": {\n        \"status\": 200,\n        \"id\": \"2\",\n        \"email\": \"sayandey@outlook.com\",\n        \"nicename\": \"sayan_dey\",\n        \"display_name\": \"Sayan Dey\",\n        \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciO.........\"\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of error response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_username\",\n    \"message\": \"Error: The username admin_user is not registered on this site. 
If you are unsure of your username, try your email address instead.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Once you get the token, you can store it somewhere in your application:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>using \u003Cstrong>Cookie\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using \u003Cstrong>localstorage\u003C\u002Fstrong> \u003C\u002Fli>\n\u003Cli>or using a wrapper like \u003Ca href=\"https:\u002F\u002Flocalforage.github.io\u002FlocalForage\u002F\" rel=\"nofollow ugc\">localForage\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fpouchdb.com\u002F\" rel=\"nofollow ugc\">PouchDB\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>or using local database like SQLite\u003C\u002Fli>\n\u003Cli>or your choice based on app you develop\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Then you should pass this token as \u003Cem>Bearer Authentication\u003C\u002Fem> header to every API call.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Authorization: Bearer your-generated-token\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Here is an example to create WordPress post using JWT token authentication.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts' \\\n--header 'Content-Type: application\u002Fjson' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........' \\\n--data '{\n    \"title\": \"Dummy post through API\",\n    \"content\": \"Lorem Ipsum is simply dummy text of the printing and typesetting industry.\",\n    \"status\": \"publish\",\n    \"tags\": [\n        4,\n        5,\n        6\n    ]\n}'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Plugin’s middleware intercepts every request to the server, checking for the presence of the \u003Cstrong>Authorization\u003C\u002Fstrong> header. 
If the header is found, it attempts to decode the JWT token contained within.\u003C\u002Fp>\n\u003Cp>Upon successful decoding, the middleware extracts the user information stored in the token and authenticates the user accordingly, ensuring that only authorized requests are processed.\u003C\u002Fp>\n\u003Ch3>Validating Token\u003C\u002Fh3>\n\u003Cp>This is a helper endpoint to validate a token. You only need to make a \u003Cstrong>POST\u003C\u002Fstrong> request that sends the Bearer Authorization header.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl --location --request POST 'https:\u002F\u002Fexample.com\u002Fwp-json\u002Fauth\u002Fv1\u002Ftoken\u002Fvalidate' \\\n--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.........'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Sample of success response\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_valid_token\",\n    \"message\": \"Token is valid\",\n    \"data\": {\n        \"status\": 200\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST Errors\u003C\u002Fh3>\n\u003Cp>If the token is invalid, an error is returned. Here are some sample errors.\u003C\u002Fp>\n\u003Ch4>Invalid Username\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_username\",\n    \"message\": \"Error: The username admin is not registered on this site. If you are unsure of your username, try your email address instead.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Password\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_incorrect_password\",\n    \"message\": \"Error: The password you entered for the username tiyasha_das is incorrect. 
Lost your password?\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Signature\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Signature verification failed\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Syntax error, malformed JSON\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Expired Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Expired token\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>No Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_no_auth_header\",\n    \"message\": \"Authorization header not found\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Authorization\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_auth_header\",\n    \"message\": \"Authorization header malformed\",\n    \"data\": {\n        \"status\": 400\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Wrong Algorithm Token\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_token\",\n    \"message\": \"Incorrect key for this algorithm\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Unsupported Algorithm\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_unsupported_algorithm\",\n    \"message\": \"Unsupported algorithm see https:\u002F\u002Ftinyurl.com\u002Fuf4ns6fm\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Configuration\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": 
\"simplejwt_bad_config\",\n    \"message\": \"JWT is not configured properly, please contact the admin\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Bad Encryption Key\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_bad_encryption_key\",\n    \"message\": \"Encryption key is not configured properly.\",\n    \"data\": {\n        \"status\": 403\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Invalid Encryption Key Length\u003C\u002Fh4>\n\u003Cpre>\u003Ccode>{\n    \"code\": \"simplejwt_invalid_enckey_length\",\n    \"message\": \"Encryption key must be exactly 32 characters long\",\n    \"data\": {\n        \"status\": 400\n    }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Available Hooks\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Simple JWT Auth\u003C\u002Fstrong> is a developer-friendly plugin. It has various filter hooks available to override the default settings.\u003C\u002Fp>\n\u003Ch4>simplejwt_cors_allow_headers\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_cors_allow_headers\u003C\u002Fcode> allows you to modify the available headers when the Cross-Origin Resource Sharing (CORS) support is enabled.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>'Access-Control-Allow-Headers, Content-Type, Authorization'\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the allowed CORS headers.\n *\n * @param   string $headers The allowed headers.\n * @return  string The allowed headers.\n *\u002F\nadd_filter(\"simplejwt_cors_allow_headers\", function ($headers) {\n    \u002F\u002F Modify the headers here.\n    return $headers;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_iss\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_iss\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7519#section-4.1.1\" 
rel=\"nofollow ugc\">\u003Cstrong>iss\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>get_bloginfo( 'url' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token issuer.\n *\n * @param   string $iss The token issuer.\n * @return  string The token issuer.\n *\u002F\nadd_filter(\"simplejwt_auth_iss\", function ($iss) {\n    \u002F\u002F Modify the \"iss\" here.\n    return $iss;\n});\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_not_before\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_not_before\u003C\u002Fcode> allows you to change the \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.5\" rel=\"nofollow ugc\">\u003Cstrong>nbf\u003C\u002Fstrong>\u003C\u002Fa> value before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time();\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's nbf value.\n *\n * @param   int $not_before The default \"nbf\" value in timestamp.\n * @param   int $issued_at The \"iat\" value in timestamp.\n * @return  int The \"nbf\" value.\n *\u002F\nadd_filter(\n    \"simplejwt_not_before\",\n    function ($not_before, $issued_at) {\n        \u002F\u002F Modify the \"not_before\" here.\n        return $not_before;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_auth_expire\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_auth_expire\u003C\u002Fcode> allows you to change the value \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519#section-4.1.4\" rel=\"nofollow ugc\">\u003Cstrong>exp\u003C\u002Fstrong>\u003C\u002Fa> before the payload is encoded to be a token.\u003C\u002Fp>\n\u003Cp>Default 
value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>time() + ( DAY_IN_SECONDS * 7 )\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Change the token's expire value.\n *\n * @param   int $expire The default \"exp\" value in timestamp.\n * @param   int $issued_at The \"iat\" value in timestamp.\n * @return  int The \"exp\" value.\n *\u002F\nadd_filter(\n    \"simplejwt_auth_expire\",\n    function ($expire, $issued_at) {\n        \u002F\u002F Modify the \"expire\" here.\n        return $expire;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_payload_before_sign\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_payload_before_sign\u003C\u002Fcode> allows you to modify all the payload data before it is encoded and signed.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$payload = [\n    \"iss\" => $this->simplejwt_get_iss(),\n    \"iat\" => $issued_at,\n    \"nbf\" => $not_before,\n    \"exp\" => $expire,\n    \"data\" => [\n        \"user\" => [\n            \"id\" => $user->data->ID,\n        ],\n    ],\n];\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the payload data before being encoded & signed.\n *\n * @param   array $payload The default payload\n * @param   WP_User $user The authenticated user.\n * @return  array The payload data.\n *\u002F\nadd_filter(\n    \"simplejwt_payload_before_sign\",\n    function ($payload, $user) {\n        \u002F\u002F Modify the payload here.\n        return $payload;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>simplejwt_token_before_dispatch\u003C\u002Fh4>\n\u003Cp>The \u003Ccode>simplejwt_token_before_dispatch\u003C\u002Fcode> allows you to modify the token response before dispatching it to the client.\u003C\u002Fp>\n\u003Cp>Default value:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$data = new WP_REST_Response(\n    [\n        
\"code\" => \"simplejwt_auth_credential\",\n        \"message\" => JWTNotice::get_notice(\"auth_credential\"),\n        \"data\" => [\n            \"status\" => 200,\n            \"id\" => $user->data->ID,\n            \"email\" => $user->data->user_email,\n            \"nicename\" => $user->data->user_nicename,\n            \"display_name\" => $user->data->display_name,\n            \"token\" => $token,\n        ],\n    ],\n    200,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Usage example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F**\n * Modify the JWT response before dispatch.\n *\n * @param   WP_REST_Response $data The token response data.\n * @param   WP_User $user The user object for whom the token is being generated.\n * @return  WP_REST_Response Modified token response data.\n *\u002F\nadd_filter(\n    \"simplejwt_token_before_dispatch\",\n    function ($data, $user) {\n        \u002F\u002F Modify the response data.\n        if ($user instanceof WP_User) {\n        }\n        return $data;\n    },\n    10,\n    2,\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002F\" rel=\"nofollow ugc\">WordPress REST API\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffirebase\u002Fphp-jwt\" rel=\"nofollow ugc\">php-jwt by Firebase\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Extends the WP REST API using JSON Web Tokens for robust authentication, providing a secure and reliable way to access and manage WordPress 
data.",783,"2024-11-17T13:30:00.000Z","6.7.5","5.2",[74,95,53,131,76],"jwt-auth","https:\u002F\u002Fgithub.com\u002Fsayandey18\u002Fsimple-jwt-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-auth.1.0.2.zip",{"attackSurface":135,"codeSignals":161,"taintFlows":169,"riskAssessment":170,"analyzedAt":173},{"hooks":136,"ajaxHandlers":157,"restRoutes":158,"shortcodes":159,"cronEvents":160,"entryPointCount":11,"unprotectedCount":11},[137,143,147,150,153],{"type":138,"name":139,"callback":140,"file":141,"line":142},"action","admin_menu","register_menu","site-grid-connector.php",25,{"type":138,"name":144,"callback":145,"file":141,"line":146},"show_user_profile","profile_token_field",26,{"type":138,"name":148,"callback":145,"file":141,"line":149},"edit_user_profile",27,{"type":138,"name":151,"callback":152,"file":141,"line":33},"admin_post_wp_sg_regenerate_token","handle_regenerate_token",{"type":138,"name":154,"callback":155,"file":141,"line":156},"rest_api_init","register_rest_routes",33,[],[],[],[],{"dangerousFunctions":162,"sqlUsage":163,"outputEscaping":165,"fileOperations":11,"externalRequests":11,"nonceChecks":78,"capabilityChecks":69,"bundledLibraries":168},[],{"prepared":78,"raw":11,"locations":164},[],{"escaped":166,"rawEcho":11,"locations":167},91,[],[],[],{"summary":171,"deductions":172},"The 'site-grid-connector' plugin version 7.0 exhibits an excellent security posture based on the provided static analysis. The complete absence of identified attack vectors such as unprotected AJAX handlers, REST API routes, shortcodes, or cron events, combined with the robust implementation of security best practices like 100% proper output escaping, prepared SQL statements, and the presence of nonce and capability checks, suggests a diligently developed and secure plugin. The lack of any recorded vulnerabilities, past or present, further reinforces this assessment, indicating a history of responsible security management.  
While the current analysis shows no specific flaws, a perpetually low attack surface and a clean vulnerability history should be seen as a strong positive, though vigilance for future updates remains paramount.",[],"2026-04-16T14:07:57.583Z",{"wat":175,"direct":180},{"assetPaths":176,"generatorPatterns":177,"scriptPaths":178,"versionParams":179},[],[],[],[],{"cssClasses":181,"htmlComments":182,"htmlAttributes":183,"restEndpoints":190,"jsGlobals":194,"shortcodeOutput":195},[],[],[184,185,186,187,188,189],"readonly","value","style","width:100%; max-width:700px;","width:100%;","margin-top:8px;",[191,192,193],"\u002Fwp-json\u002Fwp-sg\u002Fv1\u002Flogin","\u002Fwp-json\u002Fwp-sg\u002Fv1\u002Fstatus","\u002Fwp-json\u002Fwp-sg\u002Fv1\u002Ffull-sync",[],[],{"error":197,"url":198,"statusCode":199,"statusMessage":200,"message":200},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fsite-grid-connector\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":78,"versions":202},[203],{"version":6,"download_url":23,"svn_tag_url":204,"released_at":25,"has_diff":205,"diff_files_changed":206,"diff_lines":25,"trac_diff_url":25,"vulnerabilities":207,"is_current":197},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsite-grid-connector\u002Ftags\u002F7.0\u002F",false,[],[]]