JWT AuthbyUseful Team

Version: 1.4.1

Create JSON Web Token Authentication in WordPress.

Overall Rating

WordPress Rating

Are you an author of this plugin?

Want to skyrocket the popularity of your plugin and reach millions of eager users? Look no further than WP Hive. Gain credibility through in-depth reviews, drive conversions with targeted email marketing, and boost visibility with strategic social promotion and exposure

Supercharge My Plugin

The plugin has some issues

Sorry, pal! The plugin couldn’t pass all our tests. No hard feelings, right?

Tests done by WP Hive test script Results

Minimal impact on memory usage The memory usage of this plugin is less than the average memory usage of other plugins on WordPress.org + 200KB. Check FAQ for more.
Minimal impact on pagespeed The impact of this plugin on PageSpeed is less than the average impact of other plugins on WordPress.org + 1000 milliseconds
No PHP errors, warning, notices WP Hive automated test found no PHP error while activating this plugin on our server
No Javascript issues WP Hive automated test found no JavaScrip error while activating this plugin on our server
Latest PHP 7.2.16 compatible WP Hive automated test found the plugin fully compatible with the latest version of PHP
Latest WordPress 5.4.2 compatible WP Hive automated test found the plugin fully compatible with the latest version of WordPress
Optimized database footprint The plugin creates less than 50 database tables
No activation errors WP Hive automated test found no activation error while activating this plugin on our server
No resource errors WP Hive automated test found no resource error/s while trying this plugin on our server
Frequently updated The plugin was not updated at least once in the last 90 days

All the plugins are tested on the same server with exactly same configuration via test script that automatically activates and logs the data WP Hive shows.

All the scripts run on a VPS with 8 CPU cores and 8 GB of RAM.
The test sites are hosted on Google Cloud VM instances, one site/plugin per instance. The machine type is n1-standard-1. The server is a 8 core CPU with 8GB of RAM.
The test sites are hosted on Apache/2 server and they are tested on PHP 7.2.16 & WordPress 5.4.2.
The database server is MySQL 8.0.15 and the default PHP memory limit is 256MB.

72K

Total Downloads

6K

Active Installation

5 years

On WordPress

0.0%

Growth Rate

4

Support Thread

22

Ratings on WordPress

00

Downloads This Week

00

Ago Last Updated

Download Plugin Plugin Website

Try the plugin inside WordPress

Disclosure: When you buy through affiliate links on this site, WP Hive may earn a commission which
we use to keep the site running. Learn more →

About JWT Auth

Description

WordPress JSON Web Token Authentication allows you to do REST API authentication via token. It is a simple, non-complex, and easy to use. This plugin probably is the most convenient way to do JWT Authentication in WordPress. Enable PHP HTTP Authorization Header Shared Hosts Most shared hosts have disabled the HTTP Authorization Header by default. To enable this option you’ll....

WordPress JSON Web Token Authentication allows you to do REST API authentication via token. It is a simple, non-complex, and easy to use.

This plugin probably is the most convenient way to do JWT Authentication in WordPress.

Enable PHP HTTP Authorization Header

Shared Hosts

Most shared hosts have disabled the HTTP Authorization Header by default.

To enable this option you’ll need to edit your .htaccess file by adding the following:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

WPEngine

To enable this option you’ll need to edit your .htaccess file by adding the following (see this issue):

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

Configuration

Configurate the Secret Key

The JWT needs a secret key to sign the token. This secret key must be unique and never be revealed.

To add the secret key, edit your wp-config.php file and add a new constant called JWT_AUTH_SECRET_KEY.

define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');

You can use a string from here

Configurate CORs Support

This plugin has the option to activate CORs support.

To enable the CORs Support edit your wp-config.php file and add a new constant called JWT_AUTH_CORS_ENABLE

define('JWT_AUTH_CORS_ENABLE', true);

Namespace and Endpoints

When the plugin is activated, a new namespace is added.

/jwt-auth/v1

Also, two new POST endpoints are added to this namespace.

/wp-json/jwt-auth/v1/token
/wp-json/jwt-auth/v1/token/validate

Requesting/ Generating Token

/wp-json/jwt-auth/v1/token

To generate token, submit a POST request to this endpoint. With username and password as the parameters.

It will validates the user credentials, and returns success response including a token if the authentication is correct or returns an error response if the authentication is failed.

Sample of success response when trying to generate token:

{
    "success": true,
    "statusCode": 200,
    "code": "jwt_auth_valid_credential",
    "message": "Credential is valid",
    "data": {
        "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw",
        "id": 1,
        "email": "[email protected]",
        "nicename": "contactjavas",
        "firstName": "Bagus Javas",
        "lastName": "Heruyanto",
        "displayName": "contactjavas"
    }
}

Sample of error response when trying to generate token:

{
    "success": false,
    "statusCode": 403,
    "code": "invalid_username",
    "message": "Unknown username. Check again or try your email address.",
    "data": []
}

Once you get the token, you must store it somewhere in your application. It can be:
– using cookie
– or using localstorage
– or using a wrapper like localForage or PouchDB
– or using local database like SQLite or Hive
– or your choice based on app you develop 😉

Then you should pass this token as Bearer Authentication header to every API call. The header format is:

Authorization: Bearer your-generated-token

and here’s an example:

"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw";

The jwt-auth will intercept every call to the server and will look for the authorization header, if the authorization header is present, it will try to decode the token and will set the user according with the data stored in it.

If the token is valid, the API call flow will continue as always.

Whitelisting Endpoints

Every call to the server (except the token creation) will be intercepted. However, you might need to whitelist some endpoints. You can use jwt_auth_whitelist filter to do it. E.g:

add_filter( 'jwt_auth_whitelist', function ( $endpoints ) {
    return array(
        '/wp-json/custom/v1/webhook/*',
        '/wp-json/custom/v1/otp/*',
        '/wp-json/custom/v1/account/check',
        '/wp-json/custom/v1/register',
    );
} );

Validating Token

You likely don’t need to validate the token your self. The plugin handle it for you like explained above.

But if you want to test or validate the token manually, then send a POST request to this endpoint (don’t forget to set your Bearer Authorization header):

/wp-json/jwt-auth/v1/token/validate

Valid Token Response:

{
    "success": true,
    "statusCode": 200,
    "code": "jwt_auth_valid_token",
    "message": "Token is valid",
    "data": []
}

Errors

If the token is invalid an error will be returned. Here are some samples of errors:

No Secret Key

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_bad_config",
    "message": "JWT is not configurated properly.",
    "data": []
}

No HTTP_AUTHORIZATION Header

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_no_auth_header",
    "message": "Authorization header not found.",
    "data": []
}

Bad Iss

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_bad_iss",
    "message": "The iss do not match with this server.",
    "data": []
}

Invalid Signature

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_invalid_token",
    "message": "Signature verification failed",
    "data": []
}

Bad Request

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_bad_request",
    "message": "User ID not found in the token.",
    "data": []
}

User Not Found

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_user_not_found",
    "message": "User doesn't exist",
    "data": []
}

Expired Token

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_invalid_token",
    "message": "Expired token",
    "data": []
}

Available Hooks

JWT Auth is developer friendly and has some filters available to override the default settings.

jwt_auth_cors_allow_headers

The jwt_auth_cors_allow_headers allows you to modify the available headers when the CORs support is enabled.

Default Value:

'X-Requested-With, Content-Type, Accept, Origin, Authorization'

jwt_auth_iss

The jwt_auth_iss allows you to change the value before the payload is encoded to be a token.

Default Value:

get_bloginfo( 'url' )

jwt_auth_not_before

The jwt_auth_not_before allows you to change the value before the payload is encoded to be a token.

Default Value:

// Creation time.
time()

jwt_auth_expire

The jwt_auth_expire allows you to change the value before the payload is encoded to be a token.

Default Value:

time() + (DAY_IN_SECONDS * 7)

jwt_auth_alg

The jwt_auth_alg allows you to change the supported signing algorithm for your application.

Default Value:

'HS256'

jwt_auth_payload

The jwt_auth_payload allows you to modify all the payload / token data before being encoded and signed.

Default value:

 get_bloginfo('url'),
    'iat' => $issued_at,
    'nbf' => $not_before,
    'exp' => $expire,
    'data' => array(
        'user' => array(
            'id' => $user->ID,
        )
    )
);

jwt_auth_valid_credential_response

The jwt_auth_valid_credential_response allows you to modify the valid credential response when generating a token.

Default value:

 true,
    'statusCode' => 200,
    'code'       => 'jwt_auth_valid_credential',
    'message'    => __( 'Credential is valid', 'jwt-auth' ),
    'data'       => array(
        'token'       => $token,
        'id'          => $user->ID,
        'email'       => $user->user_email,
        'nicename'    => $user->user_nicename,
        'firstName'   => $user->first_name,
        'lastName'    => $user->last_name,
        'displayName' => $user->display_name,
    ),
);

jwt_auth_valid_token_response

The jwt_auth_valid_token_response allows you to modify the valid token response when validating a token.

Default value:

 true,
        'statusCode' => 200,
        'code'       => 'jwt_auth_valid_token',
        'message'    => __( 'Token is valid', 'jwt-auth' ),
        'data'       => array(),
    )
);

Usage example:

add_filter('jwt_auth_valid_token_response', function ($response, $user, $token, $payload) {
    // Modify the response here.
    return $response;
}, 10, 4);

Credits

PHP-JWT from firebase
JWT Authentication for WP REST API

Explore all plugins from Useful Team

Performance

Memory Usage

Average memory usage is2.75 KB
This is less than99%plugins

Page Speed

Average page loading time is increased by 0.07 s
This is faster than99%plugins

Speed Test Benchmark Learn more how we collect the data

Before plugin activation
After plugin activation

Benchmark

Change

Average Change

+ 0.07s

/(front page)

- 0.05s

/wp-admin/edit-comments.php

- 0.09s

/wp-admin/edit-tags.php?taxonomy=category

- 0.17s

/wp-admin/edit.php

- 0s

/wp-admin/index.php

- 0.04s

/wp-admin/media-new.php

- 0.04s

/wp-admin/options-discussion.php

- 0.1s

/wp-admin/options-writing.php

- 0.03s

/wp-admin/post-new.php

+ 0.33s

/wp-admin/post-new.php?post_type=page

+ 1s

/wp-admin/upload.php

- 0.07s

MoreLess

Memory Usage Benchmark Learn more how we collect the data

Before plugin activation
After plugin activation

Benchmark

Change

Average Change

+ 2.75KB

/ (front page)

- 11.98KB

/wp-admin/edit-comments.php

+ 2.34KB

/wp-admin/edit-tags.php?taxonomy=category

+ 2.48KB

/wp-admin/edit.php

+ 1.48KB

/wp-admin/index.php

+ 2.48KB

/wp-admin/media-new.php

+ 9.36KB

/wp-admin/options-discussion.php

+ 9.4KB

/wp-admin/options-writing.php

- 2.34KB

/wp-admin/post-new.php

+ 4.25KB

/wp-admin/post-new.php?post_type=page

+ 3.4KB

/wp-admin/upload.php

+ 9.34KB

MoreLess

Stats

Download Statistics

Plugin Version Usage

Database Tables

The plugin has added 0 additional options to your WordPress.

WP-Options

The plugin has added 0 additional options to your WordPress website.

Errors

Frequently Updated

The plugin has not been updated in the last 90 days.

Read more how WP Hive determines this data.

Show Off Your Plugin

PHP 7.2.16

WP 5.4.2

PHP 7.2.16 WP 5.4.2

Love using this plugin?

Why don’t you compare the plugin side by side
with another plugin

Start Comparing

Are you an author of this plugin?

Supercharge My Plugin

Like what you see?

Subscribe to get more quality reviews and articles.

Be Part of the Conversation with WordPress Enthusiasts

Using JWT Auth? Great, join the conversation now!

Let’s talk about overall quality, ease of use, stellar support, unbeatable value, and the amazing experience JWT Auth brings to you.

JWT AuthbyUseful Team

Version : 1.4.1

Are you an author of this plugin?

The plugin has some issues

72K

6K

5 years

0.0%

4

22

00

00

Deploy lightning fast ️ WordPress sites on your own server in minutes.

Get Started for Free

Subscribe to our newsletter

About JWT Auth

Description

Enable PHP HTTP Authorization Header

Shared Hosts

WPEngine

Configuration

Configurate the Secret Key

Configurate CORs Support

Namespace and Endpoints

Requesting/ Generating Token

Sample of success response when trying to generate token:

Sample of error response when trying to generate token:

Whitelisting Endpoints

Validating Token

Valid Token Response:

Errors

No Secret Key

No HTTP_AUTHORIZATION Header

Bad Iss

Invalid Signature

Bad Request

User Not Found

Expired Token

Available Hooks

jwt_auth_cors_allow_headers

jwt_auth_iss

jwt_auth_not_before

jwt_auth_expire

jwt_auth_alg

jwt_auth_payload

jwt_auth_valid_credential_response

jwt_auth_valid_token_response

Credits

Explore all plugins from Useful Team

Performance

Memory Usage

Page Speed

<img width="67" height="67" loading="lazy" src="https://wphive.com/wp-content/themes/twenty20-child-wphive-main/assets/images/pluginReport/speed-test-bm.png" alt=""> Speed Test Benchmark Learn more how we collect the data

Pages

Benchmark

Change

<img width="67" height="67" loading="lazy" src="https://wphive.com/wp-content/themes/twenty20-child-wphive-main/assets/images/pluginReport/memory-usage-bm.png" alt="Memory Usage"> Memory Usage Benchmark Learn more how we collect the data

Pages

Benchmark

Change

<img width="81" height="81" loading="lazy" src="https://wphive.com/wp-content/themes/twenty20-child-wphive-main/assets/images/pluginReport/stats-image.svg" alt="Stats"> Stats

Download Statistics

Plugin Version Usage

<img width="53" height="53" loading="lazy" src="https://wphive.com/wp-content/themes/twenty20-child-wphive-main/assets/images/pluginReport/more-icon.png" alt="Stats"> More

Database Tables

WP-Options

Errors

Frequently Updated

Show Off Your Plugin

PHP 7.2.16

WP 5.4.2

<img width="156" height="42" class="inline-block" src="https://wphive.com/wp-content/themes/twenty20-child-wphive-main/assets/images/pluginReport/hive-logo-color.png" alt="Logo">

Love using this plugin?

Are you an author of this plugin?

Like what you see?

Be Part of the Conversation with WordPress Enthusiasts

Using JWT Auth? Great, join the conversation now!

Changelog

Please Allow Us A Moment Before You Go

<img src="https://wphive.com/wp-content/themes/twenty20-child-wphive-main/assets/images/subscription-form/icon.png" width="20" alt="Icon"> Email Subscription Request

Deploy lightning fast ️
WordPress sites on your own
server in minutes.

Speed Test Benchmark Learn more how we collect the data

Memory Usage Benchmark Learn more how we collect the data

Stats

More

Please Allow Us A
Moment Before You Go

Email Subscription Request