Authentication
WordPress REST API Authentication That Actually Works

Features
Not Just Authentication. Complete Token Control.
Token Dashboard
See every active token, who owns it, when it was created, last used, and revoke access instantly when needed.
Token management
Manage authentication tokens for API access and service integrations.
Usage Analytics
Track authentication patterns, API usage, failed attempts, and geographic data—complete visibility into how your API is being used.
Custom Claims
Add custom claims to JWT tokens using WordPress filters. The callback below runs on the jwt_auth_token_before_sign filter, receives the claims array and the authenticated user, and returns the extended claims array that is then signed:

```php
// Extend the JWT payload before it is signed. $token is the claims array,
// $user is the authenticated WP_User; the callback must return the claims array.
add_filter('jwt_auth_token_before_sign', function ($token, $user) {
    $token['customer_type']      = get_user_meta($user->ID, 'customer_type', true);
    $token['loyalty_points']     = get_user_meta($user->ID, 'loyalty_points', true);
    $token['preferred_currency'] = get_user_meta($user->ID, 'currency', true);
    $token['customer_id']        = get_user_meta($user->ID, 'customer_id', true);
    $token['customer_email']     = get_user_meta($user->ID, 'customer_email', true);
    return $token;
}, 10, 2); // priority 10; the callback accepts two arguments ($token, $user)
```
Instant Revocation
One-click token revocation, automatic revocation on password changes, and emergency access controls when security incidents occur.
Security Audit Trail
Complete compliance logging with full context
Automatic Security
Configurable token expiration, automatic refresh tokens, rate limiting controls, and security policies that protect without intervention.
Admin Configuration Interface
All settings are managed through the admin interface.
Complete Features Overview
Explore all the features that make JWT Authentication Pro the most comprehensive authentication solution for WordPress. Each feature is designed with security, performance, and developer experience in mind.
Authentication & Token Management

Feature | Description |
---|---|
Professional JWT Token Creation | Industry-standard JWT tokens with configurable expiration (minutes to years) |
Multiple Signing Algorithms | Support for HS256, RS256, and all Firebase JWT library algorithms |
Token Payload Customization | Add custom user data and claims to JWT token payload |
Multi-Layer Token Validation | Signature, expiration, issuer, and revocation checks |
Bearer Token Support | Standard Authorization header parsing |
Secure Token Hashing | All tokens hashed with WordPress security functions before storage |
Secure Refresh Tokens | Cryptographically secure refresh token generation |
Independent Expiration Control | Separate expiration settings for JWT and refresh tokens (default 30 days) |
Token Rotation | Automatic token rotation with family relationship maintenance |
What everyone is saying
60,000+ Sites Trust Our Authentication
Implementation
Add JWT Authentication in Minutes. Manage It Forever.
Generate Token
Authenticate users and issue JWT tokens with a single API call. Receive both user details and tokens in one seamless response.
Validate Token
Ensure robust security with built-in JWT validation. Verify token signatures and claims to confirm authenticity and expiration status.
Refresh Token
Keep users seamlessly authenticated while maintaining strong security. Automatically manage token expiration and renewal.
Education
What is JWT and why it's vital for your WordPress REST API
What is JWT?
JWT (JSON Web Token) is a compact, URL-safe format for transmitting signed authentication and authorization claims between two parties. Each token consists of three base64url-encoded parts separated by dots: a header, which declares the token type and the signing algorithm; a payload, which carries the claims (user ID, expiration, issuer, and any custom data); and a signature over the first two parts, which lets the receiving side verify that the token was issued by the holder of the signing key and has not been altered. Once a user is authenticated, a JWT is issued and presented on subsequent requests to protected API endpoints, so credentials do not have to be sent again.
In the context of the WordPress REST API, JWT provides an efficient solution for managing secure interactions between your WordPress site and external applications or services. Unlike traditional session-based authentication methods, JWT is stateless, eliminating the need for server-side session storage. This approach reduces server load, simplifies scaling, and enables seamless integration with modern web and mobile applications. By leveraging JWT, developers can enhance the security and performance of their WordPress REST API, ensuring that only authorized users can access critical data and functionality.
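The following Python is an added illustration, not code from the plugin or its author: it mints a token with the three-part structure described above and then applies the layers listed under "Multi-Layer Token Validation" (signature, expiration, issuer, revocation), with the revocation list holding only a hash of each token in the spirit of "Secure Token Hashing". The secret, issuer URL, claims and timestamps are constructed for the example; the real plugin reads its key from wp-config.php.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: stands in for the wp-config.php secret key
ISSUER = "https://example.test"                   # assumption: site URL used as the iss claim


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_fingerprint(token: str) -> str:
    # Store a hash rather than the token itself, so a leaked store does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def verify(token: str, revoked: set, secret: bytes = SECRET, now=None) -> dict:
    """Layered validation: structure, pinned algorithm, signature, issuer, expiry, revocation."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    # The verifier pins the algorithm; the header is never allowed to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if token_fingerprint(token) in revoked:
        raise ValueError("revoked")
    return claims


def _outcome(fn) -> str:
    try:
        fn()
        return "ok"
    except ValueError as err:
        return str(err)


def run_checks() -> dict:
    """Exercise each validation layer on constructed tokens and report which layer rejected them."""
    t0 = 1_700_000_000  # constructed issue time
    claims = {"iss": ISSUER, "sub": "42", "iat": t0, "exp": t0 + 3600, "customer_type": "wholesale"}
    token = mint_hs256(claims)
    revoked = set()
    results = {"valid": verify(token, revoked, now=t0 + 60)["sub"]}
    head, body, sig = token.split(".")
    # Payload edited after signing: the signature no longer matches.
    forged_body = _b64url(json.dumps({**claims, "sub": "1"}, separators=(",", ":")).encode())
    results["tampered"] = _outcome(lambda: verify(f"{head}.{forged_body}.{sig}", revoked, now=t0 + 60))
    # Header rewritten to alg "none" with an empty signature: rejected by the pinned algorithm check.
    none_head = _b64url(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    results["alg_none"] = _outcome(lambda: verify(f"{none_head}.{body}.", revoked, now=t0 + 60))
    results["expired"] = _outcome(lambda: verify(token, revoked, now=t0 + 7200))
    revoked.add(token_fingerprint(token))  # instant revocation: only the hash is stored
    results["revoked"] = _outcome(lambda: verify(token, revoked, now=t0 + 60))
    return results


if __name__ == "__main__":
    print(run_checks())
```

Each check is ordered from cheapest to most expensive, and the revocation lookup runs last so a forged or expired token never touches the store.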
Key Benefits
- Protection: enhanced security
- Flexibility: scalability
- Efficiency: improved performance
- Compatibility: seamless integration
Comparison
Free Plugin vs Pro: Basic Auth vs Complete Management
Feature | Description | WP.org version | JWT Auth Pro |
---|---|---|---|
Core Authentication | | | |
Basic JWT Authentication | Add login via JSON Web Tokens. | Included | Included |
Token Generation | Issue access tokens on successful auth. | Included | Included |
Token Validation | Verify token integrity on each request. | Included | Included |
Advanced Control | | | |
Token Refresh Mechanism | Extend sessions securely with refresh tokens. | Not included | Included |
Instant Revocation | Revoke compromised sessions immediately. | Not included | Included |
See Every Token (Dashboard) | Real-time visibility into active tokens & devices. | Not included | Included |
Visibility & Security | | | |
Analytics & Monitoring | Track usage, anomalies, and trends. | Not included | Included |
Geo-IP Identification | Spot suspicious logins by location. | Not included | Included |
Rate Limiting | Stop abuse & brute force with limits. | Not included | Included |
Auto-Revoke on Changes | Tokens auto-revoke on password/email/role changes. | Not included | Included |
E-commerce Integration | | | |
WooCommerce Support | Secure WooCommerce API endpoints instantly. | Not included | Included |
Customer Token Management | Manage customer API access separately. | Not included | Included |
Support & Developer Tools | | | |
Premium Support | Priority help from the dev team. | Not included | Included |
Detailed Documentation | Guides, examples, and best practices. | Not included | Included |
50+ Developer Hooks | Extend & integrate with your stack. | Not included | Included |
Pricing
Simple, Site-Based Pricing
Professional Single Site
Ideal for individual WordPress sites requiring robust, professional-grade API authentication solutions.
USD
per year
Features:
- 1 site
- Token Refresh Mechanism
- Manual and automatic token revocation
- Premium Support
- Token Management Dashboard
Professional Team (5 Sites)
Secure and manage multiple WordPress sites with ease—perfect for teams and small businesses.
USD
per year
Features:
- Up to 5 sites
- Token Refresh Mechanism
- Manual and automatic token revocation
- Premium Support
- Token Management Dashboard
Professional Agency (20 Sites)
Comprehensive API security tailored for agencies and developers managing multiple client sites.
USD
per year
Features:
- Up to 20 sites
- Token Refresh Mechanism
- Manual and automatic token revocation
- Premium Support
- Token Management Dashboard
- White-labeling
Note: JWT Authentication Pro requires PHP 8.1 or higher
Common Questions
Get the answers you need
- Does this plugin work out of the box?
When you install JWT Authentication Pro, a professional JWT authentication layer is added on top of the WordPress REST API. This enables you to create, validate, and revoke JWT tokens for your WordPress users, allowing them to authenticate and make API requests from external systems, mobile apps, or web applications. However, you will need to implement the authentication logic in those external systems or applications. This plugin provides the JWT authentication infrastructure and advanced token management - the client-side implementation is up to you.
- Is JWT Authentication Pro a Single Sign-On (SSO) system?
No, JWT Authentication Pro is not an SSO solution. It does not integrate with external identity providers like Google, Microsoft, or SAML systems. It is specifically designed to add token-based authentication to the WordPress REST API for external applications, not for cross-platform single sign-on.
- Does this plugin replace WordPress user management or login system?
No, JWT Authentication Pro does not replace WordPress's built-in user authentication system. It does not handle user registration, password resets, or traditional WordPress login pages. It adds token-based authentication specifically for API access while keeping all existing WordPress functionality intact.
- Can I use this for regular WordPress website sessions?
No, JWT Authentication Pro is not designed for managing regular WordPress website sessions or cookie-based authentication. It is specifically built for stateless, token-based API authentication used by external applications like mobile apps, SPAs, or headless WordPress setups.
- Is this a general website security plugin?
No, JWT Authentication Pro is not a general security plugin like Wordfence or Sucuri. It does not protect against malware, secure login pages, or provide general website security features. Its security features are specifically designed for protecting API endpoints and managing token-based authentication.
- What are the system requirements for JWT Authentication Pro?
JWT Authentication Pro requires PHP 8.1 or higher and WordPress 5.0 or higher with REST API enabled. You'll need to configure a secret key in your wp-config.php file and ensure your server has HTTP Authorization Header enabled.
- How does the token refresh mechanism work?
When you authenticate, you receive both an access token and a refresh token. The access token is used for API requests and expires after a configurable period (default 7 days). When it expires, you can use the refresh token (valid for 30 days by default) to obtain a new access token without re-authenticating with username and password.
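The following Python is an added illustration, not the plugin's implementation, of the refresh flow described in this answer together with the "Token Rotation" and "Auto-Revoke on Changes" features listed above. It models a hypothetical server-side token store that keeps only hashes of issued tokens, groups them into families, rotates the refresh token on every use, and treats a replayed (already rotated-out) refresh token as a sign of compromise that retires the whole family. The lifetimes are the page's defaults (7 days access, 30 days refresh); the store layout, the `TokenService` class and its method names are assumptions, and opaque random strings stand in for the JWT access token because the refresh logic does not depend on the token format.

```python
import hashlib
import secrets

ACCESS_TTL = 7 * 24 * 3600    # default access-token lifetime from the page: 7 days
REFRESH_TTL = 30 * 24 * 3600  # default refresh-token lifetime from the page: 30 days


def _fp(token: str) -> str:
    # Only a hash of each token is stored; the plain token lives solely with the client.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """Hypothetical server-side store: token hashes grouped by refresh-token family."""

    def __init__(self, clock):
        self.clock = clock          # injectable clock so expiry can be simulated
        self.access = {}            # fingerprint -> {user, exp, family}
        self.refresh = {}           # fingerprint -> {user, exp, family, used}
        self.dead_families = set()  # families revoked by replay detection or account changes

    def login(self, user: str) -> dict:
        """Successful username/password auth starts a new family and issues a token pair."""
        return self._issue(user, family=secrets.token_hex(8))

    def _issue(self, user: str, family: str) -> dict:
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[_fp(access)] = {"user": user, "exp": now + ACCESS_TTL, "family": family}
        self.refresh[_fp(refresh)] = {"user": user, "exp": now + REFRESH_TTL, "family": family, "used": False}
        return {"access_token": access, "refresh_token": refresh}

    def authenticate(self, access_token: str):
        """Resolve a bearer token to a user, or None if unknown, expired or in a revoked family."""
        rec = self.access.get(_fp(access_token))
        if rec is None or rec["family"] in self.dead_families or self.clock() >= rec["exp"]:
            return None
        return rec["user"]

    def refresh_pair(self, refresh_token: str):
        """Rotate: consume the refresh token and issue a new pair in the same family."""
        rec = self.refresh.get(_fp(refresh_token))
        if rec is None or rec["family"] in self.dead_families or self.clock() >= rec["exp"]:
            return None
        if rec["used"]:
            # A rotated-out refresh token presented again means it or its successor leaked.
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def revoke_family(self, family: str) -> None:
        self.dead_families.add(family)

    def revoke_user(self, user: str) -> None:
        """Analogue of auto-revoke on password/email/role change: every family of the user dies."""
        for rec in list(self.access.values()) + list(self.refresh.values()):
            if rec["user"] == user:
                self.dead_families.add(rec["family"])


def walkthrough() -> dict:
    """Constructed scenario covering expiry, refresh, replay detection and account-change revocation."""
    now = [1_700_000_000]
    svc = TokenService(clock=lambda: now[0])
    first = svc.login("alice")
    out = {"fresh": svc.authenticate(first["access_token"])}
    now[0] += ACCESS_TTL + 1  # access token has expired, refresh token is still valid
    out["expired_access"] = svc.authenticate(first["access_token"])
    second = svc.refresh_pair(first["refresh_token"])
    out["after_refresh"] = svc.authenticate(second["access_token"])
    out["replay"] = svc.refresh_pair(first["refresh_token"])  # old refresh token used twice
    out["family_after_replay"] = svc.authenticate(second["access_token"])
    third = svc.login("alice")
    svc.revoke_user("alice")  # e.g. the user changed their password
    out["after_password_change"] = svc.authenticate(third["access_token"])
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The family identifier is what makes replay detection possible: because every rotated pair inherits it, retiring the family invalidates both the stale refresh token that was replayed and the fresh tokens a legitimate client may still hold, forcing a clean re-login.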
- Can I track and analyze JWT usage?
Yes, JWT Authentication Pro includes a detailed analytics dashboard that tracks authentication attempts, token usage, active users, etc. You can configure retention periods as well.
- What happens to tokens when a user changes their password?
By default, all tokens are automatically revoked when a user changes their password, email, or role. This behavior can be customized using filters. The Pro version gives you granular control over token lifecycle management.
- What signing algorithms are supported?
The plugin supports multiple signing algorithms including HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, and PS512. You can choose and configure your preferred algorithm through settings or using the jwt_auth_algorithm filter.
- How can I customize token claims and validation rules?
You can use filters like jwt_auth_token_before_sign and jwt_auth_token_before_dispatch to modify token claims and data. The Pro version also provides an interface for configuring custom validation rules, token lifetime, and security policies.
- How do I handle CORS in my application?
CORS support can be enabled in the plugin settings. The plugin provides filters to customize CORS headers.
- Do you offer refunds?
Yes, we offer a 14-day compatibility guarantee. Refunds are provided only for unresolvable technical compatibility issues that our support team cannot solve. You must work with our support team first before requesting a refund. Payment processor fees (3-5%) are deducted from approved refunds.
- Do you offer a free trial?
No, we do not offer a free trial. However, we provide a 14-day compatibility guarantee for technical incompatibility issues that our support team cannot resolve.
- Do you offer lifetime access?
Yes, we offer lifetime access to JWT Authentication Pro. You can purchase the plugin once and use it as long as you want.
- Does an installation on a local environment count as a site for my license?
No, a site on a local environment does not count as a site for your license. You can use JWT Authentication Pro on your local environment without any restrictions. However, if you deploy your site to a production server, you will need to activate the license key.
- Who is behind JWT Authentication Pro?
JWT Authentication Pro is developed by Enrique Chavez (@tmeister), a seasoned full-stack developer with a strong focus on WordPress and open-source technologies. Enrique has contributed to the WordPress ecosystem for years, creating plugins and tools that help developers build more efficiently. His commitment to open-source development ensures that his projects, including JWT Authentication Pro, are designed to be simple, flexible, and developer-friendly.