Comparison
Free Plugin vs Pro: Basic Auth vs Complete Management
Both add JWT to WordPress. The difference is what happens after the token is issued.
Stay on free if you only need to generate and validate tokens for a small project. Upgrade to Pro if you need to inspect, refresh, revoke, audit, and rate-limit tokens in production — from the WP admin, without custom code.
Basic JWT Authentication
Add login via JSON Web Tokens.
Token Generation
Issue access tokens on successful auth.
Token Validation
Verify token integrity on each request.
Token Refresh
Secure refresh with 64-char tokens and replay attack prevention.
Instant Revocation
Revoke compromised sessions immediately.
Token Dashboard
See every active token, owner, expiry, and last activity.
Auto-Revoke on Password Change
All sessions killed when a password is compromised.
Auto-Revoke on Email/Role Change
Sessions invalidated on identity or permission changes.
Analytics Dashboard
Success/failure rates, response times, 7d/30d/90d history.
GeoIP Tracking
Country detection from IP via MaxMind GeoLite2.
Rate Limiting
IP-based, 60 req/min default, configurable, HTTP 429 responses.
Security Headers
Automatic HSTS, X-Frame-Options, X-Content-Type-Options, XSS-Protection.
Token Family Tracking
Detects refresh token replay attacks by tracking token lineage.
All Settings via WordPress UI
No wp-config.php editing required.
Configurable Signing Algorithms
HS256, RS256, ES256, EdDSA and more — from the UI.
IP Anonymization
GDPR-compliant option to anonymize stored IP addresses.
Data Retention Policies
Configurable 1–365 day retention for analytics and token data.
Priority Support
Direct help from the developer.
Detailed Documentation
Guides, examples, and best practices.
30+ Developer Hooks & Filters
Actions and filters for deep integration.
| Feature | WP.org version | JWT Auth Pro |
|---|---|---|
| Core Authentication | ||
Basic JWT Authentication Add login via JSON Web Tokens. | Included in WP.org version | Included in JWT Auth Pro |
Token Generation Issue access tokens on successful auth. | Included in WP.org version | Included in JWT Auth Pro |
Token Validation Verify token integrity on each request. | Included in WP.org version | Included in JWT Auth Pro |
| Token Management | ||
Token Refresh Secure refresh with 64-char tokens and replay attack prevention. | Not included in WP.org version | Included in JWT Auth Pro |
Instant Revocation Revoke compromised sessions immediately. | Not included in WP.org version | Included in JWT Auth Pro |
Token Dashboard See every active token, owner, expiry, and last activity. | Not included in WP.org version | Included in JWT Auth Pro |
Auto-Revoke on Password Change All sessions killed when a password is compromised. | Not included in WP.org version | Included in JWT Auth Pro |
Auto-Revoke on Email/Role Change Sessions invalidated on identity or permission changes. | Not included in WP.org version | Included in JWT Auth Pro |
| Visibility & Security | ||
Analytics Dashboard Success/failure rates, response times, 7d/30d/90d history. | Not included in WP.org version | Included in JWT Auth Pro |
GeoIP Tracking Country detection from IP via MaxMind GeoLite2. | Not included in WP.org version | Included in JWT Auth Pro |
Rate Limiting IP-based, 60 req/min default, configurable, HTTP 429 responses. | Not included in WP.org version | Included in JWT Auth Pro |
Security Headers Automatic HSTS, X-Frame-Options, X-Content-Type-Options, XSS-Protection. | Not included in WP.org version | Included in JWT Auth Pro |
Token Family Tracking Detects refresh token replay attacks by tracking token lineage. | Not included in WP.org version | Included in JWT Auth Pro |
| Configuration & Compliance | ||
All Settings via WordPress UI No wp-config.php editing required. | Not included in WP.org version | Included in JWT Auth Pro |
Configurable Signing Algorithms HS256, RS256, ES256, EdDSA and more — from the UI. | Not included in WP.org version | Included in JWT Auth Pro |
IP Anonymization GDPR-compliant option to anonymize stored IP addresses. | Not included in WP.org version | Included in JWT Auth Pro |
Data Retention Policies Configurable 1–365 day retention for analytics and token data. | Not included in WP.org version | Included in JWT Auth Pro |
| Support & Developer Tools | ||
Priority Support Direct help from the developer. | Not included in WP.org version | Included in JWT Auth Pro |
Detailed Documentation Guides, examples, and best practices. | Not included in WP.org version | Included in JWT Auth Pro |
30+ Developer Hooks & Filters Actions and filters for deep integration. | Not included in WP.org version | Included in JWT Auth Pro |
Ready to upgrade from basic auth to complete API management?
Why teams upgrade
Six reasons developers move from free to Pro
“I need refresh tokens.”
Keep users logged in without storing passwords. Secure 64-character refresh tokens with family tracking detect replay attacks automatically.
Token Refresh + Replay Detection
“I need to revoke any token instantly.”
Revoke any token in a single click. Stop a compromised session from hitting your API before the next request lands.
Instant Revocation
“I need automatic protection on credential changes.”
Tokens auto-revoke when a user changes their password, email, or role — so one leaked credential never leaves the API wide open.
Auto-Revoke Rules
“I need to see every token at a glance.”
Every active token in one dashboard — owner, expiry, last activity, country of origin. No more guessing which app still holds a session.
Token Dashboard + GeoIP
“I need API analytics and rate limiting.”
Success and failure rates, response times, 7/30/90-day windows. Built-in IP rate limiting and automatic security headers on every response.
Analytics + Rate Limiting
“I need a UI instead of custom code.”
Drop your secret key into wp-config.php once. Everything else — signing algorithm, token lifetime, CORS, retention policy — lives in WordPress admin instead of code.
Configuration via WP Admin
Features
Not Just Authentication. Complete Token Control.
Token Dashboard
Every active token in one view — who owns it, when it was issued, when it expires, last activity. Revoke any token with one click.
Token management
Manage authentication tokens for API access and service integrations.
Usage Analytics
Authentication events, success and failure rates, response times, geographic distribution. Choose 7-day, 30-day, or 90-day windows.
Custom Claims
Add custom claims to JWT tokens using WordPress filters
add_filter('jwt_auth_token_before_sign', function($token, $user) {
$token['customer_type'] = get_user_meta($user->ID, 'customer_type', true);
$token['loyalty_points'] = get_user_meta($user->ID, 'loyalty_points', true);
$token['preferred_currency'] = get_user_meta($user->ID, 'currency', true);
$token['customer_id'] = get_user_meta($user->ID, 'customer_id', true);
$token['customer_email'] = get_user_meta($user->ID, 'customer_email', true);
return $token;
}, 10, 2);Automatic Revocation Policies
Tokens auto-revoke on password change, email change, or role change. One compromised account doesn’t mean open API access.
Security Audit Trail
Complete compliance logging with full context
Rate Limiting & Security Headers
IP-based rate limiting at 60 req/min (configurable), automatic HSTS, X-Frame-Options, and XSS protection headers. No nginx config required.
Admin Configuration Interface
All settings are managed through the admin interface.
Complete Features Overview
Explore all the features that make JWT Authentication Pro the most comprehensive authentication solution for WordPress. Each feature is designed with security, performance, and developer experience in mind.
Authentication & Token Management
Professional JWT Token Creation
Industry-standard JWT tokens with configurable expiration (minutes to years)
Multiple Signing Algorithms
Support for HS256, RS256, and all Firebase JWT library algorithms
Token Payload Customization
Add custom user data and claims to JWT token payload
Multi-Layer Token Validation
Signature, expiration, issuer, and revocation checks
Bearer Token Support
Standard Authorization header parsing
Secure Token Hashing
All tokens hashed with WordPress security functions before storage
Secure Refresh Tokens
Cryptographically secure refresh token generation
Independent Expiration Control
Separate expiration settings for JWT and refresh tokens (default 30 days)
Token Rotation
Automatic token rotation with family relationship maintenance
| Authentication & Token Management | |
Professional JWT Token Creation | Industry-standard JWT tokens with configurable expiration (minutes to years) |
Multiple Signing Algorithms | Support for HS256, RS256, and all Firebase JWT library algorithms |
Token Payload Customization | Add custom user data and claims to JWT token payload |
Multi-Layer Token Validation | Signature, expiration, issuer, and revocation checks |
Bearer Token Support | Standard Authorization header parsing |
Secure Token Hashing | All tokens hashed with WordPress security functions before storage |
Secure Refresh Tokens | Cryptographically secure refresh token generation |
Independent Expiration Control | Separate expiration settings for JWT and refresh tokens (default 30 days) |
Token Rotation | Automatic token rotation with family relationship maintenance |
What everyone is saying
60,000+ Sites Trust Our Authentication
Implementation
Add JWT Authentication in Minutes. Manage It Forever.
Generate Token
Authenticate users and issue JWT tokens with a single API call. Receive both user details and tokens in one seamless response.
Validate Token
Ensure robust security with built-in JWT validation. Verify token signatures and claims to confirm authenticity and expiration status.
Refresh Token
Keep users seamlessly authenticated while maintaining strong security. Automatically manage token expiration and renewal.
What happens after purchase
From checkout to live token dashboard in minutes
- STEP 01
Install Pro
Download the Pro zip from your account and upload it through Plugins → Add New in WordPress.
- STEP 02
Activate your license
Paste your license key once. Local and staging installs don’t count against the quota — develop freely.
- STEP 03
Configure JWT
Drop your secret key into
wp-config.phponce. Then pick signing algorithm, token lifetime, CORS, and retention policy from the WordPress admin UI. - STEP 04
Enable Pro features
Toggle the features you need — refresh tokens, auto-revoke rules, analytics, rate limiting. Each one is a single checkbox.
- STEP 05
Verify in the token dashboard
Hit your API. Watch tokens appear live with owner, expiry, IP, and country. Confirm success/failure analytics within minutes.
- STEP 06
14-day compatibility safety net
Hit a snag? Email support reaches the plugin author directly. If we can't make Pro work on your stack, you get a refund — no debate.
Pricing
Simple, site-based pricing — every plan is full Pro.
Every plan ships with the complete Pro feature set — token dashboard, refresh, revocation, analytics, rate limiting. Pick the plan by how many sites you need to secure: single site, small team (5 sites), or agency (20 sites).
14-day compatibility guarantee. Local and staging installs don't count against your license. One payment, no upsells inside the plugin.
Professional Single Site
Ideal for individual WordPress sites requiring robust, professional-grade API authentication solutions.
USD
per year
Features:
- 1 site
- Token Management Dashboard
- Token Refresh with Replay Detection
- Instant & Auto Revocation
- Usage Analytics (7d/30d/90d)
- Rate Limiting & Security Headers
- GeoIP Tracking
- All Settings via UI — No wp-config.php
- IP Anonymization & Data Retention
- 30+ Developer Hooks & Filters
- Priority Support
Professional Team (5 Sites)
Secure and manage multiple WordPress sites with ease—perfect for teams and small businesses.
USD
per year
Features:
- Up to 5 sites
- Token Management Dashboard
- Token Refresh with Replay Detection
- Instant & Auto Revocation
- Usage Analytics (7d/30d/90d)
- Rate Limiting & Security Headers
- GeoIP Tracking
- All Settings via UI — No wp-config.php
- IP Anonymization & Data Retention
- 30+ Developer Hooks & Filters
- Priority Support
Professional Agency (20 Sites)
Comprehensive API security tailored for agencies and developers managing multiple client sites.
USD
per year
Features:
- Up to 20 sites
- Token Management Dashboard
- Token Refresh with Replay Detection
- Instant & Auto Revocation
- Usage Analytics (7d/30d/90d)
- Rate Limiting & Security Headers
- GeoIP Tracking
- All Settings via UI — No wp-config.php
- IP Anonymization & Data Retention
- 30+ Developer Hooks & Filters
- Priority Support
- White-labeling
14-day compatibility guarantee — every plan, every billing option.
If Pro can't run on your stack and our support team can't make it work, you get a refund. Local and staging installs are free — they don't count against your license quota.
Note: JWT Authentication Pro requires PHP 8.1 or higher
Common Questions
Get the answers you need
- What does Pro do that the free plugin does not?
The free plugin issues and validates JWT tokens — that is it. Pro adds the production layer most teams build by hand: a token dashboard (every active token with owner, expiry, last activity, and country), refresh tokens with replay-attack detection, instant and automatic revocation, an analytics dashboard with success/failure rates over 7/30/90 days, IP-based rate limiting, automatic security headers, configurable signing algorithms, and GDPR-friendly data retention. Aside from the JWT secret key in wp-config.php, every Pro setting is managed from the WordPress admin UI.
- Does this plugin work out of the box?
Yes. When you install JWT Authentication Pro, a professional JWT authentication layer is added on top of the WordPress REST API. You can create, validate, refresh, and revoke JWT tokens for your WordPress users so they can authenticate from mobile apps, SPAs, or any external system. You will still need to implement the calling logic in those clients — Pro provides the authentication infrastructure and management layer; the client-side request code is up to you.
- What happens if Pro does not work on my setup?
Every plan includes a 14-day compatibility guarantee. Open a support ticket and we work the issue with you directly. If Pro genuinely cannot run on your stack and we cannot resolve it, you get a refund (payment processor fees, typically 3–5%, are deducted). You must work with support first before requesting the refund — most "incompatibility" reports turn out to be solvable in a single email exchange.
- Does an installation on a local environment count as a site for my license?
No. Local and staging environments do not count against your license quota. Develop and test Pro on as many local and staging installs as you need. The license activates only when you deploy to a production server.
- Do you offer lifetime access?
Yes. Every plan has both a yearly and a lifetime option. Lifetime is a one-time payment for unlimited future use of the version line you purchase, including all updates and support during the support window. Pricing is shown above — toggle between yearly and lifetime on the pricing cards.
- Do you offer a free trial?
No traditional free trial — but the 14-day compatibility guarantee functions as one for the only risk that matters: whether Pro runs on your specific stack. Install, configure, exercise it against your API. If it cannot be made to work and our support team confirms it, you get a refund.
- What are the system requirements for JWT Authentication Pro?
JWT Authentication Pro requires PHP 8.1 or higher and WordPress 5.0 or higher with the REST API enabled. You will need to add your JWT secret key to wp-config.php once during setup — all other configuration (signing algorithm, token lifetime, CORS, retention policies, etc.) is managed through the WordPress admin UI. Your server needs the HTTP Authorization header enabled.
- How does the token refresh mechanism work?
When a user authenticates, they receive an access token and a refresh token. The access token expires after a configurable period (default 7 days) and is used for API requests. When it expires, the client uses the refresh token (valid for 30 days by default) to obtain a new access token without re-prompting the user. Refresh tokens are 64 characters, tracked as a family, and detect replay attacks automatically.
- What happens to tokens when a user changes their password, email, or role?
By default, all tokens for that user are automatically revoked on password, email, or role change. This protects you from leaked credentials remaining valid after a reset. Each auto-revoke rule can be toggled on or off independently, and you can customize behavior further using filters.
- Can I track and analyze JWT usage?
Yes. JWT Authentication Pro ships with an analytics dashboard that tracks authentication attempts, success and failure rates, response times, active users, and geographic distribution (via MaxMind GeoLite2). You can scope the view to the last 7, 30, or 90 days and configure how long raw data is retained.
- What signing algorithms are supported?
The plugin supports HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, and EdDSA. You can choose your algorithm through the settings UI or via the jwt_auth_algorithm filter.
- How can I customize token claims and validation rules?
Use the jwt_auth_token_before_sign and jwt_auth_token_before_dispatch filters to modify token claims and response payloads. Pro also provides an admin interface for configuring custom validation rules, token lifetime, and security policies — so most adjustments do not require code.
- How do I handle CORS in my application?
CORS support is enabled in the plugin settings. The plugin provides filters to customize CORS headers and origins to match your application’s needs.
- Is JWT Authentication Pro a Single Sign-On (SSO) system?
No, JWT Authentication Pro is not an SSO solution. It does not integrate with external identity providers like Google, Microsoft, or SAML systems. It is specifically designed to add token-based authentication to the WordPress REST API for external applications, not for cross-platform single sign-on.
- Does this plugin replace WordPress user management or login system?
No, JWT Authentication Pro does not replace WordPress's built-in user authentication system. It does not handle user registration, password resets, or traditional WordPress login pages. It adds token-based authentication specifically for API access while keeping all existing WordPress functionality intact.
- Can I use this for regular WordPress website sessions?
No. JWT Authentication Pro is not designed for managing regular WordPress website sessions or cookie-based authentication. It is specifically built for stateless, token-based API authentication used by external applications like mobile apps, SPAs, or headless WordPress setups.
- Is this a general website security plugin?
No, JWT Authentication Pro is not a general security plugin like Wordfence or Sucuri. It does not protect against malware, secure login pages, or provide general website security features. Its security features are specifically designed for protecting API endpoints and managing token-based authentication.
- Who is behind JWT Authentication Pro?
JWT Authentication Pro is developed by Enrique Chavez (@tmeister), a full-stack developer focused on WordPress and open-source technologies. Enrique has contributed to the WordPress ecosystem for years, creating plugins and tools that help developers build more efficiently. JWT Authentication Pro is designed to be simple, flexible, and developer-friendly.