JWT authentication your WordPress API can finally see, control, and manage.

Generate tokens, track who's using them, revoke access instantly. The free plugin handles auth. Pro gives you visibility and control.

View PricingDocumentation

Comparison

Free Plugin vs Pro: Basic Auth vs Complete Management

Both add JWT to WordPress. Pro transforms basic authentication into a managed system with visibility, control, and enterprise features.
WP.org versionFree forever
JWT Auth Prostarts at $59.99/yr
Core Authentication

Basic JWT Authentication

Add login via JSON Web Tokens.

WP.org versionIncluded in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Token Generation

Issue access tokens on successful auth.

WP.org versionIncluded in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Token Validation

Verify token integrity on each request.

WP.org versionIncluded in WP.org version
JWT Auth ProIncluded in JWT Auth Pro
Token Management

Token Refresh

Secure refresh with 64-char tokens and replay attack prevention.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Instant Revocation

Revoke compromised sessions immediately.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Token Dashboard

See every active token, owner, expiry, and last activity.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Auto-Revoke on Password Change

All sessions killed when a password is compromised.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Auto-Revoke on Email/Role Change

Sessions invalidated on identity or permission changes.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro
Visibility & Security

Analytics Dashboard

Success/failure rates, response times, 7d/30d/90d history.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

GeoIP Tracking

Country detection from IP via MaxMind GeoLite2.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Rate Limiting

IP-based, 60 req/min default, configurable, HTTP 429 responses.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Security Headers

Automatic HSTS, X-Frame-Options, X-Content-Type-Options, XSS-Protection.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Token Family Tracking

Detects refresh token replay attacks by tracking token lineage.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro
Configuration & Compliance

All Settings via WordPress UI

No wp-config.php editing required.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Configurable Signing Algorithms

HS256, RS256, ES256, EdDSA and more — from the UI.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

IP Anonymization

GDPR-compliant option to anonymize stored IP addresses.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Data Retention Policies

Configurable 1–365 day retention for analytics and token data.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro
Support & Developer Tools

Priority Support

Direct help from the developer.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Detailed Documentation

Guides, examples, and best practices.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

30+ Developer Hooks & Filters

Actions and filters for deep integration.

WP.org versionNot included in WP.org version
JWT Auth ProIncluded in JWT Auth Pro

Ready to upgrade from basic auth to complete API management?

Upgrade to Pro — $59.99/yearGet Lifetime Access — $179.99

Features

Not Just Authentication. Complete Token Control.

The free plugin generates tokens and walks away. Pro tracks every token, logs every access, and lets you revoke instantly. This is what the management layer looks like.

Token Dashboard

Every active token in one view — who owns it, when it was issued, when it expires, last activity. Revoke any token with one click.

Token management

Manage authentication tokens for API access and service integrations.

Jessica Smith
Last used: June 13, 2025 3:08 am
Active
Jane Doe
Last used: April 2, 2025 1:40 am
Revoked
Sam Peterson
Last used: January 1, 2025 1:40 am
Expired
Nayeli Strosin
Last used: June 13, 2025 3:08 am
Active
Brett Rogahn
Last used: June 10, 2025 10:34 am
Revoked

Usage Analytics

Authentication events, success and failure rates, response times, geographic distribution. Choose 7-day, 30-day, or 90-day windows.

Custom Claims

Add custom claims to JWT tokens using WordPress filters

functions.php
add_filter('jwt_auth_token_before_sign', function($token, $user) {
    $token['customer_type'] = get_user_meta($user->ID, 'customer_type', true);
    $token['loyalty_points'] = get_user_meta($user->ID, 'loyalty_points', true);
    $token['preferred_currency'] = get_user_meta($user->ID, 'currency', true);
    $token['customer_id'] = get_user_meta($user->ID, 'customer_id', true);
    $token['customer_email'] = get_user_meta($user->ID, 'customer_email', true);
    return $token;
}, 10, 2);

Automatic Revocation Policies

Tokens auto-revoke on password change, email change, or role change. One compromised account doesn’t mean open API access.

Security Audit Trail

Complete compliance logging with full context

Created
June 13, 2025 3:08 am
Client Context
IP: 110.11.194.83
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Token Details
Revoked
Hash: bb414972b6df2f5a902...
User: John Doe (ID: 1)
Last Used
June 13, 2025 3:08 am
Revoked
June 13, 2025 3:08 am

Rate Limiting & Security Headers

IP-based rate limiting at 60 req/min (configurable), automatic HSTS, X-Frame-Options, and XSS protection headers. No nginx config required.

Admin Configuration Interface

All settings are managed through the admin interface.

Token Settings
JWT Token Expiration:
7 days
Refresh Token Expiration:
30 days
Advanced Options
Enable CORS:
Analytics Retention:
90 days
Anonymize IP:

Complete Features Overview

Explore all the features that make JWT Authentication Pro the most comprehensive authentication solution for WordPress. Each feature is designed with security, performance, and developer experience in mind.

Authentication & Token Management

Professional JWT Token Creation

Industry-standard JWT tokens with configurable expiration (minutes to years)

Multiple Signing Algorithms

Support for HS256, RS256, and all Firebase JWT library algorithms

Token Payload Customization

Add custom user data and claims to JWT token payload

Multi-Layer Token Validation

Signature, expiration, issuer, and revocation checks

Bearer Token Support

Standard Authorization header parsing

Secure Token Hashing

All tokens hashed with WordPress security functions before storage

Secure Refresh Tokens

Cryptographically secure refresh token generation

Independent Expiration Control

Separate expiration settings for JWT and refresh tokens (default 30 days)

Token Rotation

Automatic token rotation with family relationship maintenance

What everyone is saying

60,000+ Sites Trust Our Authentication

From side projects to enterprise APIs—developers choose JWT Pro when they need authentication they can see and control.
S

Steffi

Perfect to use for API

JWT is brillant and it works out of the box. Further to this is it really stable and does it job. Thanks

Martin Šenkeřík

High quality plugin

Delivers what is promised. And that's quite comprehensive list of features. Recommended.
M

MadeByCaliper

Easy, stable, powerful, extensible

Allowed me to get up and running with a Vue.js frontend authentication flow within minutes. Really great documentation too!
s

softradeweb

Very useful plugin

I'm using this plugin since some months and it works perfectly, a simple way to authenticate from ext. apps
JW

James Whayman

Works great, thank you at WildPress

Exactly as described, very easy to use and clear documentation. Thank you
MK

Mwale Kalenga

Great plugin!

I've been using the plugin for over year, it's very good and user friendly!
g

graficowalab

Simply perfect!

I integrated it with my Flutter app, and it works flawlessly.
S

Sjors

Easy to use and extend

Perfect! This plugin is very easy to install and use. It's also easy to extend and add your own return data.
AY

Asfand Yar Ali Khan

Works fine!

It totally works fine. It was challenging to set it up in start but this plugin is helping me to extend the functionalities for my mobile app.
W

William

Great Plugin!

Using this plugin for over 1 year now and it works very well ! Thank you for your time and energy to develop this app !
d

dark_diesel

Great plugin!

Thank you for this solution! Exactly what we needed for our project.
i

iamdilipsuthar

Awesome plugin thankyou

Awesome plugin! Perfect for managing authentication tokens in our application.
s

shanart

Awesome!

This plugin made JWT authentication incredibly simple to implement. Highly recommended!
x

xero2112

Perfect

Does exactly what it states! Have been using this plugin for about a year now and haven't had any problems! Also, haven't had any compatibility issues. Great job dev!

Implementation

Add JWT Authentication in Minutes. Manage It Forever.

Drop-in authentication for any WordPress REST API. Works with React, Vue, mobile apps, or any client. Complete management dashboard included.

Generate Token

Authenticate users and issue JWT tokens with a single API call. Receive both user details and tokens in one seamless response.

User Authentication
Active
Credential Validation
Active

Validate Token

Ensure robust security with built-in JWT validation. Verify token signatures and claims to confirm authenticity and expiration status.

Signature Check
Verified
Claims Validation
Verified
Expiration Status
Verified

Refresh Token

Keep users seamlessly authenticated while maintaining strong security. Automatically manage token expiration and renewal.

Auto Renewal
Enabled
Lifecycle Management
Enabled
Session Continuity
Enabled

Pricing

Simple, Site-Based Pricing

All plans include the exact same powerful features. Just pick how many sites you need to secure: single site, small team (5 sites), or agency (20 sites).

Professional Single Site

Ideal for individual WordPress sites requiring robust, professional-grade API authentication solutions.

$59.99

USD

per year

Choose plan

Features:

  • 1 site
  • Token Management Dashboard
  • Token Refresh with Replay Detection
  • Instant & Auto Revocation
  • Usage Analytics (7d/30d/90d)
  • Rate Limiting & Security Headers
  • GeoIP Tracking
  • All Settings via UI — No wp-config.php
  • IP Anonymization & Data Retention
  • 30+ Developer Hooks & Filters
  • Priority Support

Professional Team (5 Sites)

Secure and manage multiple WordPress sites with ease—perfect for teams and small businesses.

$149.99

USD

per year

Choose plan

Features:

  • Up to 5 sites
  • Token Management Dashboard
  • Token Refresh with Replay Detection
  • Instant & Auto Revocation
  • Usage Analytics (7d/30d/90d)
  • Rate Limiting & Security Headers
  • GeoIP Tracking
  • All Settings via UI — No wp-config.php
  • IP Anonymization & Data Retention
  • 30+ Developer Hooks & Filters
  • Priority Support

Professional Agency (20 Sites)

Comprehensive API security tailored for agencies and developers managing multiple client sites.

$339.99

USD

per year

Choose plan

Features:

  • Up to 20 sites
  • Token Management Dashboard
  • Token Refresh with Replay Detection
  • Instant & Auto Revocation
  • Usage Analytics (7d/30d/90d)
  • Rate Limiting & Security Headers
  • GeoIP Tracking
  • All Settings via UI — No wp-config.php
  • IP Anonymization & Data Retention
  • 30+ Developer Hooks & Filters
  • Priority Support
  • White-labeling

Note: JWT Authentication Pro requires PHP 8.1 or higher

Common Questions

Get the answers you need

Quick solutions to implementation questions and technical details about JWT Authentication Pro.
Does this plugin work out of the box?

When you install JWT Authentication Pro, a professional JWT authentication layer is added on top of the WordPress REST API. This enables you to create, validate, and revoke JWT tokens for your WordPress users, allowing them to authenticate and make API requests from external systems, mobile apps, or web applications. However, you will need to implement the authentication logic in those external systems or applications. This plugin provides the JWT authentication infrastructure and advanced token management - the client-side implementation is up to you.

Is JWT Authentication Pro a Single Sign-On (SSO) system?

No, JWT Authentication Pro is not an SSO solution. It does not integrate with external identity providers like Google, Microsoft, or SAML systems. It is specifically designed to add token-based authentication to the WordPress REST API for external applications, not for cross-platform single sign-on.

Does this plugin replace WordPress user management or login system?

No, JWT Authentication Pro does not replace WordPress's built-in user authentication system. It does not handle user registration, password resets, or traditional WordPress login pages. It adds token-based authentication specifically for API access while keeping all existing WordPress functionality intact.

Can I use this for regular WordPress website sessions?

No, JWT Authentication Pro is not designed for managing regular WordPress website sessions or cookie-based authentication. It is specifically built for stateless, token-based API authentication used by external applications like mobile apps, SPAs, or headless WordPress setups.

Is this a general website security plugin?

No, JWT Authentication Pro is not a general security plugin like Wordfence or Sucuri. It does not protect against malware, secure login pages, or provide general website security features. Its security features are specifically designed for protecting API endpoints and managing token-based authentication.

What are the system requirements for JWT Authentication Pro?

JWT Authentication Pro requires PHP 8.1 or higher and WordPress 5.0 or higher with REST API enabled. All configuration is managed through the WordPress admin UI — no wp-config.php editing required. (The free plugin requires adding a secret key to wp-config.php, but Pro handles this automatically.) Your server needs HTTP Authorization Header enabled.

How does token refresh mechanism work?

When you authenticate, you receive both an access token and a refresh token. The access token is used for API requests and expires after a configurable period (default 7 days). When it expires, you can use the refresh token (valid for 30 days by default) to obtain a new access token without re-authenticating with username and password.

Can I track and analyze JWT usage?

Yes, JWT Authentication Pro includes a detailed analytics dashboard that tracks authentication attempts, token usage, active users, etc. You can configure retention periods as well.

What happens to tokens when a user changes their password?

By default, all tokens are automatically revoked when a user changes their password, email, or role. This behavior can be customized using filters. The Pro version gives you granular control over token lifecycle management.

What signing algorithms are supported?

The plugin supports multiple signing algorithms including HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, and PS512. You can choose and configure your preferred algorithm through settings or using the jwt_auth_algorithm filter.

How can I customize token claims and validation rules?

You can use filters like jwt_auth_token_before_sign and jwt_auth_token_before_dispatch to modify token claims and data. The Pro version also provides an interface for configuring custom validation rules, token lifetime, and security policies.

How do I handle CORS in my application?

CORS support can be enabled in the plugin settings. The plugin provides filters to customize CORS headers.

Do you offer refunds?

Yes, we offer a 14-day compatibility guarantee. Refunds are provided only for unresolvable technical compatibility issues that our support team cannot solve. You must work with our support team first before requesting a refund. Payment processor fees (3-5%) are deducted from approved refunds.

Do you offer a free trial?

No, we do not offer a free trial. However, we provide a 14-day compatibility guarantee for technical incompatibility issues that our support team cannot resolve.

Do you offer lifetime access?

Yes, we offer lifetime access to JWT Authentication Pro. You can purchase the plugin once and use it as long as you want.

Does an installation on a local environment count as a site for my license?

No, a site on a local environment does not count as a site for your license. You can use JWT Authentication Pro on your local environment without any restrictions. However, if you deploy your site to a production server, you will need to activate the license key.

Who is behind JWT Authentication Pro?

JWT Authentication Pro is developed by Enrique Chavez (@tmeister), a seasoned full-stack developer with a strong focus on WordPress and open-source technologies. Enrique has contributed to the WordPress ecosystem for years, creating plugins, and tools that help developers build more efficiently. His commitment to open-source development ensures that his projects, including JWT Authentication Pro, are designed to be simple, flexible, and developer-friendly.

Upgrade to Pro — $59.99/year
or get Lifetime for $179.9914-day guarantee