Tuesday, February 18, 2025
5 Use Cases for JWT Authentication in WordPress
Enrique Chavez
Securing your WordPress API properly matters, especially when building mobile apps, modern web applications, or connecting with external services.
JSON Web Tokens (JWT) provide a straightforward API authentication approach that improves traditional cookie-based methods. JWT Authentication Pro for WordPress makes implementing this technology simple and effective.
This post explores five real-world use cases for JWT authentication in WordPress projects. Each section includes practical examples and code samples that you can adapt to your projects.
Understanding JWT: A Quick Primer
Before we explore specific use cases, let's briefly understand what makes JWT special.
A JSON Web Token consists of three parts:
- Header: Contains the token type and signing algorithm
- Payload: Contains the claims or user data
- Signature: Verifies the token hasn't been tampered with
The key advantages of JWT include:
- Stateless: No server-side session storage is required
- Self-contained: Contains all necessary user information
- Portable: Works across different domains and platforms
- Secure: Digitally signed to prevent tampering
Let's see how this technology can be applied in real WordPress projects.
Use Case #1: Building Custom Mobile Apps
One of the most common use cases for JWT authentication is developing native mobile applications that communicate with your WordPress site. Traditional cookie-based authentication doesn't work well in mobile environments, making JWT the perfect solution.
The Challenge
When building a mobile app that connects to your WordPress site, you need:
- Secure user authentication
- Persistent sessions that survive app restarts
- Efficient API communication
- Cross-platform compatibility
How JWT Solves It
JWT authentication provides a seamless solution by:
- Authenticating users once and issuing a token
- Storing the token securely on the device
- Including the token in the header of each API request
- Automatically refreshing expired tokens without disrupting the user experience
Implementation Example
Here's how you might implement JWT authentication in a React Native app connecting to WordPress:
src/auth/loginService.js
// File: src/auth/loginService.js
// Function to authenticate user and get JWT token
const loginUser = async (username, password) => {
try {
const response = await fetch('https://yoursite.com/wp-json/jwt-auth/v1/token', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
username,
password,
}),
});
const data = await response.json();
if (!response.ok) {
throw new Error(data.message || 'Authentication failed');
}
// Store tokens and user data based on TokenResponse schema
await SecureStore.setItemAsync('accessToken', data.token);
await SecureStore.setItemAsync('refreshToken', data.refresh_token);
await SecureStore.setItemAsync('userData', JSON.stringify({
id: data.user_id,
email: data.user_email,
displayName: data.user_display_name,
nicename: data.user_nicename
}));
return true;
} catch (error) {
console.error('Login error:', error);
return false;
}
};
// Function to make authenticated API requests
const fetchProtectedData = async () => {
try {
const token = await SecureStore.getItemAsync('accessToken');
if (!token) {
throw new Error('No authentication token found');
}
const response = await fetch('https://yoursite.com/wp-json/wp/v2/posts', {
method: 'GET',
headers: {
'Authorization': `Bearer ${token}`,
},
});
// Handle token expiration with refresh mechanism
if (response.status === 403) {
const errorData = await response.json();
if (errorData.code === 'jwt_auth_invalid_token') {
const newToken = await refreshToken();
if (newToken) {
return fetchProtectedData(); // Retry with new token
} else {
throw new Error('Session expired. Please login again.');
}
}
}
if (!response.ok) {
const errorData = await response.json();
throw new Error(errorData.message || 'API request failed');
}
return await response.json();
} catch (error) {
console.error('API request failed:', error);
throw error;
}
};
// Function to refresh token
const refreshToken = async () => {
try {
const refreshToken = await SecureStore.getItemAsync('refreshToken');
if (!refreshToken) {
return null;
}
const response = await fetch('https://yoursite.com/wp-json/jwt-auth/v1/token/refresh', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
refresh_token: refreshToken,
}),
});
if (!response.ok) {
return null;
}
const data = await response.json();
// Update tokens based on TokenResponse schema
await SecureStore.setItemAsync('accessToken', data.token);
if (data.refresh_token) {
await SecureStore.setItemAsync('refreshToken', data.refresh_token);
}
return data.token;
} catch (error) {
console.error('Token refresh failed:', error);
return null;
}
};
// Function to validate token
const validateToken = async (token) => {
try {
const response = await fetch('https://yoursite.com/wp-json/jwt-auth/v1/token/validate', {
method: 'POST',
headers: {
'Authorization': `Bearer ${token}`,
},
});
if (!response.ok) {
return false;
}
const data = await response.json();
return data.code === 'jwt_auth_valid_token';
} catch (error) {
console.error('Token validation failed:', error);
return false;
}
};With JWT Authentication Pro, you get built-in refresh token functionality, token revocation capabilities, and a management dashboard to track all active sessions - essential features for production mobile apps.
Use Case #2: Headless WordPress / Decoupled Frontend
The rise of modern JavaScript frameworks has made headless WordPress implementations increasingly popular. Whether using React, Vue, or Angular, JWT authentication provides the perfect bridge between your front end and WordPress back end.
The Challenge
Headless WordPress setups face several authentication hurdles:
- Cross-domain authentication issues
- Managing user sessions in single-page applications
- Securing API endpoints while maintaining performance
- Handling authentication across multiple frontend services
How JWT Solves It
JWT authentication elegantly addresses these challenges by:
- Providing a domain-independent authentication mechanism
- Eliminating CORS issues related to cookies
- Enabling stateless, scalable authentication
- Allowing multiple frontends to authenticate against the same WordPress backend
Implementation Example
Here's a simple implementation using React and the WordPress JWT authentication:
src/context/AuthContext.js
// File: src/context/AuthContext.js
import React, { useState, useEffect, createContext, useContext } from 'react';
import axios from 'axios';
// Create authentication context
const AuthContext = createContext();
export const AuthProvider = ({ children }) => {
const [currentUser, setCurrentUser] = useState(null);
const [loading, setLoading] = useState(true);
const [error, setError] = useState(null);
// Initialize auth state from localStorage
useEffect(() => {
const token = localStorage.getItem('jwt_token');
const user = localStorage.getItem('user');
if (token && user) {
setCurrentUser(JSON.parse(user));
axios.defaults.headers.common['Authorization'] = `Bearer ${token}`;
}
setLoading(false);
}, []);
// Login function using JWT Auth Pro
const login = async (username, password) => {
try {
setLoading(true);
const response = await axios.post('https://your-wordpress-site.com/wp-json/jwt-auth/v1/token', {
username,
password
});
// TokenResponse schema properties
const { token, refresh_token, user_id, user_email, user_nicename, user_display_name } = response.data;
// Store tokens and user data
localStorage.setItem('jwt_token', token);
localStorage.setItem('refresh_token', refresh_token);
const userData = {
id: user_id,
email: user_email,
nicename: user_nicename,
displayName: user_display_name
};
localStorage.setItem('user', JSON.stringify(userData));
// Set auth header for future requests
axios.defaults.headers.common['Authorization'] = `Bearer ${token}`;
setCurrentUser(userData);
setError(null);
return true;
} catch (err) {
const errorMessage = err.response?.data?.message || 'Authentication failed';
setError(errorMessage);
return false;
} finally {
setLoading(false);
}
};
// Logout function
const logout = () => {
localStorage.removeItem('jwt_token');
localStorage.removeItem('refresh_token');
localStorage.removeItem('user');
delete axios.defaults.headers.common['Authorization'];
setCurrentUser(null);
};
// Token refresh function
const refreshAuthToken = async () => {
try {
const refreshToken = localStorage.getItem('refresh_token');
if (!refreshToken) {
throw new Error('No refresh token available');
}
const response = await axios.post('https://your-wordpress-site.com/wp-json/jwt-auth/v1/token/refresh', {
refresh_token: refreshToken
});
// TokenResponse schema
const { token, refresh_token } = response.data;
localStorage.setItem('jwt_token', token);
if (refresh_token) {
localStorage.setItem('refresh_token', refresh_token);
}
axios.defaults.headers.common['Authorization'] = `Bearer ${token}`;
return true;
} catch (err) {
// Check error code from Error schema
const errorCode = err.response?.data?.code;
console.error(`Token refresh failed: ${errorCode}`);
logout(); // Force logout on refresh failure
return false;
}
};
// Add interceptor to handle token expiration
axios.interceptors.response.use(
response => response,
async error => {
const originalRequest = error.config;
// Check for invalid token error from Error schema
if (error.response?.status === 403 &&
error.response?.data?.code === 'jwt_auth_invalid_token' &&
!originalRequest._retry) {
originalRequest._retry = true;
if (await refreshAuthToken()) {
// Retry the original request with new token
return axios(originalRequest);
}
}
return Promise.reject(error);
}
);
// Validate token function using ValidationResponse schema
const validateToken = async () => {
try {
const token = localStorage.getItem('jwt_token');
if (!token) {
return false;
}
const response = await axios.post(
'https://your-wordpress-site.com/wp-json/jwt-auth/v1/token/validate',
{},
{
headers: {
'Authorization': `Bearer ${token}`
}
}
);
// Validation response check based on schema
return response.data.code === 'jwt_auth_valid_token';
} catch (error) {
console.error('Token validation failed:', error.response?.data?.message);
return false;
}
};
return (
<AuthContext.Provider value={{
currentUser,
login,
logout,
loading,
error,
validateToken,
refreshToken: refreshAuthToken
}}>
{children}
</AuthContext.Provider>
);
};
// Custom hook for using authentication
export const useAuth = () => useContext(AuthContext);This implementation creates a complete authentication system for your headless WordPress setup, including token storage, automatic refresh, and error handling.
Use Case #3: Third-Party Service Integration
Modern WordPress sites often need to connect with external services and APIs. JWT authentication provides a secure way to authorize these integrations without compromising security.
The Challenge
When integrating third-party services with WordPress, you need to:
- Provide secure, programmatic access to your WordPress data
- Control exactly what each service can access
- Monitor and manage external access
- Revoke access when needed
How JWT Solves It
JWT authentication excels in service-to-service scenarios by:
- Providing machine-to-machine authentication
- Supporting fine-grained authorization through token claims
- Enabling centralized access management
- Allowing token revocation for compromised integrations
Implementation Example
Here's how you might implement a service account for a third-party integration:
includes/service-integrations.php
<?php
// File: includes/service-integrations.php
/**
* Create a service account for third-party integration using JWT Auth Pro
*/
function create_service_integration_account($service_name, $capabilities = []) {
// Generate a strong username and password
$username = 'service_' . $service_name . '_' . uniqid();
$password = wp_generate_password(24, true, true);
// Create the user with limited capabilities
$user_id = wp_create_user($username, $password, $username . '@example.com');
if (is_wp_error($user_id)) {
return $user_id;
}
// Set role and capabilities
$user = new WP_User($user_id);
$user->set_role('custom_api_user'); // Custom role with minimal permissions
// Add specific capabilities if needed
foreach ($capabilities as $cap) {
$user->add_cap($cap);
}
// Use the standard JWT Auth endpoint to get a token
$request = new WP_REST_Request('POST', '/jwt-auth/v1/token');
$request->set_param('username', $username);
$request->set_param('password', $password);
$response = rest_do_request($request);
$data = $response->get_data();
if (is_wp_error($response) || $response->get_status() !== 200) {
// Clean up on failure
wp_delete_user($user_id);
$error_message = is_wp_error($response) ? $response->get_error_message() : $data['message'];
return new WP_Error(
'jwt_auth_token_creation_failed',
$error_message,
['status' => 500]
);
}
// Store service information for management - using TokenResponse schema properties
$service_integration = [
'user_id' => $user_id,
'created' => time(),
'token' => $data['token'],
'refresh_token' => $data['refresh_token'],
'expires' => time() + (90 * DAY_IN_SECONDS) // Assumption for tracking purposes
];
update_option('service_integration_' . $service_name, $service_integration);
// Return service credentials following TokenResponse schema
return [
'access_token' => $data['token'],
'refresh_token' => $data['refresh_token'],
'user_id' => $data['user_id'],
'user_email' => $data['user_email'],
'expires_in' => 90 * DAY_IN_SECONDS, // Assumption based on default settings
'service' => $service_name,
'created' => time()
];
}
/**
* Refresh a service integration token
*/
function refresh_service_integration_token($service_name) {
$service_data = get_option('service_integration_' . $service_name);
if (!$service_data || empty($service_data['refresh_token'])) {
return new WP_Error(
'invalid_service',
'Service integration not found or missing refresh token',
['status' => 404]
);
}
// Use the refresh token endpoint
$request = new WP_REST_Request('POST', '/jwt-auth/v1/token/refresh');
$request->set_param('refresh_token', $service_data['refresh_token']);
$response = rest_do_request($request);
$data = $response->get_data();
if (is_wp_error($response) || $response->get_status() !== 200) {
$error_message = is_wp_error($response) ? $response->get_error_message() : $data['message'];
return new WP_Error(
'token_refresh_failed',
$error_message,
['status' => 500]
);
}
// Update stored token information based on TokenResponse schema
$service_data['token'] = $data['token'];
$service_data['refresh_token'] = $data['refresh_token'];
$service_data['last_refreshed'] = time();
update_option('service_integration_' . $service_name, $service_data);
return [
'token' => $data['token'],
'refresh_token' => $data['refresh_token'],
'expires_in' => 90 * DAY_IN_SECONDS, // Assumption
'refreshed_at' => time()
];
}
/**
* Validate a service token
*/
function validate_service_token($service_name) {
$service_data = get_option('service_integration_' . $service_name);
if (!$service_data || empty($service_data['token'])) {
return false;
}
// Use the validation endpoint
$request = new WP_REST_Request('POST', '/jwt-auth/v1/token/validate');
$request->add_header('Authorization', 'Bearer ' . $service_data['token']);
$response = rest_do_request($request);
$data = $response->get_data();
// Return validation result according to ValidationResponse schema
if (!is_wp_error($response) && $response->get_status() === 200) {
return $data['code'] === 'jwt_auth_valid_token';
}
return false;
}
?>With JWT Authentication Pro, you can track all service tokens from the management dashboard, set appropriate expiration times, and instantly revoke access if a security issue arises.
Use Case #4: Custom WooCommerce API Extensions
WooCommerce powers millions of online stores, many of which require custom API integrations. JWT authentication provides a secure foundation for extending WooCommerce's API capabilities.
The Challenge
Custom WooCommerce API implementations often struggle with:
- Secure customer authentication
- Scalable order processing
- Custom checkout flows
- Integrating with inventory and fulfillment systems
How JWT Solves It
JWT authentication enhances WooCommerce API security by:
- Providing a standardized authentication mechanism for all extensions
- Supporting customer-specific tokens with appropriate permissions
- Enabling secure machine-to-machine communication for order processing
- Simplifying multi-vendor authentication
Implementation Example
Here's an example of extending WooCommerce's REST API with JWT authentication:
includes/custom-woocommerce-api.php
<?php
// File: includes/custom-woocommerce-api.php
/**
* Register custom WooCommerce API endpoints with JWT Auth Pro protection
*/
function register_custom_woocommerce_api_endpoints() {
register_rest_route('wc-custom/v1', '/customer-orders', [
'methods' => 'GET',
'callback' => 'get_customer_orders_callback',
// JWT Auth Pro handles all token validation automatically
// We just need the WooCommerce-specific permission check
'permission_callback' => function() {
return current_user_can('read_order');
}
]);
register_rest_route('wc-custom/v1', '/quick-checkout', [
'methods' => 'POST',
'callback' => 'process_quick_checkout_callback',
'permission_callback' => function() {
return current_user_can('create_order');
}
]);
register_rest_route('wc-custom/v1', '/product-inventory', [
'methods' => 'GET',
'callback' => 'get_product_inventory_callback',
'permission_callback' => function() {
return current_user_can('read_product');
}
]);
}
add_action('rest_api_init', 'register_custom_woocommerce_api_endpoints');
/**
* Callback for customer orders endpoint
* JWT Auth Pro handles authentication before this function is called
*/
function get_customer_orders_callback($request) {
// Since JWT Auth Pro has already authenticated the user,
// we can simply use the current user ID
$user_id = get_current_user_id();
// Get order parameters
$per_page = $request->get_param('per_page') ? intval($request->get_param('per_page')) : 10;
$page = $request->get_param('page') ? intval($request->get_param('page')) : 1;
$status = $request->get_param('status') ? $request->get_param('status') : 'any';
// Get orders for the current customer
$orders = wc_get_orders([
'customer_id' => $user_id,
'page' => $page,
'limit' => $per_page,
'type' => 'shop_order',
'status' => $status
]);
if (empty($orders)) {
return new WP_REST_Response([], 200);
}
$response = [];
foreach ($orders as $order) {
$response[] = [
'id' => $order->get_id(),
'number' => $order->get_order_number(),
'status' => $order->get_status(),
'date_created' => $order->get_date_created()->format('c'),
'total' => $order->get_total(),
'currency' => $order->get_currency(),
'payment_method' => $order->get_payment_method_title(),
'shipping_method' => $order->get_shipping_method(),
'line_items' => get_simplified_line_items($order),
'shipping_address' => $order->get_address('shipping'),
'billing_address' => $order->get_address('billing')
];
}
return new WP_REST_Response($response, 200);
}
/**
* Process a quick checkout request
* JWT Auth Pro handles authentication before this function is called
*/
function process_quick_checkout_callback($request) {
$user_id = get_current_user_id();
$products = $request->get_param('products');
$billing = $request->get_param('billing');
$shipping = $request->get_param('shipping');
// Create a new order
$order = wc_create_order([
'customer_id' => $user_id,
'status' => 'pending'
]);
// Add products to order
foreach ($products as $product) {
$order->add_product(
wc_get_product($product['id']),
$product['quantity'],
[
'variation' => isset($product['variation_id']) ? wc_get_product($product['variation_id']) : null,
'totals' => [
'subtotal' => $product['subtotal'],
'total' => $product['total']
]
]
);
}
// Set addresses
$order->set_address($billing, 'billing');
$order->set_address($shipping, 'shipping');
// Calculate totals and save
$order->calculate_totals();
$order->save();
return new WP_REST_Response([
'success' => true,
'order_id' => $order->get_id(),
'order_number' => $order->get_order_number(),
'order_key' => $order->get_order_key(),
'status' => $order->get_status()
], 201);
}With JWT Authentication Pro, your WooCommerce API endpoints are automatically secured without additional validation code. The plugin handles all the behind-the-scenes token processing, validation, and user authentication, letting you focus on your business logic.
Use Case #5: Microservices Architecture
A microservices architecture can provide scalability and flexibility for complex WordPress implementations. JWT authentication forms the backbone of secure communication between these services.
The Challenge
Microservices architectures face complex authentication challenges:
- Service-to-service authentication
- Maintaining consistent user context across services
- Securing inter-service communication
- Managing authentication at scale
How JWT Solves It
JWT authentication excels in microservices environments by:
- Providing a decentralized authentication mechanism
- Passing user context between services securely
- Supporting fine-grained access controls
- Enabling consistent authentication across the entire architecture
Implementation Example
Here's a simplified example of microservice communication with JWT Authentication Pro:
includes/microservice-communication.php
<?php
// File: includes/microservice-communication.php
/**
* Class to handle microservice API calls with JWT Auth Pro
*/
class Microservice_API_Client {
/**
* Base URL of the target microservice
*/
private $base_url;
/**
* JWT token for authentication
*/
private $token;
/**
* Constructor
*/
public function __construct($service_url) {
$this->base_url = rtrim($service_url, '/');
// JWT Auth Pro handles obtaining and refreshing tokens automatically
// We just need to request it when needed
}
/**
* Get a token for service-to-service communication
*/
private function ensure_valid_token() {
if ($this->token) {
return $this->token;
}
// Get a service account token from the authentication service
$response = wp_remote_post('https://auth-service.example.com/wp-json/jwt-auth/v1/token', [
'body' => [
'username' => defined('MICROSERVICE_USERNAME') ? MICROSERVICE_USERNAME : 'service_account',
'password' => defined('MICROSERVICE_PASSWORD') ? MICROSERVICE_PASSWORD : '',
],
'timeout' => 15
]);
if (is_wp_error($response)) {
throw new Exception('Failed to get service token: ' . $response->get_error_message());
}
$body = json_decode(wp_remote_retrieve_body($response), true);
if (empty($body['token'])) {
throw new Exception('Invalid authentication response from auth service');
}
$this->token = $body['token'];
return $this->token;
}
/**
* Make an authenticated request to another microservice
*/
public function request($endpoint, $method = 'GET', $data = null) {
$url = $this->base_url . '/' . ltrim($endpoint, '/');
$token = $this->ensure_valid_token();
$args = [
'method' => $method,
'headers' => [
'Authorization' => 'Bearer ' . $token,
'Content-Type' => 'application/json',
],
'timeout' => 30,
];
if ($data && in_array($method, ['POST', 'PUT', 'PATCH'])) {
$args['body'] = json_encode($data);
}
$response = wp_remote_request($url, $args);
if (is_wp_error($response)) {
throw new Exception('Microservice request failed: ' . $response->get_error_message());
}
$status_code = wp_remote_retrieve_response_code($response);
$body = json_decode(wp_remote_retrieve_body($response), true);
// Handle token expiration - JWT Auth Pro makes this simple
if ($status_code === 403 && isset($body['code']) && $body['code'] === 'jwt_auth_invalid_token') {
// Clear token and retry once
$this->token = null;
return $this->request($endpoint, $method, $data);
}
return [
'status' => $status_code,
'body' => $body,
'headers' => wp_remote_retrieve_headers($response)
];
}
/**
* Get data from another microservice
*/
public function get($endpoint, $query_params = []) {
$url = $endpoint;
if (!empty($query_params)) {
$url .= '?' . http_build_query($query_params);
}
$response = $this->request($url, 'GET');
if ($response['status'] >= 200 && $response['status'] < 300) {
return $response['body'];
}
throw new Exception(
'Microservice GET request failed: ' .
($response['body']['message'] ?? 'Unknown error'),
$response['status']
);
}
/**
* Post data to another microservice
*/
public function post($endpoint, $data) {
$response = $this->request($endpoint, 'POST', $data);
if ($response['status'] >= 200 && $response['status'] < 300) {
return $response['body'];
}
throw new Exception(
'Microservice POST request failed: ' .
($response['body']['message'] ?? 'Unknown error'),
$response['status']
);
}
}
/**
* Example usage of the microservice client
*/
function get_user_data_from_user_service($user_id) {
try {
$client = new Microservice_API_Client('https://user-service.example.com/wp-json');
$user_data = $client->get('wp/v2/users/' . $user_id, [
'context' => 'extended',
'_fields' => 'id,name,email,roles,meta'
]);
return $user_data;
} catch (Exception $e) {
error_log('Failed to get user data: ' . $e->getMessage());
return false;
}
}
/**
* Create content on the content service
*/
function create_content_on_content_service($title, $content, $author_id, $type = 'post') {
try {
$client = new Microservice_API_Client('https://content-service.example.com/wp-json');
$result = $client->post('wp/v2/' . $type . 's', [
'title' => $title,
'content' => $content,
'status' => 'publish',
'author' => $author_id
]);
return $result['id'] ?? false;
} catch (Exception $e) {
error_log('Failed to create content: ' . $e->getMessage());
return false;
}
}With JWT Authentication Pro, your microservices can securely communicate with each other without a complex custom authentication code. The plugin automatically handles token management, validation, and user authentication, making it easy to build scalable, distributed WordPress applications.
Note: The code samples provided in this article are simplified examples intended to illustrate concepts and are not production-ready. In a real-world implementation, you must add proper error handling, implement security best practices, and thoroughly test your code before deploying to production.