JWT Authentication for WordPress

Go to JWT Authentication for WordPress
JWT Authentication for Wordpress banner
11th Aug, 2018

JWT Authentication for WordPress
By Enrique Chavez

Recently I had to make a Cordova application based on WordPress. The rest API part was easy but I had no clue how to setup wp user login. Fortunately this nifty little plugin came to my rescue.


Firstly, you’ll need a good understanding of how JWT(Javascript web tokens) work. Here’s a handy guide on using them.

Let’s get down to it. Install the plugin from the WordPress plugin registry. The plugin takes advantage of the WordPress rest API to create new endpoints from where you can create a token and validate it.

In order to make it work, add this to your root .htaccess file(the one sitting inside the WordPress directory):

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

This will pass the authorization header to WordPress. You’ll also need to add this in your wp-config.php file:

define('JWT_AUTH_CORS_ENABLE', true);

Next, use a rest API tool such as Insomnia or Postman to test if its working. To do this, pass a username and password field as a POST request to <yoursitename>/wp-json/jwt-auth/v1/token. Here’s how I’ve done it.

Using Insomnia to pass credentials to the rest endpoint.
Using Insomnia to pass credentials to the rest endpoint.

That’s about it. Store the token locally on your application and pass it along every request you make to the server. Read the documentation to learn more about passing data to the client, token expiry time, etc.


There is hardly any documentation other than what’s written on the plugin’s registry page. As I said before, you’ll need a solid understanding of how JWTs work before you can get up and running with this plugin. Don’t expect any hand holding, there’s no help page for it in the backend and the documentation is very sparse.

Because of sparse documentation you’re pretty much on your own if you want custom functionality

As far as security is concerned, it uses the Firebase jwt library which is what I would consider production ready. You can always take a peek at the source code to see how it works.


You want JWT auth? This plugin has got you covered. However, I would recommend Auth0’s offering for a more robust setup.


Easy way to setup WordPress logins for SPAs, mobile applications, etc. Sadly there’s hardly any documentation and doing anything beyond the standard rest API stuff will bog you down.


Helpful disclosure

Our works are supported by earning an affiliate commision
when readers choose to purchase a plugin based our reviews.

Leave a Reply

Your email address will not be published. Required fields are marked *