JWT Authentication for WordPress

Firstly, you’ll need a good understanding of how JWT(Javascript web tokens) work. Here’s a handy guide on using them.

Let’s get down to it. Install the plugin from the WordPress plugin registry. The plugin takes advantage of the WordPress rest API to create new endpoints from where you can create a token and validate it.

In order to make it work, add this to your root .htaccess file(the one sitting inside the WordPress directory):

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

This will pass the authorization header to WordPress. You’ll also need to add this in your wp-config.php file:

define('JWT_AUTH_CORS_ENABLE', true);

Next, use a rest API tool such as Insomnia or Postman to test if its working. To do this, pass a username and password field as a POST request to <yoursitename>/wp-json/jwt-auth/v1/token. Here’s how I’ve done it.

That’s about it. Store the token locally on your application and pass it along every request you make to the server. Read the documentation to learn more about passing data to the client, token expiry time, etc.

There is hardly any documentation other than what’s written on the plugin’s registry page. As I said before, you’ll need a solid understanding of how JWTs work before you can get up and running with this plugin. Don’t expect any hand holding, there’s no help page for it in the backend and the documentation is very sparse.

Because of sparse documentation you’re pretty much on your own if you want custom functionality

As far as security is concerned, it uses the Firebase jwt library which is what I would consider production ready. You can always take a peek at the source code to see how it works.

You want JWT auth? This plugin has got you covered. However, I would recommend Auth0’s offering for a more robust setup.