Life Time Extra Credits Offer

*Add $100 or more to claim

Validity: Nov 24 - Dec 05, 2025

CODE: INSTA41
Claim Your Deal Now
Log In
Get Started
WordPress Plugins
JWT Auth – WordPress JSON Web Token Authentication

JWT Auth – WordPress JSON Web Token Authentication

Create JSON Web Token Authentication in WordPress.
Rating:
5.0
star-rating-1star-rating-2star-rating-3star-rating-4star-rating-5
Active Installations:
6000+
Last Updated:
May 08, 2024
WordPress Version:
5.2 or higher
Tested up to:
6.5.5
Try Demo
Download

Easy JWT Authentication

A simple and convenient way to authenticate your REST API using JSON Web Tokens (JWT). No complex configurations required.

Quick Support

Get your questions answered and report bugs on the WordPress support forum or GitHub issues tracker. Join the Discord channel for faster response.

Seamless Upgrades

Upgrade to v3 smoothly with reduced access token expiry time and improved access requirements for custom REST API routes.

Flexible Configuration

Easily configure the secret key and enable CORS support to enhance the security and functionality of your JWT authentication.

Author’s Site Author Site view

3.0.2

  • Fix: Do not revalidate authentication headers if a valid user was determined already. (#75)
  • Fix: Added debugging timeframe before purging refresh tokens. (#93)
  • Fix: Fixed unnecessary user account lookup for device listing on user profile page. (#84)
  • Fix: Added more granular refresh token validation error messages. (#78)
  • Fix: Added integration for new CORS filter hook rest_allowed_cors_headers in WordPress 5.5.0. (#97)
  • Fix: Updated Guzzle to v7.8.1 (used in tests only). (#112)

3.0.1

  • Updated firebase/php-jwt to 6.3 to address security issue in versions prior to 6.x.

3.0.0

  • New feature: Added support for refresh tokens.
  • New feature: Added automated end-to-end tests using PHPUnit.
  • Breaking change: Reduced default access token lifetime to 10 minutes.
  • Breaking bugfix: All authentication error responses are using the correct HTTP status code 401 (Unauthorized) instead of 403 (Forbidden) now.
  • Breaking change: Removed whitelist. To retain similar functionality, install a separate plugin, such as https://wordpress.org/plugins/disable-rest-api-and-require-jwt-oauth-authentication/

2.1.6

  • Added automated asset updates from GitHub.

2.1.5

  • Removed dev and build files from distribution.

2.1.4

  • Added update warning and information relevant to updating to version 3.

2.1.3

  • Fix some missing composer files in 2.1.2.

2.1.2

  • Updated to fix a number of issues highlighted by wpcs.

2.1.1

  • Updated firebase/php-jwt to 6.3 to address security issue in versions prior to 6.x.

2.1.0

  • It’s possible now to whitelist an endpoint with specific method (GET/POST). See PR #47

2.0.0

  • Breaking change: rename jwt_auth_valid_token_extra filter to jwt_auth_extra_token_check. Please check if you use this filter.
  • Breaking bugfix: the actual http statusCode didn’t follow the response statusCode. Now the actual http statusCode follows the response statusCode.
  • New feature: connected device. Thanks @pesseba.
  • Might be a breaking change: Add WordPress & WC default endpoints to jwt_auth_default_whitelist to prevent error when visiting WordPress admin area.
  • Documentation: prevent misleading example by updating the jwt_auth_whitelist usage.

1.4.2

  • Bugfix: add permission_callback argument since it’s required in WP 5.5

1.4.1

  • Bugfix: the previous /wp-json/wp/v2/* whitelisting didn’t work. It should be /wp-json/wp/v2/ (without the star char).

1.4.0

  • Whitelist /wp-json/wp/v2/* by default. This will prevent the plugin from breaking the default WordPress administration (gutenberg, etc).
  • Bugfix: fix the problem with WordPress subdir installation. See issue.

1.3.0

  • Filter Change: jwt_auth_valid_token_response should only filter the $response array instead of the whole WP_REST_Response. Please check if you use this filter 🙂
  • README update about jwt_auth_whitelist filter usage. That filter should be added directly (without hook) OR inside plugins_loaded. Adding it to init (or after that) will not work.

1.2.0

  • Critical Bugfix: WooCommerce admin breaks. With this change, WooCommerce admin should be good.
  • New Filter: We whitelist some endpoints by default to support common plugin like WooCommerce. These default whitelisted endpoints are change-able via jwt_auth_default_whitelist filter.

1.1.0

  • Support WooCommerce by ignoring /wp-json/wc/ and /wp-json/wc-auth/ namespace. You can use jwt_auth_whitelist filter if you want to whiteist other endpoints. See Whitelisting Endpoints section in the description tab.

1.0.0

  • Filter Change: Rename jwt_auth_token_payload filter to jwt_auth_payload
  • Filter Change: Rename jwt_auth_token_response filter to jwt_auth_valid_credential_response
  • Critical Bugfix: The auth only restricted wp-json/jwt-auth/v1/* endpoints. So endpoints under other namespace were not restricted. With this change, other endpoints are restricted now. If you need to whitelist some endpoints, please read about Whitelisting Endpoints section in the description tab.
  • New Filter: jwt_auth_valid_token_response
  • New Filter: Make possible to whitelist specific endpoints via jwt_auth_whitelist filter.
  • New Filter: Make possible to change the token issuer by providing jwt_auth_iss filter.
  • New Filter: Make possible to change the supported algorithm by providing jwt_auth_alg filter.
  • New Filter: Make possible to change the valid token response by providing jwt_auth_valid_token_response filter.
  • Add support for site with disabled permalink.

0.1.3

  • Add jwt_auth_do_custom_auth filter so that developer can use custom authentication like OTP authentication or any other.

0.1.2

  • Working version.

It simply works!

By maidot on January 31, 2024

Tried other plugins, had problems with them and this one simply works and that's it.

This is a properly developed plugin. Keep it up!

Good Work

By gunberi on September 13, 2023

The simplest and most useful plugin

Perfect Plugin

By Gagan (wp3developers) on August 10, 2023

Works perfect.

Thank You!

Awesome plugin

By bilskirnir on June 29, 2023

Exactly what I was looking for

best jwt auth plugin

By Julian Lang (giulng) on June 29, 2023

works perfect, a lot of useful filters, no advertising or brand prefixes. you can transform your wp to a nice headless backend with this

works great

By kheftel on April 12, 2022

allows me to use JWT authentication with WP REST API on wordpress 5.9.3, with one tweak for a host that strips authentication headers (not the plugin's fault)

good !!

By Ahmed Hnewa (ahmedriyadh) on February 9, 2021

good plugin , but please stay this plugin updated it help me for make authentication on my androis app with wordpress as backend thank you

Great

By dovich on December 9, 2020

Thank You for this fork from old plugin that not supported for a long time. Amazing.

Good

By ness on December 1, 2020

Good

Great. Just works.

By Jesse Sugden (jeswd) on November 15, 2020

No issues with this plugin. It just works.
More Reviews
Try other plugins too!
Simple JWT Login – Allows you to use JWT on REST endpoints.

Simple JWT Login – Allows you to use JWT on REST endpoints.

The main purpose of this plugin is to allow Mobile apps, or other websites to access the content via REST endpoints in a secure way.

Try Demo More Details
JWT Authentication for WP REST API

JWT Authentication for WP REST API

Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.

Try Demo More Details
JWT Auth – WordPress JSON Web Token Authentication

JWT Auth – WordPress JSON Web Token Authentication

Create JSON Web Token Authentication in WordPress.

Try Demo More Details
Author Site Author Site

Try JWT Auth – WordPress JSON Web Token Authentication With InstaWP

Try Demo

Contact Sales

Reach out to us to explore how InstaWP can benefit your business.