This documentation is a work in progress. There may be unfinished content. Feedback is welcome.


    JWT Authentication

    Trouble with JWT authentication?

    What are the system requirements for JWT Authentication?

    You’ll need to configure a secret key in your wp-config.php file and ensure your server has HTTP Authorization Header enabled. See the Setup Guide for information.

    How does the token refresh mechanism work?

    When you authenticate, you receive both an access token and a refresh token. The access token is used for API requests and expires after a configurable period (default 10 days). When it expires, you can use the refresh token (valid for 30 days by default) to obtain a new access token without re-authenticating with username and password.

    How do I handle CORS in my application?

    CORS is handled at the core level. Please see the CORS guide for more information.

    What happens to tokens when a user changes their password or email?

    By default, all tokens are automatically revoked when a user changes their password or email. This behavior can be customized using filters.

    What signing algorithms are supported?

    The plugin supports multiple signing algorithms including HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, and PS512. You can choose and configure your preferred algorithm through the filters.

    My server uses a static IP address, what can I do?

    If you're having issues matching the IP address due to your server configuration, you can force the IP to the static IP address your server provides.

    add_filter( 'cocart_jwt_auth_token_before_sign', function( $payload ) {
        $payload['data']['user']['ip'] = '127.0.0.1'; // Replace IP address with static IP.
    
        return $payload;
    } );
    

    We use a fixed custom user agent so authentication is failing.

    You can filter the device to your specific user agent. That way it always matches.

    add_filter( 'cocart_jwt_auth_token_before_sign', function( $payload ) {
        $payload['data']['user']['device'] = 'My Custom User Agent'; // Replace with your user agent.
    
        return $payload;
    } );
    

    How can I customize token claims and validation rules?

    You can use the filters to modify token claims, lifetime and data.

    How can I create, view or list JWT tokens?

    There are WP-CLI commands designed strictly to help with your development. See the CLI Reference for the commands.

    Why would the token no longer be valid when it hasn't expired yet?

    In short: the most obvious cause is that the user's IP address has changed.

    Long answer: this is a common issue with JWT tokens and can be resolved by implementing a token validation and refresh flow. When a user has moved location or simply switched networks at some point, your site/app will experience an authentication failure on the next request because the token is no longer valid. This is a security feature of JWT tokens to prevent replay attacks.
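The refresh mechanism and the "token no longer valid" case described above can both be handled by one client-side wrapper. This is an added example, not code from CoCart: `createAuthClient`, its callbacks (`send`, `refresh`, `reauthenticate`, `isRejected`) and the token object shape are hypothetical, and it assumes a rejected token is signalled with HTTP 401.

```javascript
// Added example. `send`, `refresh`, `reauthenticate` and `isRejected` are
// hypothetical callbacks supplied by the caller; no CoCart endpoint path or
// response shape is assumed.
function createAuthClient({ tokens, send, refresh, reauthenticate,
                            isRejected = (res) => res.status === 401 }) {
  let current = { ...tokens }; // { access, refresh }
  let inFlight = null;         // shared promise: concurrent failures trigger one renewal

  async function renew() {
    try {
      // Exchange the refresh token for a new access token (no password needed).
      current = { ...current, ...(await refresh(current.refresh)) };
    } catch (err) {
      // Refresh token expired or revoked (for example after a password or
      // email change): fall back to a full username/password login.
      current = await reauthenticate();
    }
  }

  function renewOnce() {
    if (!inFlight) {
      inFlight = renew().finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  async function request(req) {
    const used = current.access;
    const res = await send(req, used);
    if (!isRejected(res)) return res;
    // Rejected before or after expiry (for example the client IP changed).
    // Renew only if nobody replaced the token while this request was in flight.
    if (current.access === used) await renewOnce();
    // Retry exactly once; a second rejection goes back to the caller.
    return send(req, current.access);
  }

  return { request, getTokens: () => ({ ...current }) };
}
```

Retrying only once keeps a permanently rejected client from looping, and sharing the in-flight renewal stops parallel requests from spending the same refresh token several times.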
