JWT Authentication

A JWT is a mechanism for verifying the origin and integrity of some JSON data. It is a URL-safe encoded string that can carry an unlimited amount of data (unlike a cookie), and it is cryptographically signed. When a server receives a JWT, it can trust the data it contains because the token was signed by the issuing source; a middleman cannot modify a JWT in transit without invalidating the signature.

A JWT can be signed and validated using one of two algorithm families: HMAC-SHA (HS) and RSA (RS).

Every REST API request must carry the JWT in the Authorization header (or in a custom header that you configure). Whenever a client application requests a resource, the request must contain that header with a valid JWT.

Token Request

You do not have to build a JWT yourself: request one from the WordPress REST API Authentication plugin. A sample token request follows.

Sample Request
    Request: POST /wp-json/api/v1/token
    Body:
    username = <wordpress_username>
    password = <wordpress_password>

cURL:
    curl -d "username=<wordpress_username>&password=<wordpress_password>" -X POST http://<wp_base_url>/wp-json/api/v1/token


Success Response
    Code  Status   Description
    200   SUCCESS  You will get the JWT token in the response.

Example model:
{
  "token_type":"Bearer",
  "iat":1572861717,
  "expires_in":1572865317,
  "jwt_token":"HEADER.PAYLOAD.SIGNATURE"
}
Error Response
    Code  Error                Description
    400   INVALID_CREDENTIALS  You will get this error when either the username or the password is incorrect.

Example Model:
{
  "status":"error",
  "error":"INVALID_CREDENTIALS",
  "code":"400",
  "error_description":"Invalid username or password."
}
    400   BAD_REQUEST          You will get this error whenever a required parameter is missing from the request.

Example Model:
{
  "status":"error",
  "error":"BAD_REQUEST",
  "code":"400",
  "error_description":"Invalid request."
}

Resource Request

Once you have the jwt_token, you can use it to request resources from the WordPress site as shown below.

Sample Request
    Request: GET /wp-json/wp/v2/posts
    Header: Authorization: Bearer <jwt_token>

The Header is explained below.

  • Authorization: The HTTP Authorization request header carries the credentials (the token type and the token value) used to authenticate the user agent with the server, typically after the server has responded to an unauthenticated request with a 401 Unauthorized status.

  • Bearer <jwt_token>: The bearer token is issued by the authentication server. When a client application sends it with a request, the server validates the token and responds to the client accordingly.
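The validation step described above, as an added Python example that is not the plugin's code: it parses the Authorization header, checks the three-segment JWT format, and verifies an HS256 signature, answering with the error models this page documents. It assumes HS256 signing with a constructed secret; mint_token is a hypothetical stand-in for the plugin's /token endpoint.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed; a real server keeps its key private

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Hypothetical stand-in for the plugin's /token endpoint: issue an HS256 JWT."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_request(headers: dict, secret: bytes = SECRET) -> dict:
    """Check a request's Authorization header; return {"status": "ok", "claims": ...}
    or an error model in the shape the plugin documents."""
    def err(code: int, name: str, desc: str) -> dict:
        return {"status": "error", "error": name, "code": str(code), "error_description": desc}
    auth = headers.get("Authorization")
    if auth is None:                                   # header absent or stripped by the server
        return err(401, "MISSING_AUTHORIZATION_HEADER", "Authorization header not received.")
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():  # e.g. "Basic ..." instead of Bearer
        return err(400, "INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE",
                   "Authorization header must be type of Bearer Token.")
    parts = token.strip().split(".")
    if len(parts) != 3:                                # must be HEADER.PAYLOAD.SIGNATURE
        return err(400, "SEGMENT_FAULT", "Incorrect JWT Format.")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                                 # bad base64url or JSON is also a bad format
        return err(400, "SEGMENT_FAULT", "Incorrect JWT Format.")
    # Only the algorithm the server is configured for is accepted ("alg": "none" is rejected).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return err(401, "INVALID_SIGNATURE", "JWT Signature is invalid.")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):         # constant-time comparison
        return err(401, "INVALID_SIGNATURE", "JWT Signature is invalid.")
    return {"status": "ok", "claims": payload}
```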

cURL:
    curl -H "Authorization: Bearer <jwt_token>" -X GET http://<wp_base_url>/wp-json/wp/v2/posts


The server replies with the requested data as JSON; the posts endpoint returns an array of post objects, as in the example below.

Success Response
    Code  Status   Description
    200   SUCCESS  Example model:
[{
  "id":1,
  "guid":{
  "rendered":"http://<wp_base_url>/?p=1"
  },
  "slug":"hello-world",
  "status":"publish",
  "type":"post",
  "link":"http://<wp_base_url>/hello-world/",
  "title":{
  "rendered":"Hello World"
  },
  "content":{
  "rendered":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start writing!<\/p>",
  "protected":false
  },...
}]
Error Response
    Code  Error          Description
    400   SEGMENT_FAULT  You will get this error when the JWT you sent is not in the correct format.

Example Model:
{
  "status":"error",
  "error":"SEGMENT_FAULT",
  "code":"400",
  "error_description":"Incorrect JWT Format."
}
    401   INVALID_SIGNATURE  You will get this error whenever the JWT signature is invalid.

Example Model:
{
  "status":"error",
  "error":"INVALID_SIGNATURE",
  "code":"401",
  "error_description":"JWT Signature is invalid."
}
    401   MISSING_AUTHORIZATION_HEADER  You will get this error whenever the Authorization header is not sent with the API request, or your server removed it for some reason.

Example Model:
{
  "status":"error",
  "error":"MISSING_AUTHORIZATION_HEADER",
  "code":"401",
  "error_description":"Authorization header not received. Either authorization header was not sent or it was removed by your server due to security reasons."
}

NOTE - This error can also be caused by the server environment: your server may strip the Authorization header for security reasons.

- If you are using an Apache server, put the following lines in your .htaccess file after the RewriteBase directive (the RewriteRule re-exports the header as the HTTP_AUTHORIZATION environment variable):
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} ^(.*)
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]

- If you are using an NGINX server, put the following line in your conf file:
  add_header Access-Control-Allow-Headers "Authorization";

    400   INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE  You will get this error whenever you send the Authorization header with the wrong token type.

Example Model:
{
  "status":"error",
  "error":"INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE",
  "code":"400",
  "error_description":"Authorization header must be type of Bearer Token."
}
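The complete flow, as an added Python example that is not the plugin's code: the client requests a token, reuses it until expires_in, sends it as the Bearer header on the posts request, and turns the error models above into exceptions. fake_wordpress is a constructed stand-in for the site so the code runs offline; the transport callable takes (method, url, headers, body) and returns (status, response text), so a urllib-based transport can replace it for a real site.

```python
import json, time

BASE_URL = "http://<wp_base_url>"  # placeholder, as on the page

class ApiError(Exception):
    """Raised for any error model the plugin returns ({"status": "error", ...})."""
    def __init__(self, model: dict):
        super().__init__(f'{model.get("code")} {model.get("error")}: {model.get("error_description")}')
        self.error = model.get("error")

class WpJwtClient:
    """Gets a token from /wp-json/api/v1/token, reuses it until expires_in, and sends it
    as 'Authorization: Bearer <jwt_token>'. transport(method, url, headers, body) -> (status, text)."""
    def __init__(self, username: str, password: str, transport, clock=time.time):
        self._body = f"username={username}&password={password}"  # form body, as in the curl example
        self._send, self._clock = transport, clock
        self._token, self._expires = None, 0

    def token(self) -> str:
        # expires_in is an absolute epoch time in the sample (iat + 3600); refresh 30 s early.
        if self._token is None or self._clock() >= self._expires - 30:
            status, text = self._send("POST", BASE_URL + "/wp-json/api/v1/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, self._body)
            data = json.loads(text)
            if status != 200 or data.get("status") == "error":
                raise ApiError(data)          # INVALID_CREDENTIALS or BAD_REQUEST
            self._token, self._expires = data["jwt_token"], data["expires_in"]
        return self._token

    def get_posts(self) -> list:
        status, text = self._send("GET", BASE_URL + "/wp-json/wp/v2/posts",
                                  {"Authorization": "Bearer " + self.token()}, None)
        data = json.loads(text)
        if isinstance(data, dict) and data.get("status") == "error":
            raise ApiError(data)              # SEGMENT_FAULT, INVALID_SIGNATURE, ...
        return data

def fake_wordpress(method, url, headers, body):
    """Constructed stand-in for the site, answering with the models shown on this page."""
    if url.endswith("/wp-json/api/v1/token"):
        if method == "POST" and body == "username=demo&password=demo-pass":
            return 200, json.dumps({"token_type": "Bearer", "iat": 1572861717,
                                    "expires_in": 1572865317, "jwt_token": "HEADER.PAYLOAD.SIGNATURE"})
        return 400, json.dumps({"status": "error", "error": "INVALID_CREDENTIALS", "code": "400",
                                "error_description": "Invalid username or password."})
    if headers.get("Authorization") == "Bearer HEADER.PAYLOAD.SIGNATURE":
        return 200, json.dumps([{"id": 1, "slug": "hello-world", "status": "publish"}])
    return 401, json.dumps({"status": "error", "error": "INVALID_SIGNATURE", "code": "401",
                            "error_description": "JWT Signature is invalid."})
```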