JWT Authentication
Technically, a JWT is a mechanism to verify the owner of some JSON data. It is a URL-safe encoded string that is not limited in size the way a cookie is, and it is cryptographically signed. When a server receives a JWT it can trust the data the token contains because the token was signed by its source: any modification by a middleman after the token is issued invalidates the signature. Note that a signed JWT is not encrypted; anyone holding the token can read its payload, so treat the token itself as a secret.
A JWT is signed and validated with one of two algorithm families: HMAC (referred to here as HSA) and RSA.
Every REST API request must carry the JWT in the Authorization header (or in a custom header that you configure). Whenever a client application requests a resource, the request must include that header with a valid JWT.
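The signing and validation described above, as an added Python example (not the plugin's own code) that mints an HS256 token with the standard library and shows why a tampered or expired token is rejected. The secret and claims are constructed for the demo; the error names SEGMENT_FAULT and INVALID_SIGNATURE follow the plugin's error table on this page, while TOKEN_EXPIRED is a name chosen for this example only.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


class JWTError(Exception):
    """Carries an error name in the style of the plugin's error table."""


def _b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding, which keeps the token URL-safe.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: Dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_hs256(payload: Dict[str, Any], secret: bytes) -> str:
    """Build HEADER.PAYLOAD.SIGNATURE, signing the first two segments with HMAC-SHA256."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_hs256(token: str, secret: bytes, now: int) -> Dict[str, Any]:
    """Return the claims only if structure, algorithm, signature and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("SEGMENT_FAULT")  # wrong number of segments
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (UnicodeDecodeError is a ValueError too)
        raise JWTError("SEGMENT_FAULT")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise JWTError("SEGMENT_FAULT")
    # Pin the algorithm: the verifier decides how tokens are signed, never the token's header.
    if header.get("alg") != "HS256":
        raise JWTError("INVALID_SIGNATURE")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise JWTError("INVALID_SIGNATURE")
    if "exp" in payload and now >= int(payload["exp"]):
        raise JWTError("TOKEN_EXPIRED")  # error name constructed for this example
    return payload


def tampered_copy(token: str, claim: str, value: Any) -> str:
    """Rewrite one claim while keeping the original signature (what a middleman could do)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload[claim] = value
    return ".".join([header_b64, _encode_json(payload), sig_b64])


def verification_result(token: str, secret: bytes, now: int) -> str:
    """'OK' or the error name; convenient for logging and for tests."""
    try:
        verify_hs256(token, secret, now)
        return "OK"
    except JWTError as exc:
        return str(exc)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; a real key is random and kept server-side
    token = mint_hs256({"sub": "alice", "iat": 1572861717, "exp": 1572865317}, secret)
    print(token)
    print("valid   :", verification_result(token, secret, 1572862000))
    print("expired :", verification_result(token, secret, 1572865317))
    print("tampered:", verification_result(tampered_copy(token, "sub", "carol"), secret, 1572862000))
```

The verifier rejects a token whose header names any algorithm other than the one the server was configured with; letting the token choose the algorithm is the classic JWT validation mistake, and pinning it costs one comparison.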
Token Request
You do not have to build the JWT yourself: request one from the WordPress REST API Authentication plugin. A sample token request follows.
Sample Request
Request: POST /wp-json/api/v1/token
Body (form-encoded):
username = <wordpress_username>
password = <wordpress_password>
cURL:
curl -d "username=<wordpress_username>&password=<wordpress_password>" -X POST http://<wp_base_url>/wp-json/api/v1/token
Success Response
| Code | Status | Description |
|---|---|---|
| 200 | SUCCESS | You will get the JWT token in the response. Example model: { "token_type":"Bearer", "iat":1572861717, "expires_in":1572865317, "jwt_token":"HEADER.PAYLOAD.SIGNATURE" } |
Error Response
| Code | Error | Description |
|---|---|---|
| 400 | INVALID_CREDENTIALS | You will get this error when either the username or the password is incorrect. Example model: { "status":"error", "error":"INVALID_CREDENTIALS", "code":"400", "error_description":"Invalid username or password." } |
| 400 | BAD_REQUEST | You will get this error whenever a required parameter is missing from the request. Example model: { "status":"error", "error":"BAD_REQUEST", "code":"400", "error_description":"Invalid request." } |
Resource Request
Once you have the jwt_token, use it to request resources from the WordPress site as shown below.
Sample Request
Request: GET /wp-json/wp/v2/posts
Header: Authorization: Bearer <jwt_token>
The header is explained below.
- Authorization: The HTTP Authorization request header carries the credentials, here a token type and a token value, that authenticate a user agent with a server. Clients usually send it after the server has answered an unauthenticated request with a 401 Unauthorized status.
- Bearer <jwt_token>: The bearer token is issued by the authentication server. When a client application presents it, the server validates the token and responds to the client accordingly.
cURL:
curl -H "Authorization: Bearer <jwt_token>" -X GET http://<wp_base_url>/wp-json/wp/v2/posts
The server replies with the requested data as the members of a JSON object.
Success Response
| Code | Status | Description |
|---|---|---|
| 200 | SUCCESS | Example model: [{ "id":1, "guid":{ "rendered":"http://<wp_base_url>/?p=1" }, "slug":"hello-world", "status":"publish", "type":"post", "link":"http://<wp_base_url>/hello-world/", "title":{ "rendered":"Hello World" }, "content":{ "rendered":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start writing!<\/p>", "protected":false },... }] |
Error Response
| Code | Error | Description |
|---|---|---|
| 400 | SEGMENT_FAULT | You will get this error when the JWT you sent is not in the correct format. Example model: { "status":"error", "error":"SEGMENT_FAULT", "code":"400", "error_description":"Incorrect JWT Format." } |
| 401 | INVALID_SIGNATURE | You will get this error whenever the JWT signature is not valid. Example model: { "status":"error", "error":"INVALID_SIGNATURE", "code":"401", "error_description":"JWT Signature is invalid." } |
| 401 | MISSING_AUTHORIZATION_HEADER | You will get this error whenever you do not send the header in the API request, or your server removed it (see the note below the table). Example model: { "status":"error", "error":"MISSING_AUTHORIZATION_HEADER", "code":"401", "error_description":"Authorization header not received. Either authorization header was not sent or it was removed by your server due to security reasons." } |
| 400 | INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE | You will get this error whenever you send the Authorization header with the wrong token type. Example model: { "status":"error", "error":"INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE", "code":"400", "error_description":"Authorization header must be type of Bearer Token." } |
NOTE: MISSING_AUTHORIZATION_HEADER can also be caused by the server environment; your web server may strip the Authorization header for security reasons.
- If you are using an Apache server, put the following lines in your .htaccess file after the RewriteBase:
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
- If you are using an NGINX server, put the following line in your conf file:
add_header Access-Control-Allow-Headers "Authorization";
(add_header sets a response header, which matters for cross-origin browser requests; it does not by itself make NGINX forward a request header that an upstream component has dropped.)
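The whole flow documented above, from the token request through the resource request, with a client that branches on each documented error name, as an added Python example that is not part of the plugin or its documentation. The base URL http://wp.example, the credentials demo / demo-pass and fake_transport are assumptions: fake_transport is a constructed stand-in that replays the responses from the tables above so the example runs offline (it only counts token segments and compares against the placeholder token; a real server recomputes the signature), while urllib_transport is what you would pass to talk to an actual site.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

TOKEN_PATH = "/wp-json/api/v1/token"
POSTS_PATH = "/wp-json/wp/v2/posts"

# A transport sends one request and returns (HTTP status, response body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class ApiError(Exception):
    """One of the plugin's {"status": "error", ...} responses."""

    def __init__(self, status: int, error: str, description: str):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport for an actual site (not used by the offline demo)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # 4xx/5xx replies still carry the JSON error body
        return exc.code, exc.read()


def _parse(status: int, raw: bytes):
    data = json.loads(raw)
    info = data if isinstance(data, dict) else {}
    if status != 200 or info.get("status") == "error":
        raise ApiError(status, info.get("error", "UNKNOWN"), info.get("error_description", ""))
    return data


def get_token(base_url: str, username: str, password: str, transport: Transport = urllib_transport) -> str:
    """POST form-encoded credentials to /wp-json/api/v1/token and return jwt_token."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return _parse(*transport("POST", base_url + TOKEN_PATH, headers, body))["jwt_token"]


def get_posts(base_url: str, jwt_token: str, transport: Transport = urllib_transport):
    """GET /wp-json/wp/v2/posts with the token in 'Authorization: Bearer <jwt_token>'."""
    return _parse(*transport("GET", base_url + POSTS_PATH, {"Authorization": "Bearer " + jwt_token}, None))


# ---- constructed stand-in for the plugin, so the example runs offline ----
DEMO_USER, DEMO_PASS = "demo", "demo-pass"  # constructed credentials
DEMO_TOKEN = "HEADER.PAYLOAD.SIGNATURE"     # placeholder token from the docs


def _err(status: int, code: str, description: str) -> Tuple[int, bytes]:
    body = {"status": "error", "error": code, "code": str(status), "error_description": description}
    return status, json.dumps(body).encode()


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Replays the documented success and error responses."""
    path = urllib.parse.urlparse(url).path
    if method == "POST" and path == TOKEN_PATH:
        form = urllib.parse.parse_qs((body or b"").decode())
        if "username" not in form or "password" not in form:
            return _err(400, "BAD_REQUEST", "Invalid request.")
        if form["username"] == [DEMO_USER] and form["password"] == [DEMO_PASS]:
            issued = {"token_type": "Bearer", "iat": 1572861717, "expires_in": 1572865317, "jwt_token": DEMO_TOKEN}
            return 200, json.dumps(issued).encode()
        return _err(400, "INVALID_CREDENTIALS", "Invalid username or password.")
    if method == "GET" and path == POSTS_PATH:
        auth = headers.get("Authorization")
        if auth is None:
            return _err(401, "MISSING_AUTHORIZATION_HEADER", "Authorization header not received.")
        scheme, _, token = auth.partition(" ")
        if scheme != "Bearer":
            return _err(400, "INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE", "Authorization header must be type of Bearer Token.")
        if token.count(".") != 2:
            return _err(400, "SEGMENT_FAULT", "Incorrect JWT Format.")
        if token != DEMO_TOKEN:  # a real server recomputes the HMAC/RSA signature here
            return _err(401, "INVALID_SIGNATURE", "JWT Signature is invalid.")
        return 200, json.dumps([{"id": 1, "slug": "hello-world", "status": "publish", "type": "post"}]).encode()
    return _err(404, "NOT_FOUND", "constructed: route not served by the stand-in")


def run_demo(base_url: str = "http://wp.example", transport: Transport = fake_transport) -> Dict[str, object]:
    """Walk the documented flow and record what each request yields."""
    outcome: Dict[str, object] = {}
    token = get_token(base_url, DEMO_USER, DEMO_PASS, transport)
    outcome["token"] = token
    outcome["first_slug"] = get_posts(base_url, token, transport)[0]["slug"]
    failures = {
        "wrong_password": lambda: get_token(base_url, DEMO_USER, "not-the-password", transport),
        "missing_password": lambda: _parse(*transport("POST", base_url + TOKEN_PATH, {}, b"username=demo")),
        "no_header": lambda: _parse(*transport("GET", base_url + POSTS_PATH, {}, None)),
        "basic_not_bearer": lambda: _parse(*transport("GET", base_url + POSTS_PATH, {"Authorization": "Basic abc"}, None)),
        "malformed_token": lambda: get_posts(base_url, "not-a-jwt", transport),
        "wrong_signature": lambda: get_posts(base_url, "HEADER.PAYLOAD.OTHER", transport),
    }
    for label, call in failures.items():
        try:
            call()
            outcome[label] = "OK"
        except ApiError as exc:
            outcome[label] = exc.error  # the error name is what client code should branch on
    return outcome
```

Client code should branch on the error name rather than on the numeric code alone, because the plugin reuses 400 for both a missing parameter and a malformed token; the one case that is not a client bug, MISSING_AUTHORIZATION_HEADER, usually points at the web server configuration described in the note above.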