How to: Make JWT-authenticated requests to the WordPress API

Why JWT authentication

I’m building a site that uses WordPress as the back-end, and a React+Redux app as the front-end, so I’m pulling all the content in the front-end by making requests to the WordPress API. Some requests (mainly, POST requests) must be authenticated, which is when I came across JWT.

What we need

To use JWT authentication with WordPress, we first need to install the JWT Authentication for WP REST API plugin. As is explained in the plugin’s instructions, we also need to modify some core WordPress files. In particular:

In the .htaccess file included in the WordPress installation’s root folder, we need to add the following lines:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

In the wp-config.php file, also included in the WordPress installation’s root folder, we need to add these lines:

define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key'); // Replace 'your-top-secret-key' with an actual secret key.
define('JWT_AUTH_CORS_ENABLE', true);

Testing to see if JWT is available

To verify that we can now use JWT, fire up Postman and make a request to the WordPress API’s default ‘index’:

http://example.com/wp-json/

A few new endpoints, like /jwt-auth/v1 and /jwt-auth/v1/token should have been added to the API. If you can find them in the response to the above request, it means JWT is now available.

Getting the JWT token

Let’s stay in Postman for the moment, and let’s request a token to the WordPress API:

http://example.com/wp-json/jwt-auth/v1/token

The response will contain the JWT token, which is an encrypted key that looks something like this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODg4OFwvZm90b3Jvb20tbmV4dCIsImlhdCI6MTUyMjU5NzQ1MiwibmJmIjoxNTIyNTk3NDUyLCJleHAiOjE1MjMyMDIyNTIsImRhdGEiOnsidXNlciI6eyJpZCI6IjEifX19.hxaaT9iowAX1Xf8RUM42OwbP7QgRNxux8eTtKhWvEUM

Making an authenticated request

Let’s try to change the title of a post with an ID of 300 as an example of an authenticated request with JWT.

In Postman, choose POST as the method and type the following endpoint:

http://example.com/wp-json/wp/v2/posts/300

Choose No Auth in the Authorization tab, and add the following in the Headers tab:

'Content-type': 'application/json', 
'Authorization': 'Bearer jwtToken' // Replace jwtToken with the actual token (the encrypted key above)

Finally, in the Body tab, select the raw and JSON (application/json) options, then in the editor right below the options type the following:

{ "title": "YES! Authenticated requests with JWT work" }

Now you can hit SEND. Look in the response tab with all the data about the post that we requested: the value for the title key should now be YES! Authenticated requests with JWT work

Related Posts:

  1. WordPress Rest API: How do we validate with our custom API key?
  2. How to Authenticate WP REST API with JWT Authentication using Fetch API
  3. authentication issue with rest api – rest_cannot_create
  4. Can I authenticate with both WooCommerce consumer key and JWT?
  5. WP REST API: check if user is logged in
  6. How to login to WordPress site using basic authentication HTTP headers?
  7. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  8. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  9. Can’t GET draft posts via REST API from headless frontend
  10. Create Session with JWT
  11. WP REST API GET Requests require authentication
  12. current_user_can(‘administrator’) returns false when I’m logged in
  13. Authenticating with REST API
  14. Make authorization mandatory on custom routes
  15. WP REST API – Nonce passes wp_verify_nonce even after logout
  16. How to force JWT auth for default GET endpoints of WordPress rest api?
  17. REST API: best place to set current user for JWT auth?
  18. WordPress + REST API v2 and private pages Load by slug
  19. REST API authentication for a plugin
  20. PHP: authenticate for a REST request?
  21. Rest API basic auth not working
  22. Authenticate current user to REST API
  23. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  24. Getting 401 from ajax using an application password
  25. How to connect android app with WordPress website?
  26. WordPress REST API calls that depend on the WordPress User
  27. WordPress HTTP API NTLM Authentication
  28. Advanced Access Manager: RESTful endpoint to refresh token
  29. Best Authetication between REST API and Mobile App
  30. Log in user using WordPress REST API
  31. Secure WordPress API, how?
  32. wp_nonce vs jwt
  33. register/login api
  34. How can I secure my custom rest api endpoint or add under a already existing rest group
  35. Register rest field authentication with REST API
  36. REST API Integration without user account?
  37. WP REST API with Basic Auth at target website
  38. Cant POST with REST API on WordPress
  39. REST API – Authentication/Logon security
  40. custom REST endpoints and application passwords
  41. wordpress rest api authentication failed
  42. Getting user meta data from WP REST API
  43. how to authenticate for the REST API from a plugin and from command line
  44. Increase per_page limit in REST API
  45. Can’t send emails through REST API
  46. Rest API authentication issue when called from fetch request in bundle.js
  47. WordPress Gutenberg get page template value when post updated?
  48. WP Rest API convert permalink to post ID for fetch
  49. How to update custom meta fields with rest api?
  50. Formating content rendered from wordpress REST API as JSON and not HTML
  51. Rest API and Custom Fields
  52. How to filter users on custom meta fields in WP JSON v2?
  53. How can I return an image from a custom REST API endpoint?
  54. WP Rest API: Get User by Email
  55. Gutenberg Custom Block Getting All Posts
  56. Check Password Strength using WordPress API
  57. Send request to WordPress REST API
  58. Request to REST endpoint works fine in browser and curl, but fails from WP_REST_Request
  59. WP REST api.wordpress.org discovery
  60. Rest API in integration tests – filtering by slug not working?
  61. How to hook into “register_rest_field” to modify the behavior of a custom field?
  62. How do you format the set_body option for WP_Rest_Request?
  63. featured image not found in json from wp rest api
  64. How to enable the view of revisions of post in WordPress Api for custom post type?
  65. Problem on creating custom endpoints for REST
  66. is it possible to filter a rest api endpoint by using a registered rest field?
  67. rendering view in backbone
  68. Update a post based on results from GET request to another server
  69. WP REST API can’t set post tags
  70. Manipulating/view postmeta remotely
  71. WP API post__not_in is not working
  72. Check authentication credentials using WP REST API
  73. WordPress REST API V2: how to get list of all posts?
  74. How to get data from /wp-json/wp/v2/users/me
  75. WordPress REST API parameters are not affecting a response
  76. Update meta_value in wp_postmeta using API
  77. WordPress plugin with CORS
  78. REST API – Allow /users endpoint depending on a custom capability
  79. “Error: cURL error 60: SSL certificate problem: certificate has expired” when create product in WooCommerce via REST API
  80. How to use WordPress REST api to login a user?
  81. Can I overwrite default WordPress Json API For no more pages text
  82. Create User with Profile and Cover Images using REST API
  83. Wrong encoding of dynamic block properties problem when loggen in as editor
  84. Media gallery images url instead of ID on WP API
  85. What’s the right way to validate JSON data coming from an AJAX POST request?
  86. Need wp rest api for featured video post
  87. WordPress API “code”:”rest_no_route” with Custom Route
  88. WordPress Update Role using API Cross site
  89. Rest API. Post content
  90. REST api header link href
  91. Error rest_post_invalid_page_number trying to call Rest API
  92. WordPress & React Native
  93. update meta data (like view counter) by rest-api
  94. Rest API hook ‘rest_insert_post’ not returning request object
  95. How Can I keep password protected posts in the json requests but not on frontend queries?
  96. WP_REST_Request::get_json_params() Parsing null as Zero
  97. Script tag in string in wordpress rest api body to create post
  98. Securing REST API wp-json/wp/v2/users endpoint
  99. Customizer Changeset, Sidebar and Rest API Custom Endpoints
  100. WordPress REST API won’t allow me to filter by author ID when called internally, works externally in Postman

Leave a Comment