WordPress JWT Authentication

Auth0 provides a plugin to enable JWT authentication for your APIs. It is compatible with any API that uses the determine_current_user function to retrieve the logged in user (such as WP REST API).

Installation

You can install the plugin using either of the following methods:

  1. Install WordPress JWT Authentication from the WordPress Store;
  2. Download the zip file from WordPress JWT Authentication and upload the wp-jwt-auth folder to the /wp-content/plugins/ directory of your WordPress installation.

After installation, activate the plugin through the Plugins menu in WordPress.

Configure the Plugin's Settings

After you've activated your plugin, provide the following values for your Auth0 account:

  • Aud: Usually your Client Id. Verifies that the token was intended for you.
  • Secret: Your Client Secret. Verifies the token signature.
  • Base64 Secret Encoded: If enabled, the secret is treated as base64-encoded and decoded before it is used to verify the signature.
  • User Repository: Empty by default. If empty, the plugin checks for a user whose User Property matches the JWT Attribute defined in each field. You can create a custom User Repository by implementing a static method called getUser to receive the decoded JWT and return a WP_User instance.
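
As an added example (not the plugin's own code), a minimal custom User Repository of the kind described above: it implements the static getUser method, looks the user up by a stable identifier and fails closed when the mapping is missing or ambiguous. The class name, the use of the sub claim, the auth0_user_id meta key, and returning null to signal "no matching user" are all assumptions of this illustration.

```php
<?php
// Added example of a custom User Repository for the WordPress JWT
// Authentication plugin. The plugin calls a static getUser() with the decoded
// JWT and expects a WP_User back. The class name, the "sub" claim and the
// "auth0_user_id" meta key are assumptions for this illustration.

class Example_Jwt_User_Repository {

    /** User meta key assumed to hold the identity provider's stable user id. */
    const META_KEY = 'auth0_user_id';

    /**
     * @param object $jwt Decoded JWT payload (object of claims).
     * @return WP_User|null The matching user, or null to reject the request
     *                      (null-on-failure is an assumption of this example).
     */
    public static function getUser( $jwt ) {
        // Match on the stable subject identifier, never on a mutable claim
        // such as a display name; "sub" is assumed to be present in the token.
        if ( ! is_object( $jwt ) || empty( $jwt->sub ) || ! is_string( $jwt->sub ) ) {
            return null;
        }

        // Exact-match lookup against user meta. Ask for up to two rows so that
        // a duplicate mapping (two accounts claiming one subject) is detectable.
        $users = get_users( array(
            'meta_key'     => self::META_KEY,
            'meta_value'   => $jwt->sub,
            'meta_compare' => '=',
            'number'       => 2,
            'fields'       => 'all',
        ) );

        // Zero matches: unknown identity, do not auto-provision an account.
        // Two matches: ambiguous mapping, fail closed rather than pick one.
        if ( count( $users ) !== 1 ) {
            return null;
        }

        return ( $users[0] instanceof WP_User ) ? $users[0] : null;
    }
}
```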

Integration with the Auth0 WordPress plugin

If you've also installed and enabled the latest version of the Auth0 WordPress Plugin, you can opt to configure the Auth0 WordPress plugin automatically, which sets your client id, client secret and the Auth0 User Repository.

Authenticating requests

To authenticate a request using JWT, add an Authorization header to the request:

Authorization: Bearer YOUR-TOKEN

for example:

Authorization: Bearer eyJhbGciOiJIUzIsNiIsInR5cCI6IkpXVCJ9.eyJjb250ZW50IjoiVGhpcyBpcyB5b3VyIHVzZXIgSldUIHByb3ZpZGVkIGJ5IHRoZSBBdXRoMCBzZXJ2rXIifQ.b47GoWoY_5n4jIyGghPTLFEQtSegnVydcvl6gpWNeUE

Resources