JSON Web Tokens are an open and standard (RFC 7519) way for you to represent your user’s identity securely during a two-party interaction. That is to say, when two systems exchange data you can use a JSON Web Token to identify your user without having to send private credentials on every request.
This blog post covers using JSON Web Tokens (JWT) authentication support with the JWT Authentication for JSON API User Plus plugin for REST calls to WordPress website, and examples screenshots sending requests to the API using Postman.
JSON API and User Plus WordPress Plugins provided WordPress user authentication with cookie and other social accounts such a Facebook and Google with fb_connect and google_connect endpoints via REST call. Recently a new method of authentication has been added in the User Plus plugin, and that is JWT. JSON Web Token (JWT) Authentication allows you to do REST API authentication via token. It is a simple, non-complex, and easy to use.
1. generate_jwt Endpoint
This endpoint is used to generate JSON Web Token for the user for JSON API Plugin for WordPress. This token is used for user authentication throughout the user related endpoints.
Generated JWT is valid for 14 days.
Optional ‘seconds’ var can be used to limit the duration. If provided, generated token will be valid for that many seconds, otherwise default is for 14 days.
Example for valid jwt for 1 minute:
You can can also submit the data using JSON format. Please see following examples of sending requests using Postman
Post method values screenshot:
Post method raw JSON values screenshot:
2. validate_jwt Endpoint
validate_jwt endpoint allows you to verify valid JSON Web Token JWT. The generated token will include user cookie, ID, and username, apart from expiry and domain and other information. In addition to the token signature verification, this end point will also verify if the cookie is valid or not. Internally, cookie will be used to identify to user.
There are three ways you can send the JWT to the endpoint:
- With standard Post method
- With the header Authorization: Bearer Token
- With the JSON raw body data format
Please see Postman screenshot for all three requests.
With standard Post method variable:
With the header Authorization: Bearer Token:
With the JSON raw body data format:
3. Using JWT as replacement of cookie variable
Since cookie var is being used in all those endpoints where user authentication is required, JWT can also be used if you do not want to use cookie. This is valid for all endpoints where cookie is defined as required. Internally, when the JWT is received via any of the above three mentioned ways, it is decoded, signature is verified and expiry is checked and it all is well, and cookie value is used for user authentication after cookie validation, so it is quite secure.
For example, get_user_meta endpoint requires cookie value, but you can pass on jwt and it will automatically extract cookie form it and use it for user authentication. Please see the following screenshot:
This endpoint is used to get user meta. JSON Web Token jwt can be sent via normal variable with POST request or sent via bearer authorisation header.
Sending JWT with header Authorisation:
This update has added more options for you to authenticate user via REST call using JSON API User Plus plugin for WordPress websites and mobile apps.
Hope that helps.