{"id":254755,"date":"2025-12-11T17:52:58","date_gmt":"2025-12-11T17:52:58","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/jwt-auth-pro-for-wp-rest-api-secure-refresh-tokens\/"},"modified":"2025-12-11T18:02:42","modified_gmt":"2025-12-11T18:02:42","slug":"juanma-jwt-auth-pro","status":"publish","type":"plugin","link":"https:\/\/ar.wordpress.org\/plugins\/juanma-jwt-auth-pro\/","author":14555470,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.2.1","stable_tag":"1.2.1","tested":"6.8.5","requires":"5.6","requires_php":"7.4","requires_plugins":null,"header_name":"JuanMa JWT Auth Pro","header_author":"Juan Manuel Garrido","header_description":"Modern JWT authentication with refresh tokens for WordPress REST API - built for SPAs and mobile apps","assets_banners_color":"737373","last_updated":"2025-12-11 18:02:42","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/github.com\/juanma-wp\/jwt-auth-pro-wp-rest-api","header_plugin_uri":"https:\/\/github.com\/juanma-wp\/jwt-auth-pro-wp-rest-api","header_author_uri":"https:\/\/juanma.codes","rating":0,"author_block_rating":0,"active_installs":0,"downloads":168,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.2.1":{"tag":"1.2.1","author":"juanmaguitar","date":"2025-12-11 
18:02:42"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-256x256.jpg":{"filename":"icon-256x256.jpg","revision":3418045,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3420246,"resolution":"1544x500","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.2.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3418045,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3418045,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3418045,"resolution":"3","location":"assets","locale":""}},"screenshots":{"1":"Admin configuration interface","2":"Security settings panel","3":"Token management dashboard","4":"CORS configuration"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[710,38851,23853,600,39819],"plugin_category":[38,54],"plugin_contributors":[252118],"plugin_business_model":[],"class_list":["post-254755","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-jwt","plugin_tags-rest-api","plugin_tags-security","plugin_tags-tokens","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-juanmaguitar","plugin_committers-juanmaguitar"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/juanma-jwt-auth-pro\/assets\/icon-256x256.jpg?rev=3418045","icon_2x":"https:\/\/ps.w.org\/juanma-jwt-auth-pro\/assets\/icon-256x256.jpg?rev=3418045","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/juanma-jwt-auth-pro\/assets\/screenshot-1.png?rev=3418045","caption":"Admin configuration interface"},{"src":"https:\/\/ps.w.org\/juanma-jwt-auth-pro\/assets\/screenshot-2.png?rev=3418045","caption":"Security settings 
panel"},{"src":"https:\/\/ps.w.org\/juanma-jwt-auth-pro\/assets\/screenshot-3.png?rev=3418045","caption":"Token management dashboard"}],"raw_content":"<!--section=description-->\n<p>Unlike basic JWT plugins that use <strong>single long-lived tokens<\/strong>, JWT Auth Pro implements <strong>modern OAuth 2.0 security best practices<\/strong> with short-lived access tokens and secure refresh tokens.<\/p>\n\n<h4>Why JWT Auth Pro?<\/h4>\n\n<p><strong>The Problem with Basic JWT Plugins:<\/strong><\/p>\n<ul>\n<li>Long-lived tokens (24h+) = Higher security risk<\/li>\n<li>No refresh mechanism = Tokens live until expiry<\/li>\n<li>XSS vulnerable = Tokens stored in localStorage<\/li>\n<li>No revocation = Can't invalidate compromised tokens<\/li>\n<\/ul>\n\n<p><strong>JWT Auth Pro Solution:<\/strong><\/p>\n<ul>\n<li>Short-lived access tokens (1h default) = Minimal attack window<\/li>\n<li>Secure refresh tokens = HTTP-only cookies, XSS protected<\/li>\n<li>Automatic token rotation = Fresh tokens on each refresh<\/li>\n<li>Complete session control = Revoke any user session instantly<\/li>\n<\/ul>\n\n<h4>Features<\/h4>\n\n<ul>\n<li><strong>Simple JWT Authentication<\/strong> - Clean, stateless token-based auth<\/li>\n<li><strong>HTTPOnly Refresh Tokens<\/strong> - Secure refresh tokens in HTTP-only cookies<\/li>\n<li><strong>Token Rotation<\/strong> - Automatic refresh token rotation for enhanced security<\/li>\n<li><strong>CORS Support<\/strong> - Proper cross-origin request handling<\/li>\n<li><strong>Clean Admin Interface<\/strong> - Simple configuration in WordPress admin<\/li>\n<li><strong>Developer Friendly<\/strong> - Clear endpoints and documentation<\/li>\n<\/ul>\n\n<h4>Security Comparison<\/h4>\n\n<table>\n<thead>\n<tr>\n<th>Feature<\/th>\n<th>Basic JWT Plugins<\/th>\n<th>JWT Auth Pro<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Token Lifetime<\/td>\n<td>Long (hours\/days)<\/td>\n<td>Short (1 hour)<\/td>\n<\/tr>\n<tr>\n<td>Refresh Tokens<\/td>\n<td>None<\/td>\n<td>Secure HTTP-only<\/td>\n<\/tr>\n<tr>\n<td>XSS Protection<\/td>\n<td>Limited<\/td>\n<td>HTTP-only cookies<\/td>\n<\/tr>\n<tr>\n<td>Token Revocation<\/td>\n<td>Manual only<\/td>\n<td>Automatic rotation<\/td>\n<\/tr>\n<tr>\n<td>Session Management<\/td>\n<td>None<\/td>\n<td>Database tracking<\/td>\n<\/tr>\n<tr>\n<td>Security Metadata<\/td>\n<td>None<\/td>\n<td>IP + User Agent<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n<h4>Perfect for:<\/h4>\n\n<ul>\n<li>Single Page Applications (React, Vue, Angular)<\/li>\n<li>Mobile Applications (iOS, Android)<\/li>\n<li>API Integrations (Third-party services)<\/li>\n<li>Headless WordPress (Decoupled architecture)<\/li>\n<\/ul>\n\n<h4>API Endpoints<\/h4>\n\n<ul>\n<li><code>POST \/wp-json\/jwt\/v1\/token<\/code> - Login and get access token<\/li>\n<li><code>POST \/wp-json\/jwt\/v1\/refresh<\/code> - Refresh access token<\/li>\n<li><code>GET \/wp-json\/jwt\/v1\/verify<\/code> - Verify token and get user info<\/li>\n<li><code>POST \/wp-json\/jwt\/v1\/logout<\/code> - Logout and revoke refresh token<\/li>\n<\/ul>\n\n<h3>Security<\/h3>\n\n<ul>\n<li><strong>Stateless Authentication<\/strong> - JWT tokens contain all necessary information<\/li>\n<li><strong>HTTPOnly Cookies<\/strong> - Refresh tokens stored securely, inaccessible to JavaScript<\/li>\n<li><strong>Token Rotation<\/strong> - Refresh tokens automatically rotate on use<\/li>\n<li><strong>Configurable Expiration<\/strong> - Set custom expiration times<\/li>\n<li><strong>IP &amp; User Agent Tracking<\/strong> - Additional security metadata<\/li>\n<\/ul>\n\n<h3>Support<\/h3>\n\n<p>For support and documentation, visit: https:\/\/github.com\/juanma-wp\/jwt-auth-pro-wp-rest-api<\/p>\n\n<h3>Privacy Policy<\/h3>\n\n<p>This plugin stores user session data including IP addresses and user agent strings for security purposes. 
This data is used solely for authentication and security monitoring.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin files to <code>\/wp-content\/plugins\/<\/code> directory<\/li>\n<li>Activate the plugin through the 'Plugins' screen in WordPress<\/li>\n<li>Go to Settings \u2192 JWT Auth Pro to configure the plugin<\/li>\n<\/ol>\n\n<h4>Configuration<\/h4>\n\n<p><strong>Via wp-config.php (Recommended for production):<\/strong><\/p>\n<pre><code class=\"language-php\">define('JWT_AUTH_PRO_SECRET', 'your-super-secret-key-here');\ndefine('JWT_AUTH_PRO_ACCESS_TTL', 3600);      \/\/ 1 hour\ndefine('JWT_AUTH_PRO_REFRESH_TTL', 2592000);  \/\/ 30 days<\/code><\/pre>\n\n<p><strong>Via WordPress Admin:<\/strong> Go to Settings \u2192 JWT Auth Pro to configure:<\/p>\n<ul>\n<li>JWT Secret Key<\/li>\n<li>Token expiration times<\/li>\n<li>CORS allowed origins<\/li>\n<li>Debug logging<\/li>\n<\/ul>\n\n<!--section=faq-->\n<dl>\n<dt id='how%20is%20this%20different%20from%20other%20jwt%20plugins%3F'><h3>How is this different from other JWT plugins?<\/h3><\/dt>\n<dd><p>JWT Auth Pro implements modern security best practices with short-lived access tokens and secure refresh tokens, unlike basic JWT plugins that use long-lived tokens vulnerable to XSS attacks.<\/p><\/dd>\n<dt id='is%20https%20required%3F'><h3>Is HTTPS required?<\/h3><\/dt>\n<dd><p>HTTPS is strongly recommended for HTTPOnly cookies to work securely, especially in production environments.<\/p><\/dd>\n<dt id='can%20i%20use%20this%20with%20mobile%20apps%3F'><h3>Can I use this with mobile apps?<\/h3><\/dt>\n<dd><p>Yes! 
JWT Auth Pro is designed specifically for modern applications including mobile apps, SPAs, and API integrations.<\/p><\/dd>\n<dt id='how%20do%20i%20revoke%20a%20user%27s%20session%3F'><h3>How do I revoke a user's session?<\/h3><\/dt>\n<dd><p>You can revoke individual user sessions through the admin interface or programmatically using the provided API endpoints.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>JWT authentication with access and refresh tokens<\/li>\n<li>HTTPOnly cookie support for secure refresh tokens<\/li>\n<li>Automatic token rotation<\/li>\n<li>CORS configuration<\/li>\n<li>Admin interface for plugin configuration<\/li>\n<li>Database session tracking<\/li>\n<li>IP and User Agent metadata for enhanced security<\/li>\n<\/ul>","raw_excerpt":"Modern JWT authentication with refresh tokens - built for SPAs and mobile apps with enterprise-grade security.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/254755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=254755"}],"author":[{"embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/juanmaguitar"}],"wp:attachment":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=254755"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=254755"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=254755"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v
2\/plugin_category?post=254755"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=254755"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=254755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}