How to: Make JWT-authenticated requests to the WordPress API

This is not really a question but a guide on how to make authenticated requests to the WordPress API using JWT. I’m writing this as a reminder to myself and for those who may need some help with the same topic.


Why JWT authentication

I’m building a site that uses WordPress as the back-end, and a React+Redux app as the front-end, so I’m pulling all the content in the front-end by making requests to the WordPress API. Some requests (mainly, POST requests) must be authenticated, which is when I came across JWT.

What we need

To use JWT authentication with WordPress, we first need to install the JWT Authentication for WP REST API plugin. As is explained in the plugin’s instructions, we also need to modify some core WordPress files. In particular:

In the .htaccess file included in the WordPress installation’s root folder, we need to add the following lines:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

In the wp-config.php file, also included in the WordPress installation’s root folder, we need to add these lines:

define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key'); // Replace 'your-top-secret-key' with an actual secret key.
define('JWT_AUTH_CORS_ENABLE', true);

Testing to see if JWT is available

To verify that we can now use JWT, fire up Postman and make a request to the WordPress API’s default ‘index’:

A few new endpoints, like /jwt-auth/v1 and /jwt-auth/v1/token should have been added to the API. If you can find them in the response to the above request, it means JWT is now available.

Getting the JWT token

Let’s stay in Postman for the moment, and let’s request a token to the WordPress API:

The response will contain the JWT token, which is an encrypted key that looks something like this:


Making an authenticated request

Let’s try to change the title of a post with an ID of 300 as an example of an authenticated request with JWT.

In Postman, choose POST as the method and type the following endpoint:

Choose No Auth in the Authorization tab, and add the following in the Headers tab:

'Content-type': 'application/json', 
'Authorization': 'Bearer jwtToken' // Replace jwtToken with the actual token (the encrypted key above)

Finally, in the Body tab, select the raw and JSON (application/json) options, then in the editor right below the options type the following:

{ "title": "YES! Authenticated requests with JWT work" }

Now you can hit SEND. Look in the response tab with all the data about the post that we requested: the value for the title key should now be YES! Authenticated requests with JWT work

Leave a Comment