Guide to Using the JWT Authentication for WP REST API Plugin and Securing Your REST API
This time, I want to share a very useful tool that I’m using in the development of an Android application designed to help users schedule their gym workout routines. To connect this app with WordPress and WooCommerce, I’m using the REST API, which requires a secure authentication system. That’s why in this post I’ll show you how to use the JWT Authentication for WP REST API plugin, which allows you to manage authentication efficiently and securely.
The JWT Authentication for WP REST API plugin enables the implementation of a secure authentication system in WordPress using JWT tokens. Ideal for developers working with external or mobile applications, this plugin provides a simple way to authenticate users through the REST API and manage sessions without relying on cookies or traditional login forms. Once configured, it returns a JWT token after a successful login, which can be used to access protected API routes.
First, we need to make sure the plugin is activated. Below, I’ve included an image as a reference to verify its activation from the WordPress admin panel.

Next, it’s necessary to enable the HTTP Authorization header on your server (especially if you’re using shared hosting). To do this, you need to edit the .htaccess file located in the public_html folder of your WordPress installation and add the following code:
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
In our case, we added the following additional line because we are using WPEngine hosting:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
It ended up like this:

The next step is to configure our Secret Key. To do this, we need to open the wp-config.php file located in the public_html folder and add the following line. Make sure to replace "your-top-secret-key" with a unique and secure secret key, which should not be shared with anyone.
define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');
After defining the secret key, we also need to enable CORS support. To do this, in the same wp-config.php file, we add the following line right after the previous one:
define('JWT_AUTH_CORS_ENABLE', true);
It looks like this now:

With these steps completed, everything is now ready to start using the WordPress and WooCommerce REST API with secure JWT authentication. From now on, you’ll be able to make authenticated requests from your application and securely access protected routes.
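To make concrete what JWT_AUTH_SECRET_KEY actually protects, here is an added Python example (stdlib only; it is not part of the original post or of the plugin's own code). It generates a secret of the kind you would paste into the define() above, mints an HS256 token, and verifies signature and expiry the way the server side must before trusting any claim. The claim layout, the example.test issuer and the function names are assumptions, and the example assumes the plugin's default HMAC-SHA256 signing.

```python
"""Mint and verify an HS256 JWT the way a WordPress JWT plugin would (stdlib only)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for every segment
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_secret(nbytes: int = 64) -> str:
    # 64 random bytes, hex-encoded: a suitable value for JWT_AUTH_SECRET_KEY
    return secrets.token_hex(nbytes)


def mint_token(secret: str, claims: dict) -> str:
    # Server side: sign header.payload with HMAC-SHA256 over the secret
    header = {"typ": "JWT", "alg": "HS256"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, secret: str, now=None) -> dict:
    """Return the claims only if signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick its own algorithm
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")  # tampered payload or wrong secret
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def bearer_header(token: str) -> dict:
    # The header the plugin reads; the .htaccess rules above make sure it reaches PHP
    return {"Authorization": f"Bearer {token}"}
```

Run it with a constructed claim set (for example `{"iss": "https://example.test", "iat": 1000, "exp": 2000, "data": {"user": {"id": "1"}}}`) and watch verification fail as soon as the payload is edited or a different secret is used.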