Authentication

Most endpoints require authentication using JWT tokens. To authenticate requests, include the token in the Authorization header:

Authorization: Bearer your-jwt-token

Base URL

The base URL for all API endpoints is your WordPress site’s REST API URL:

https://your-site.com/wp-json/jwt-auth/v1

Response Format

All responses are returned in JSON format. Successful responses include the requested data, while error responses follow this structure:

{
  "code": "error_code",
  "message": "Human readable error message",
  "data": {
    "status": 403
  }
}

Rate Limiting

API requests are subject to rate limiting based on your JWT Auth Pro settings. The current limits are:

  • Authentication attempts: 5 per minute per IP
  • Token validation: 60 per minute per token
  • Token refresh: 10 per minute per refresh token

When rate limiting is enabled, the following headers are included in API responses:

X-RateLimit-Limit: 60        # Maximum requests allowed
X-RateLimit-Remaining: 45    # Remaining requests in current window
X-RateLimit-Reset: 1707411600    # Unix timestamp when the rate limit resets
Retry-After: 120             # Seconds to wait when rate limit is exceeded (only on 429 responses)

Rate Limit Exceeded

When you exceed the rate limit, you’ll receive a 429 (Too Many Requests) response:

{
  "code": "jwt_auth_rate_limited",
  "message": "Rate limit exceeded",
  "data": {
    "status": 429
  }
}
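As an added example (not part of the JWT Auth Pro plugin or its documentation), the following client-side helper parses the rate-limit headers and the 429 error envelope shown above and works out how long to wait before the next request. It assumes header values are plain integers as documented; the 60-second fallback used when a 429 carries neither Retry-After nor X-RateLimit-Reset is an assumption, and the sample values in the tests are constructed.

```python
import json
from dataclasses import dataclass
from typing import Mapping, Optional

RATE_LIMIT_CODE = "jwt_auth_rate_limited"  # error code documented above

@dataclass
class RateLimitState:
    remaining: Optional[int]
    reset_at: Optional[int]     # Unix timestamp from X-RateLimit-Reset
    retry_after: Optional[int]  # seconds, only sent on 429 responses

def _int_header(headers: Mapping[str, str], name: str) -> Optional[int]:
    # Header names are case-insensitive; non-integer values are ignored.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return int(value) if value.strip().isdigit() else None
    return None

def parse_rate_limit(headers: Mapping[str, str]) -> RateLimitState:
    """Extract the headers the plugin adds when rate limiting is enabled."""
    return RateLimitState(
        remaining=_int_header(headers, "X-RateLimit-Remaining"),
        reset_at=_int_header(headers, "X-RateLimit-Reset"),
        retry_after=_int_header(headers, "Retry-After"),
    )

def is_plugin_rate_limit(body: str) -> bool:
    """True only for the documented jwt_auth_rate_limited envelope (not a proxy 429)."""
    try:
        err = json.loads(body)
    except ValueError:
        return False
    return (isinstance(err, dict) and err.get("code") == RATE_LIMIT_CODE
            and isinstance(err.get("data"), dict) and err["data"].get("status") == 429)

def seconds_until_retry(status: int, headers: Mapping[str, str], now: int) -> int:
    """Seconds to wait before the next request (0 = send now). On 429 prefer Retry-After,
    then X-RateLimit-Reset, then a 60 s fallback (assumption); otherwise pause at 0 remaining."""
    state = parse_rate_limit(headers)
    if status == 429:
        if state.retry_after is not None:
            return max(state.retry_after, 0)
        if state.reset_at is not None:
            return max(state.reset_at - now, 0)
        return 60
    if state.remaining == 0 and state.reset_at is not None:
        return max(state.reset_at - now, 0)
    return 0
```

Pausing when X-RateLimit-Remaining reaches 0 keeps a well-behaved client from ever hitting the 429 path, which also keeps its authentication attempts from being counted against the per-IP limit.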

Rate limiting can be configured or disabled through the WordPress admin interface or using filters. See the Configuration and Filters documentation for more details.