All settings can be managed through the WordPress admin interface at Settings > JWT Auth Pro. Let’s explore the available configuration options.
Token Settings
Configure how JWT tokens are generated and managed:
Available Options:
- JWT Expiration: Control how long access tokens remain valid (default: 7 days). An access token stays usable until it expires or is revoked by one of the user events described below, so a shorter lifetime paired with refresh tokens limits how long a leaked token can be used.
- Refresh Token Expiration: Set the lifespan of refresh tokens (default: 30 days)
- Signing Algorithm: Choose the algorithm for token signing (default: HS256)
- CORS Support: Enable/disable CORS for cross-origin requests
User Settings
Control token behavior based on WordPress user events. These settings are active and trigger automatically when the corresponding user action occurs.
As of v0.2.3, all user lifecycle hooks are registered and functional. If you had these settings enabled on a previous version, they will now take effect after updating.
Revoke on Password Change
Automatically revoke all tokens when a user changes their password (default: true).
Triggers on the WordPress profile_update, password_reset, and after_password_reset hooks. This covers both admin-initiated password changes and user-initiated password resets.
Revoke on Email Change
Invalidate all tokens when a user updates their email address (default: true).
Triggers on the WordPress profile_update hook. Note that WordPress requires email change confirmation via a link sent to the new address — the revocation fires only after the user confirms the change and the profile is updated.
Revoke on Role Change
Revoke all tokens when a user’s role is modified (default: true).
Triggers on the WordPress set_user_role hook. This ensures that any change in permissions immediately invalidates existing sessions.
Delete on User Delete
Remove all tokens and associated analytics records when a user is deleted (default: true).
Triggers on the WordPress delete_user hook. Unlike the other settings which revoke tokens (marking them inactive), this setting deletes tokens and their associated analytics data entirely to prevent orphaned database rows.
Data Management
Configure how JWT Auth Pro handles data:
- Analytics Retention: Control how long authentication analytics are stored (options: 30, 90, 180, 360 days, or Forever)
Setting Analytics Retention to “Forever” may significantly increase your database size over time, depending on your site’s traffic and authentication activity. Consider using a finite retention period for optimal performance.
- Delete on Deactivation: Choose whether to remove all plugin data upon deactivation (default: true)
When Delete on Deactivation is enabled, all plugin data will be permanently deleted upon plugin deactivation. This action cannot be undone, and data can only be recovered if you have a database backup prior to deactivation.
- Anonymize IP: Option to anonymize IP addresses in analytics data (default: false)
Rate Limiting
Configure rate limiting for API endpoints:
- Enable Rate Limiting: Turn rate limiting on/off (default: true)
- Max Requests: Maximum number of requests allowed in the time window (default: 60)
- Window Minutes: Time window for rate limiting in minutes (default: 1)
The following rate limit headers are included in responses; they can be disabled via filters.
X-RateLimit-Limit: Maximum requests allowed
X-RateLimit-Remaining: Remaining requests in current window
X-RateLimit-Reset: Timestamp when the rate limit resets
Retry-After: Seconds to wait when rate limit is exceeded
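The following is an added example, not code from JWT Auth Pro: a fixed-window limiter in PHP that reproduces the semantics of the Max Requests and Window Minutes settings and builds the four response headers listed above, so you can see what each header value means relative to the window. The class name, the in-memory storage and the constructed clock and client address are assumptions made for this example; the plugin’s own storage backend and filter names are not used here.

```php
<?php
// Added example, not JWT Auth Pro code: a fixed-window limiter that reproduces the
// semantics of the Max Requests / Window Minutes settings and builds the four
// response headers listed above. Storage is an in-memory array for illustration;
// the plugin's real storage backend and filter names are not assumed here.
// Requires PHP 8.0+ (constructor property promotion).

final class FixedWindowRateLimiter
{
    /** @var array<string, array{count: int, window_start: int}> per-client counters */
    private array $buckets = [];

    public function __construct(
        private int $maxRequests = 60,  // matches the "Max Requests" default
        private int $windowMinutes = 1  // matches the "Window Minutes" default
    ) {
    }

    /**
     * Record one request from $client at unix time $now.
     * Returns [bool $allowed, array $headers].
     */
    public function hit(string $client, int $now): array
    {
        $windowSeconds = $this->windowMinutes * 60;
        // Windows are aligned to the clock, so every request in the same
        // minute shares the same reset time.
        $windowStart = $now - ($now % $windowSeconds);
        $reset       = $windowStart + $windowSeconds;

        $bucket = $this->buckets[$client] ?? null;
        if ($bucket === null || $bucket['window_start'] !== $windowStart) {
            $bucket = ['count' => 0, 'window_start' => $windowStart]; // new window
        }

        $allowed = $bucket['count'] < $this->maxRequests;
        if ($allowed) {
            $bucket['count']++;
        }
        $this->buckets[$client] = $bucket;

        $headers = [
            'X-RateLimit-Limit'     => (string) $this->maxRequests,
            'X-RateLimit-Remaining' => (string) max(0, $this->maxRequests - $bucket['count']),
            'X-RateLimit-Reset'     => (string) $reset,   // unix timestamp of the next window
        ];
        if (!$allowed) {
            // Seconds until the window rolls over; the response status would be 429.
            $headers['Retry-After'] = (string) max(1, $reset - $now);
        }
        return [$allowed, $headers];
    }
}

// Demo with a constructed clock (not real traffic): 60 requests in one window
// succeed, the 61st is rejected, and the counter resets in the next window.
$limiter = new FixedWindowRateLimiter(60, 1);
$client  = '203.0.113.10';   // documentation-range address, constructed for the demo
$t0      = 1_700_000_040;    // arbitrary timestamp on a minute boundary

for ($i = 1; $i <= 61; $i++) {
    [$allowed, $headers] = $limiter->hit($client, $t0 + 5);
    if ($i === 60 || $i === 61) {
        printf("request %d: %s %s\n", $i, $allowed ? '200' : '429', json_encode($headers));
    }
}
[$allowed, $headers] = $limiter->hit($client, $t0 + 60);
printf("next window: %s %s\n", $allowed ? '200' : '429', json_encode($headers));
```

Two caveats apply to any real implementation of this scheme. Concurrent PHP workers must increment the counter atomically in shared storage (a database row or cache key), otherwise parallel requests can slip past the limit. And a fixed window lets a client send up to twice the limit across a window boundary (60 requests at the end of one minute and 60 more at the start of the next), which a sliding window avoids at the cost of more bookkeeping.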
Advanced Configuration
Using RSA Keys (RS256)
By default, JWT Auth Pro signs tokens with HS256 (HMAC using SHA-256), a symmetric scheme in which the same secret both signs and verifies a token. You can switch to RS256 (RSA signature with SHA-256), which signs with a private key and verifies with the matching public key, so servers that only validate tokens never need to hold the signing key. This matters most in distributed systems, where with HS256 a compromise of any verifier would leak the ability to mint tokens.
1. Generate RSA Keys
First, generate a private/public key pair:
# Generate private key
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048
# Generate public key
openssl rsa -pubout -in private.key -out public.key
2. Configure the Filters
Add these filters to your theme’s functions.php or a custom plugin:
// Set the algorithm to RS256
add_filter('jwt_auth_algorithm', function($algorithm) {
return 'RS256';
});
// Set the private key for token signing
add_filter('jwt_auth_secret_private_key', function($key) {
return file_get_contents(ABSPATH . 'path/to/private.key');
});
// Set the public key for token validation
add_filter('jwt_auth_secret_public_key', function($key) {
return file_get_contents(ABSPATH . 'path/to/public.key');
});
The snippet above resolves the path relative to ABSPATH for brevity; in production keep the private key outside the web root (where a misconfigured server cannot serve it as a static file), with file permissions that allow only the PHP process to read it, and never commit either key to version control. Consider using environment variables or WordPress constants in wp-config.php to store the key paths.
3. Key Storage Example
A secure way to configure keys using constants:
// In wp-config.php
define('JWT_AUTH_PRIVATE_KEY_PATH', '/secure/path/private.key');
define('JWT_AUTH_PUBLIC_KEY_PATH', '/secure/path/public.key');
// In your code
add_filter('jwt_auth_secret_private_key', function($key) {
return file_get_contents(JWT_AUTH_PRIVATE_KEY_PATH);
});
add_filter('jwt_auth_secret_public_key', function($key) {
return file_get_contents(JWT_AUTH_PUBLIC_KEY_PATH);
});
4. Using Key Strings Directly
Alternatively, you can use the RSA key strings directly in your code:
add_filter('jwt_auth_algorithm', function($algorithm) {
return 'RS256';
});
add_filter('jwt_auth_secret_private_key', function($key) {
return <<<EOD
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOD;
});
add_filter('jwt_auth_secret_public_key', function($key) {
return <<<EOD
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzWHNM5f+amCjQztc5QT
fJfzCC5J4nuW+L/aOxZ4f8J3FrewM2c/dufrnmedsApb0By7WhaHlcqCh/ScAPyJ
hzkPYLae7bTVro3hok0zDITR8F6SJGL42JAEUk+ILkPI+DONM0+3vzk6Kvfe548t
u4czCuqU8BGVOlnp6IqBHhAswNMM78pos/2z0CjPM4tbeXqSTTbNkXRboxjU29vS
opcT51koWOgiTf3C7nJUoMWZHZI5HqnIhPAG9yv8HAgNk6CMk2CadVHDo4IxjxTz
TTqo1SCSH2pooJl9O8at6kkRYsrZWwsKlOFE2LUce7ObnXsYihStBUDoeBQlGG/B
wQIDAQAB
-----END PUBLIC KEY-----
EOD;
});
While using key strings directly in code is possible, it’s recommended to store them in secure environment variables or files for better security and key management.
Benefits of RS256
- Asymmetric Signing: Different keys for signing and verification (RS256 is a signature scheme; it does not encrypt the token, whose payload remains readable by anyone holding it)
- Better Security: Private key can be kept secret on the authentication server
- Scalability: Public key can be distributed to multiple verification servers
- Standard Compliance: Widely used in enterprise applications
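The following is an added example, not code from JWT Auth Pro or its documentation, that demonstrates the RS256 property the steps above rely on: a token minted with the private key is verified with nothing but the public key, and the verifier pins the algorithm rather than trusting the token’s own header. It uses only PHP’s bundled OpenSSL extension. The function names (b64url, generate_rsa_pair, jwt_sign_rs256, jwt_verify_rs256) and the constructed claims are this example’s own, not the plugin’s API; the key pair is generated in memory so the script runs stand-alone, whereas a real deployment reads the private.key and public.key files produced in step 1 (or via the wp-config.php constants from step 3).

```php
<?php
// Added example, not JWT Auth Pro code: mint an RS256 JWT with the private key and
// verify it with only the public key, using PHP's bundled OpenSSL extension.
// The key pair is generated in memory here so the script runs stand-alone; in a
// real deployment read the private.key / public.key files produced by the openssl
// commands in step 1 (or the wp-config.php constants from step 3).

function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function b64url_decode(string $text): string
{
    $pad = (4 - strlen($text) % 4) % 4;
    return base64_decode(strtr($text, '-_', '+/') . str_repeat('=', $pad), true) ?: '';
}

/** Returns [privatePem, publicPem]. Constructed here; production keys come from files. */
function generate_rsa_pair(int $bits = 2048): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => $bits]);
    if ($key === false || !openssl_pkey_export($key, $privatePem)) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    return [$privatePem, openssl_pkey_get_details($key)['key']];
}

function jwt_sign_rs256(array $claims, string $privatePem): string
{
    $signingInput = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.' . b64url(json_encode($claims));
    if (!openssl_sign($signingInput, $signature, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $signingInput . '.' . b64url($signature);
}

/** Returns the claims on success, null on any failure. Needs only the public key. */
function jwt_verify_rs256(string $jwt, string $publicPem, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the expected algorithm instead of trusting the token's own "alg":
    // a verifier that honours "alg" can be fed alg=none, or an HS256 token
    // HMAC-signed with the public key, which is not secret.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return null;
    }
    if (openssl_verify("$h.$p", b64url_decode($s), $publicPem, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) {
        return null; // missing or past expiry
    }
    return $claims;
}

// Demo with constructed claims; the "verification server" holds only $publicPem.
[$privatePem, $publicPem] = generate_rsa_pair();
$now   = time();
$token = jwt_sign_rs256(['sub' => 42, 'iat' => $now, 'exp' => $now + 7 * 86400], $privatePem);

$checks = [
    'valid token accepted'            => jwt_verify_rs256($token, $publicPem, $now) !== null,
    'expired token rejected'          => jwt_verify_rs256(jwt_sign_rs256(['sub' => 42, 'exp' => $now - 1], $privatePem), $publicPem, $now) === null,
    'tampered payload rejected'       => (function () use ($token, $publicPem, $now) {
        $parts    = explode('.', $token);
        $parts[1] = b64url(json_encode(['sub' => 1, 'exp' => $now + 3600])); // claims changed, signature not
        return jwt_verify_rs256(implode('.', $parts), $publicPem, $now) === null;
    })(),
    'token from another key rejected' => (function () use ($publicPem, $now) {
        [$otherPrivate] = generate_rsa_pair();
        return jwt_verify_rs256(jwt_sign_rs256(['sub' => 42, 'exp' => $now + 60], $otherPrivate), $publicPem, $now) === null;
    })(),
];
foreach ($checks as $label => $ok) {
    printf("%-32s %s\n", $label, $ok ? 'ok' : 'FAILED');
}
```

One detail worth knowing when you wire the real files in: the openssl genpkey command in step 1 writes a PKCS#8 private key (BEGIN PRIVATE KEY), while the step 4 snippet shows the older PKCS#1 form (BEGIN RSA PRIVATE KEY). PHP’s OpenSSL functions accept either, so both work with the filters above.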
All configuration options can be managed through the WordPress admin interface at Settings > JWT Auth Pro. The constants in wp-config.php are optional and will override the settings in the admin interface if defined.