Configuration
Configure JWT Authentication Pro via the settings page in WordPress
All settings can be managed through the WordPress admin interface at Settings > JWT Auth Pro. Let’s explore the available configuration options.
Token Settings
Configure how JWT tokens are generated and managed:
Available Options:
- JWT Expiration: Control how long access tokens remain valid (default: 7 days)
- Refresh Token Expiration: Set the lifespan of refresh tokens (default: 30 days)
- Signing Algorithm: Choose the algorithm for token signing (default: HS256)
- CORS Support: Enable/disable CORS for cross-origin requests
User Settings
Control token behavior based on user actions:
- Revoke on Password Change: Automatically revoke all tokens when a user changes their password (default: true)
- Revoke on Role Change: Revoke tokens when a user’s role is modified (default: true)
- Revoke on Email Change: Invalidate tokens when a user updates their email (default: true)
- Delete on User Delete: Remove all tokens when a user is deleted (default: true)
Data Management
Configure how JWT Auth Pro handles data:
- Analytics Retention: Control how long authentication analytics are stored (options: 30, 90, 180, 360 days, or Forever)
Setting Analytics Retention to “Forever” may significantly increase your database size over time, depending on your site’s traffic and authentication activity. Consider using a finite retention period for optimal performance.
- Delete on Deactivation: Choose whether to remove all plugin data upon deactivation (default: true)
When Delete on Deactivation is enabled, all plugin data will be permanently deleted upon plugin deactivation. This action cannot be undone, and data can only be recovered if you have a database backup prior to deactivation.
- Anonymize IP: Option to anonymize IP addresses in analytics data (default: false)
Rate Limiting
Configure rate limiting for API endpoints:
- Enable Rate Limiting: Turn rate limiting on/off (default: true)
- Max Requests: Maximum number of requests allowed in the time window (default: 60)
- Window Minutes: Time window for rate limiting in minutes (default: 1)
Rate limit headers are included in responses; this can be disabled via filters.
Advanced Configuration
Using RSA Keys (RS256)
By default, JWT Auth Pro uses HS256 (HMAC SHA-256) for token signing. You can switch to RS256 (RSA SHA-256) for enhanced security, especially in distributed systems.
1. Generate RSA Keys
First, generate a private/public key pair:
2. Configure Keys
Add these filters to your theme’s functions.php or a custom plugin:
Store your keys securely and never commit them to version control. Consider using environment variables or WordPress constants in wp-config.php to store the key paths.
3. Key Storage Example
A secure way to configure keys using constants:
4. Using Key Strings Directly
Alternatively, you can use the RSA key strings directly in your code:
While using key strings directly in code is possible, it’s recommended to store them in secure environment variables or files for better security and key management.
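The key-generation step above and the storage advice that follows it, as an added example that is not part of the plugin’s own documentation: the script creates an RS256 key pair outside the web root, keeps the private key owner-readable only, and checks that the public key really belongs to the private key before the paths are handed to the plugin. The directory path and file names are assumptions; pick your own.

```bash
#!/bin/sh
# Added example, not plugin code. Assumes a POSIX shell and the openssl CLI.
set -eu

# gen_rs256_keys DIR
# Writes DIR/jwt-private.pem (mode 0600) and DIR/jwt-public.pem (mode 0644).
# Keep DIR outside the document root so the private key is never served.
gen_rs256_keys() {
    dir="$1"
    mkdir -p "$dir"
    (
        umask 077   # files created in this subshell are owner-only from the start
        # 2048-bit RSA is the usual minimum for RS256; 3072/4096 for long-lived keys
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/jwt-private.pem" 2>/dev/null
        openssl pkey -in "$dir/jwt-private.pem" -pubout \
            -out "$dir/jwt-public.pem" 2>/dev/null
    )
    chmod 600 "$dir/jwt-private.pem"
    chmod 644 "$dir/jwt-public.pem"   # the public key may be copied to verifiers
}

# keys_match DIR
# Succeeds only when the public key was derived from the private key,
# which guards against pointing the plugin at a mismatched pair.
keys_match() {
    dir="$1"
    from_priv=$(openssl pkey -in "$dir/jwt-private.pem" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    from_pub=$(openssl pkey -pubin -in "$dir/jwt-public.pem" -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    [ "$from_priv" = "$from_pub" ]
}

# private_key_is_private DIR
# Fails if anyone other than the file owner can read the signing key.
private_key_is_private() {
    f="$1/jwt-private.pem"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}
```

Point the plugin at the two resulting paths (via constants in wp-config.php or the filters shown above) rather than pasting the PEM text into code.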
Benefits of RS256
- Asymmetric Keys: Different keys for signing and verification (RS256 signs tokens; it does not encrypt them)
- Better Security: Private key can be kept secret on the authentication server
- Scalability: Public key can be distributed to multiple verification servers
- Standard Compliance: Widely used in enterprise applications
All configuration options can be managed through the WordPress admin interface at Settings > JWT Auth Pro. The constants in wp-config.php are optional and will override the settings in the admin interface if defined.