Token Generation and Validation

Authentication Filters

jwt_auth_before_authenticate

Allows you to modify the user object before the authentication process begins.

add_filter('jwt_auth_before_authenticate', function($user) {
    // Perform additional user validation
    if ($user->has_cap('custom_capability')) {
        return new WP_Error('unauthorized', 'User not allowed');
    }
    return $user;
});

jwt_auth_issued_at

Allows you to change the token issuance timestamp (iat claim) for token timing synchronization.

add_filter('jwt_auth_issued_at', function($timestamp) {
    // Add a 5-minute buffer
    return $timestamp + (5 * MINUTE_IN_SECONDS);
});

jwt_auth_issuer

Allows you to change the token issuer (iss claim) for multi-site setups or custom API endpoints.

add_filter('jwt_auth_issuer', function($issuer) {
    return 'https://api.yoursite.com';
});

jwt_auth_not_before

Allows you to set when the token becomes valid (nbf claim) for token activation control.

add_filter('jwt_auth_not_before', function($time, $issued_at) {
    // Token becomes valid 5 minutes after issuance
    return $issued_at + (5 * MINUTE_IN_SECONDS);
}, 10, 2);

jwt_auth_expire

Allows you to customize when the token will expire (exp claim) based on roles or conditions.

add_filter('jwt_auth_expire', function($expiration, $issued_at) {
    // Set expiration to 14 days
    return $issued_at + (14 * DAY_IN_SECONDS);
}, 10, 2);

jwt_auth_token_user_data

Allows you to modify the user data stored in the token payload.

add_filter('jwt_auth_token_user_data', function($data, $user) {
    return array_merge($data, [
        'role' => $user->roles[0],
        'display_name' => $user->display_name,
        'email' => $user->user_email
    ]);
}, 10, 2);

jwt_auth_jwt_token_data_before_update

Allows you to modify the token data before it’s updated.

add_filter('jwt_auth_jwt_token_data_before_update', function($tokenData, $user) {
    $tokenData['custom_field'] = 'custom_value';
    return $tokenData;
}, 10, 2);

jwt_auth_token_before_sign

Allows you to modify the complete token payload before signing.

add_filter('jwt_auth_token_before_sign', function($token, $user) {
    $token['custom_claim'] = 'custom_value';
    return $token;
}, 10, 2);

jwt_auth_algorithm

Allows you to change the algorithm used for token signing.

add_filter('jwt_auth_algorithm', function($algorithm) {
    return 'RS256'; // Use RSA SHA-256 instead of default HS256
});

jwt_auth_secret_private_key

Allows you to set the private key for token signing.

add_filter('jwt_auth_secret_private_key', function($key) {
    return file_get_contents('/path/to/private.key');
});

jwt_auth_secret_public_key

Allows you to set the public key for token validation.

add_filter('jwt_auth_secret_public_key', function($key) {
    return file_get_contents('/path/to/public.key');
});

jwt_auth_token_before_dispatch

Allows you to modify the authentication response before it’s sent to the client.

add_filter('jwt_auth_token_before_dispatch', function($response, $user) {
    $response['user_email'] = $user->user_email;
    return $response;
}, 10, 2);

Refresh Token Filters

jwt_auth_refresh_token_generation

Allows you to change how refresh tokens are generated for external providers.

add_filter('jwt_auth_refresh_token_generation', function($token) {
    return md5(uniqid() . time()); // Use MD5 for token generation
});

jwt_auth_refresh_token_expiration

Allows you to customize refresh token lifetime based on roles or conditions.

add_filter('jwt_auth_refresh_token_expiration', function($expiration) {
    return 60 * DAY_IN_SECONDS; // Set to 60 days
});

jwt_auth_refresh_token_data_before_update

Allows you to modify refresh token data before storage for token rotation.

add_filter('jwt_auth_refresh_token_data_before_update', function($token_data, $user_id) {
    $token_data['custom_field'] = 'custom_value';
    return $token_data;
}, 10, 2);

Security and Settings

Security Filters

jwt_auth_security_headers

Allows you to modify security headers sent with API responses for CORS and security policies.

add_filter('jwt_auth_security_headers', function($headers) {
    $headers['X-Custom-Security'] = 'value';
    return $headers;
});

jwt_auth_error_messages

Allows you to customize authentication error messages for localization.

add_filter('jwt_auth_error_messages', function($messages) {
    $messages['jwt_auth_invalid_token'] = 'Custom invalid token message';
    return $messages;
});

jwt_auth_error_status

Allows you to modify HTTP status codes for errors and API compliance.

add_filter('jwt_auth_error_status', function($status, $code) {
    if ($code === 'jwt_auth_invalid_token') {
        return 401; // Change status to 401
    }
    return $status;
}, 10, 2);

jwt_auth_anonymize_ip

Allows you to control IP address anonymization for GDPR compliance.

add_filter('jwt_auth_anonymize_ip', function($anonymize) {
    return true; // Always anonymize IPs
});

Rate Limiting Filters

jwt_auth_rate_limit_enabled

Allows you to control if rate limiting is enabled.

add_filter('jwt_auth_rate_limit_enabled', function($enabled) {
    return true; // Always enable rate limiting
});

jwt_auth_rate_limit_headers_enabled

Allows you to control if rate limit headers are included in responses.

add_filter('jwt_auth_rate_limit_headers_enabled', function($enabled) {
    return true; // Always send rate limit headers
});

jwt_auth_rate_limit_max_requests

Allows you to customize the maximum number of requests allowed in the time window.

add_filter('jwt_auth_rate_limit_max_requests', function($maxRequests) {
    return 10; // Allow 10 requests per window
});

jwt_auth_rate_limit_window_minutes

Allows you to customize the time window for rate limiting in minutes.

add_filter('jwt_auth_rate_limit_window_minutes', function($windowMinutes) {
    return 15; // Set window to 15 minutes
});

Token Management

Token Actions

jwt_auth_revoke_tokens_on_password_change

Allows you to control token revocation on password changes for security policies.

add_filter('jwt_auth_revoke_tokens_on_password_change', function($shouldRevoke, $userId) {
    return $userId !== 1; // Don't revoke tokens for admin user
}, 10, 2);

jwt_auth_revoke_tokens_on_email_change

Allows you to control token revocation on email changes.

add_filter('jwt_auth_revoke_tokens_on_email_change', function($shouldRevoke, $userId) {
    return true; // Always revoke tokens on email change
}, 10, 2);

jwt_auth_revoke_tokens_on_role_change

Allows you to control token revocation on role changes.

add_filter('jwt_auth_revoke_tokens_on_role_change', function($shouldRevoke, $userId) {
    return true; // Always revoke tokens on role change
}, 10, 2);

jwt_auth_delete_tokens_on_user_delete

Allows you to control token deletion when a user is deleted.

add_filter('jwt_auth_delete_tokens_on_user_delete', function($shouldDelete, $userId) {
    return true; // Always delete tokens when user is deleted
}, 10, 2);

IP and Location

jwt_auth_ip_headers

Allows you to specify which headers to check for client IP addresses.

add_filter('jwt_auth_ip_headers', function($headers) {
    return array_merge($headers, [
        'X-Real-IP',
        'X-Forwarded-For'
    ]);
});

jwt_auth_default_ip

Allows you to set the fallback IP address when detection fails.

add_filter('jwt_auth_default_ip', function($ip) {
    return '0.0.0.0';
});

jwt_auth_private_ip_country_code

Allows you to customize the country code for private IP addresses.

add_filter('jwt_auth_private_ip_country_code', function($code) {
    return 'LO'; // Custom code for local IPs
});

jwt_auth_unknown_country_code

Allows you to customize the country code for unknown locations.

add_filter('jwt_auth_unknown_country_code', function($code) {
    return 'UN'; // Custom code for unknown locations
});

jwt_auth_error_country_code

Allows you to customize the country code when geolocation fails.

add_filter('jwt_auth_error_country_code', function($code) {
    return 'ER'; // Custom code for errors
});

All filters follow WordPress coding standards and can be used with the standard add_filter() function. The examples above show practical implementations for each filter.