Filters
JWT Auth Pro provides a comprehensive set of filters that allow you to customize its behavior. Each filter is documented below with its description and usage example.
Token Generation and Validation
Authentication Filters
jwt_auth_before_authenticate
Allows you to modify the user object before the authentication process begins.
jwt_auth_issued_at
Allows you to change the token issuance timestamp (iat claim) for token timing synchronization.
jwt_auth_issuer
Allows you to change the token issuer (iss claim) for multi-site setups or custom API endpoints.
jwt_auth_not_before
Allows you to set when the token becomes valid (nbf claim) for token activation control.
jwt_auth_expire
Allows you to customize when the token will expire (exp claim) based on roles or conditions.
jwt_auth_token_user_data
Allows you to modify the user data stored in the token payload.
jwt_auth_jwt_token_data_before_update
Allows you to modify the token data before it’s updated.
jwt_auth_token_before_sign
Allows you to modify the complete token payload before signing.
jwt_auth_algorithm
Allows you to change the algorithm used for token signing.
jwt_auth_secret_private_key
Allows you to set the private key for token signing.
jwt_auth_secret_public_key
Allows you to set the public key for token validation.
jwt_auth_token_before_dispatch
Allows you to modify the authentication response before it’s sent to the client.
Refresh Token Filters
jwt_auth_refresh_token_generation
Allows you to change how refresh tokens are generated for external providers.
jwt_auth_refresh_token_expiration
Allows you to customize refresh token lifetime based on roles or conditions.
jwt_auth_refresh_token_data_before_update
Allows you to modify refresh token data before storage for token rotation.
Security and Settings
Security Filters
jwt_auth_security_headers
Allows you to modify security headers sent with API responses for CORS and security policies.
jwt_auth_error_messages
Allows you to customize authentication error messages for localization.
jwt_auth_error_status
Allows you to modify the HTTP status codes returned for errors, for API compliance.
jwt_auth_anonymize_ip
Allows you to control IP address anonymization for GDPR compliance.
Rate Limiting Filters
jwt_auth_rate_limit_enabled
Allows you to control whether rate limiting is enabled.
jwt_auth_rate_limit_headers_enabled
Allows you to control whether rate limit headers are included in responses.
jwt_auth_rate_limit_max_requests
Allows you to customize the maximum number of requests allowed in the time window.
jwt_auth_rate_limit_window_minutes
Allows you to customize the time window for rate limiting in minutes.
Token Management
Token Actions
jwt_auth_revoke_tokens_on_password_change
Allows you to control token revocation on password changes for security policies.
jwt_auth_revoke_tokens_on_email_change
Allows you to control token revocation on email changes.
jwt_auth_revoke_tokens_on_role_change
Allows you to control token revocation on role changes.
jwt_auth_delete_tokens_on_user_delete
Allows you to control token deletion when a user is deleted.
IP and Location
jwt_auth_ip_headers
Allows you to specify which headers to check for client IP addresses.
jwt_auth_default_ip
Allows you to set the fallback IP address when detection fails.
jwt_auth_private_ip_country_code
Allows you to customize the country code for private IP addresses.
jwt_auth_unknown_country_code
Allows you to customize the country code for unknown locations.
jwt_auth_error_country_code
Allows you to customize the country code when geolocation fails.
All filters follow WordPress coding standards and can be used with the standard add_filter() function. The examples above show practical implementations for each filter.