
wp-graphql/wp-graphql-jwt-authentication
========================================

JWT Authentication for WPGraphQL

v0.7.2 (2mo ago) · GPL-3.0+ · PHP · CI passing · [52 issues](https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues) · [6 PRs](https://github.com/wp-graphql/wp-graphql-jwt-authentication/pulls)


WPGraphQL JWT Authentication
============================

This plugin extends the [WPGraphQL](https://github.com/wp-graphql/wp-graphql) plugin to provide authentication using JWT (JSON Web Tokens).

JSON Web Tokens are an open, industry standard [RFC 7519](https://tools.ietf.org/html/rfc7519) method for representing claims securely between two parties.

This plugin was initially based on the `wp-api-jwt-auth` plugin by Enrique Chavez, but modified (almost completely) for use with the [WPGraphQL](https://github.com/wp-graphql/wp-graphql) plugin.

Install, Activate & Setup
-------------------------

You can install and activate the plugin like any WordPress plugin. Download the .zip from GitHub, add it to your plugins directory, then activate it.

JWT uses a Secret defined on the server to validate the signing of tokens.

It's recommended that you use something like the WordPress Salt generator to generate a Secret.

You can define a Secret like so:

```
define( 'GRAPHQL_JWT_AUTH_SECRET_KEY', 'your-secret-token' );
```

Or you can use the filter `graphql_jwt_auth_secret_key` to set a Secret like so:

```
add_filter( 'graphql_jwt_auth_secret_key', function() {
  return 'your-secret-token';
});
```

This Secret is used to encode and decode the JWT. If the Secret is ever changed on the server, ALL tokens that were generated with the previous Secret become invalid. So, to invalidate all user tokens, change the Secret on the server: *all* previously issued tokens become invalid and users are required to re-authenticate.

- Learn more about JWT:

HTTP\_AUTHORIZATION
-------------------

In order to use this plugin, your WordPress environment must support the HTTP\_AUTHORIZATION header. In some cases, this header is not passed to WordPress because of some server configurations.

Depending on your particular environment, you may have to research how to enable these headers, but in Apache, you can do the following in your `.htaccess`:

```
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
```

For NGINX, this may work:

How the plugin Works
--------------------

### Login User

This plugin adds a new `login` mutation to the WPGraphQL Schema.

This can be used like so:

**Input-Type:** `LoginUserInput!`

```
mutation LoginUser {
  login( input: {
    clientMutationId: "uniqueId",
    username: "your_login",
    password: "your password"
  } ) {
    authToken
    user {
      id
      name
    }
  }
}
```

The `authToken` received in response to the login mutation can then be stored in local storage (or similar) and sent in subsequent requests as an HTTP Authorization header, which authenticates the user before the GraphQL request is executed.

- **Set authorization header in Apollo Client**:
- **Set authorization header in Relay Modern**:
- **Set authorization header in Axios**:

### Register User

**Input-Type:** `RegisterUserInput!`

```
mutation RegisterUser {
  registerUser(
    input: {
        clientMutationId: "uniqueId",
        username: "your_username",
        password: "your_password",
        email: "your_email"
    }) {
    user {
      jwtAuthToken
      jwtRefreshToken
    }
  }
}
```

### Refresh Auth Token

**Input-Type:** `RefreshJwtAuthTokenInput!`

```
mutation RefreshAuthToken {
  refreshJwtAuthToken(
    input: {
      clientMutationId: "uniqueId"
      jwtRefreshToken: "your_refresh_token",
  }) {
    authToken
  }
}
```

Filters
-------

The plugin offers some filters to hook into.

### Change Auth Token expiration

**Note: For security, we highly recommend that the Auth Token is short-lived. So do not set this higher than 300 seconds unless you know what you are doing.**

```
function custom_jwt_expiration( $expiration ) {
    return 60;
}

add_filter('graphql_jwt_auth_expire', 'custom_jwt_expiration', 10);
```

- Argument: Expiration in seconds
- Default: 300
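How a client can combine the login mutation, the refresh mutation and the short Auth Token lifetime, as an added JavaScript example that is not part of the plugin: `AuthSession`, the injected `transport` function and the 30-second skew are hypothetical, the mutations and fields are the ones shown above, and the `Bearer` scheme for the Authorization header is not spelled out on this page.

```javascript
// Added illustration, not plugin code. `transport`, `AuthSession` and the skew value
// are hypothetical; mutation and field names are the ones shown in the README above.
const LOGIN = `mutation Login($u: String!, $p: String!) {
  login(input: { clientMutationId: "login", username: $u, password: $p }) {
    authToken
    user { jwtRefreshToken }
  }
}`;
const REFRESH = `mutation Refresh($t: String!) {
  refreshJwtAuthToken(input: { clientMutationId: "refresh", jwtRefreshToken: $t }) {
    authToken
  }
}`;

// Read `exp` (seconds since epoch) from the JWT payload. This is only a scheduling
// hint for the client; the server remains the one that verifies the signature.
function tokenExpiry(jwt) {
  try {
    const seg = String(jwt).split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    const exp = JSON.parse(atob(seg)).exp;
    return typeof exp === "number" ? exp : 0;
  } catch {
    return 0; // malformed token: treat as already expired
  }
}

class AuthSession {
  // transport: async ({ query, variables, headers }) => the GraphQL `data` object
  constructor(transport, now = () => Math.floor(Date.now() / 1000)) {
    Object.assign(this, { transport, now, authToken: null, refreshToken: null });
  }
  async login(username, password) {
    // Credentials travel as GraphQL variables, never spliced into the query text.
    const variables = { u: username, p: password };
    const { login } = await this.transport({ query: LOGIN, variables, headers: {} });
    this.authToken = login.authToken; // held in memory for this session
    this.refreshToken = login.user.jwtRefreshToken;
  }
  // Headers for the next request; refreshes first if fewer than `skew` seconds remain.
  async headers(skew = 30) {
    if (!this.authToken) return {};
    if (tokenExpiry(this.authToken) - this.now() < skew) {
      const variables = { t: this.refreshToken };
      const data = await this.transport({ query: REFRESH, variables, headers: {} });
      this.authToken = data.refreshJwtAuthToken.authToken;
    }
    return { Authorization: `Bearer ${this.authToken}` };
  }
}
```

The `transport` function is where a real client would POST the query and variables to the site's GraphQL endpoint; passing the clock in as `now` keeps the refresh logic testable.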

Example using GraphiQL
----------------------

[![Example using GraphiQL](https://github.com/wp-graphql/wp-graphql-jwt-authentication/raw/master/img/jwt-auth-example.gif?raw=true)](https://github.com/wp-graphql/wp-graphql-jwt-authentication/blob/master/img/jwt-auth-example.gif?raw=true)

### Health Score

61 (Fair; better than 99% of packages)

- Maintenance: 84. Actively maintained with recent releases
- Popularity: 53. Moderate usage in the ecosystem
- Community: 32. Small or concentrated contributor base
- Maturity: 64. Established project with proven stability
- Bus Factor: 1. Top contributor holds 70.1% of commits (single point of failure)

### Release Activity

- Cadence: every ~234 days (recently: every ~349 days)
- Total: 14
- Last Release: 66d ago

### Community

Maintainers: [Jason Bahl](/maintainers/jasonbahl) ([@jasonbahl](https://github.com/jasonbahl))

---

Top Contributors

[jasonbahl](https://github.com/jasonbahl) (148 commits), [kidunot89](https://github.com/kidunot89) (29 commits), [henrikwirth](https://github.com/henrikwirth) (9 commits), [kellenmace](https://github.com/kellenmace) (3 commits), [pcraciunoiu](https://github.com/pcraciunoiu) (2 commits), [CodeProKid](https://github.com/CodeProKid) (2 commits), [hughdevore](https://github.com/hughdevore) (2 commits), [paladdins](https://github.com/paladdins) (2 commits), [efoken](https://github.com/efoken) (2 commits), [paulgrieselhuber](https://github.com/paulgrieselhuber) (1 commit), [tomislavp83](https://github.com/tomislavp83) (1 commit), [clopez-logica](https://github.com/clopez-logica) (1 commit), [tsmith-rv](https://github.com/tsmith-rv) (1 commit), [davidvexel](https://github.com/davidvexel) (1 commit), [fjobeir](https://github.com/fjobeir) (1 commit), [gregrickaby](https://github.com/gregrickaby) (1 commit), [igoojoe](https://github.com/igoojoe) (1 commit), [markkelnar](https://github.com/markkelnar) (1 commit), [markspolakovs](https://github.com/markspolakovs) (1 commit), [OnekO](https://github.com/OnekO) (1 commit)

---

Tags: auth, graphql, hacktoberfest, jwt, wordpress-plugin, wpgraphql

### Code Quality

Tests: PHPUnit

