Skip to main content
Version: 4.x

Autologin

The Autologin endpoint lets you log a user into WordPress by passing a valid JWT - no username or password form needed. This is ideal for:

  • Magic-link emails - generate a signed link and email it to the user
  • SSO flows - redirect users from an external system directly into WordPress
  • Mobile apps - open a webview session without re-prompting for credentials
  • Cross-domain redirects - seamlessly land users on a specific page after authentication

The plugin validates the JWT, identifies the WordPress user from the token payload, creates the authenticated session, and redirects the user to the configured destination.

API Reference

Explore and test this endpoint using the interactive API reference →

Endpoint

METHOD: GET

ENDPOINT: /simple-jwt-login/v1/autologin

URL Example: https://{{yoursite}}/?rest_route=/simple-jwt-login/v1/autologin&JWT={{JWT}}&AUTH_KEY={{AUTH_KEY_VALUE}}

ParameterTypeDescription
JWTrequired stringYour JWT. Can alternatively be passed as Authorization: Bearer <token>.
AUTH_KEYoptional stringAuth Code value. Required only if "Require Authentication Code" is enabled. The parameter name matches the Auth Code URL Key in Auth Codes settings (default: AUTH_KEY).
redirectUrloptional stringIf provided and "Honor the redirectUrl parameter" is enabled in settings, the user is redirected here after a successful login instead of the configured destination.

Parameters can be sent as query params.

Request

https://{{yoursite}}/?rest_route=/simple-jwt-login/v1/autologin&JWT={{JWT}}&AUTH_KEY={{AUTH_KEY_VALUE}}

Or via Authorization header:

GET /wp-json/simple-jwt-login/v1/autologin
Authorization: Bearer YOUR_JWT_HERE

Responses

200

The browser is redirected (HTTP 302) to the WordPress site or the custom redirectUrl. The response body is empty HTML; the redirect is handled via HTTP headers.

400

Bad request - unclassified error (e.g. malformed JWT encoding).

{
"success": false,
"data": {
"message": "Invalid JWT.",
"errorCode": 25
}
}

401

Unauthorized - JWT is invalid, has a bad signature, is expired, is revoked, or the auth code is wrong.

{
"success": false,
"data": {
"message": "JWT has expired.",
"errorCode": 14
}
}

403

Forbidden - auto-login is disabled in plugin settings, or the client IP is not on the allow-list.

{
"success": false,
"data": {
"message": "Auto-login is not enabled.",
"errorCode": 26
}
}

404

The WordPress user identified by the JWT payload could not be found.

{
"success": false,
"data": {
"message": "User not found.",
"errorCode": 24
}
}

500

Internal server error.

{
"success": false,
"data": {
"message": "An unexpected error occurred.",
"errorCode": 22
}
}

Examples

SHELL

curl 'https://simplejwtlogin.com/?rest_route=/simple-jwt-login/v1/autologin&JWT=mysecretjwt&AUTH_KEY=mysecretauthcode'

PHP

Using the simple-jwt-login PHP Client:

$simpleJWT = new \SimpleJwtLoginClient\SimpleJwtLoginClient(
'https://simplejwtlogin.com',
'/simple-jwt-login/v1'
);
$url = $simpleJWT->login('Your JWT');
header('Location: ' . $url);

JavaScript

var JWT = 'myJWT';
var AUTH_KEY = 'MY_SECRET_AUTH_CODE';

window.location.href =
'https://simplejwtlogin.com/?rest_route=/simple-jwt-login/v1/autologin&JWT=' + JWT + '&AUTH_KEY=' + AUTH_KEY;

Error responses

All error responses follow the standard envelope:

{
"success": false,
"data": {
"message": "Human-readable error description",
"errorCode": 26
}
}

Common error codes:

CodeMeaning
23JWT is missing from the auto-login request.
24User not found - no WordPress user matches the JWT claims.
26Auto-login is not enabled in plugin settings.
27Invalid Auth Code provided.
28Client IP is not on the allowed IP list.
29The configured JWT payload property (sub-key) could not be found in the token.
30The configured JWT payload property (user key) could not be found in the token.
68The JWT issuer (iss) is not on the allowed list.

JWT decoding errors (1-22) may also appear when the supplied token cannot be parsed or its signature is invalid.


Settings

Configure under Settings → Simple JWT Login → Autologin.

Auto-Login

Auto-Login settings

Enable or disable the autologin endpoint. When disabled, all GET requests to /autologin return a 403 error. When enabled, users can log in by passing a valid JWT via URL parameter or Authorization: Bearer header.

Require Authentication Code

Require Authentication Code

When enabled, an additional Auth Code must be provided alongside the JWT to allow login. The parameter name is the Auth Code URL Key from Auth Codes settings (default: AUTH_KEY). Configure the codes themselves in the Auth Codes tab.

Redirect Behavior

Redirect Behavior settings

Controls where users are sent after login succeeds or fails.

After successful login, redirect to:

OptionDescription
DashboardRedirects to the WordPress admin panel (/wp-admin/).
HomepageRedirects to the site's front page.
No redirectNo HTTP redirect is performed; the response is returned directly.
Custom URLRedirects to the URL you specify in the text field below the options.

On login failure, redirect to:

Enter a URL to redirect the user when login fails (e.g. expired token, invalid auth code). Leave blank to return an error JSON response without redirecting.

On the failure redirect page you can display the error message returned by the plugin using the simple-jwt-login:request shortcode:

[simple-jwt-login:request key="error_message"]

Advanced Options

Advanced Options

Pass login request parameters to the redirect URL

When enabled, the original JWT and any other login request parameters are appended to the redirect URL as query string arguments.

Strip these parameters from the redirect URL

Comma-separated list of query parameters to remove after redirect (e.g. jwt, auth_code). Useful for cleaning sensitive values out of the browser address bar. Leave blank to keep all parameters.

Honor the redirectUrl query parameter as a redirect override

When enabled, including redirectUrl in the autologin request overrides the configured redirect destination. This allows per-request redirect targets, useful for magic-link emails that need to land users on a specific page.

Available URL template variables:

Use these placeholders in your custom redirect URL or in the redirectUrl parameter. They are replaced with actual values at redirect time.

VariableDescription
{{site_url}}The site URL
{{user_id}}The logged-in user's ID
{{user_email}}The logged-in user's email address
{{user_login}}The logged-in user's username
{{user_first_name}}The user's first name
{{user_last_name}}The user's last name
{{user_nicename}}The user's URL-friendly name

Example:

https://yourdomain.com/profile?uid={{user_id}}&site={{site_url}}

Access Control

Access Control settings

Restrict autologin to requests from specific sources. Leave fields blank to allow all.

Allowed IP Addresses

Comma-separated list of IP addresses allowed to use the autologin endpoint. Leave blank to allow all IPs.

Allowed JWT Issuers (iss)

Comma-separated list of accepted iss (issuer) claim values. When set, a JWT whose iss does not match any value in this list is rejected with error code 68. Leave blank to accept any issuer.


FAQ

How do I tell the plugin which field in the JWT contains the WordPress user ID or email?

In the plugin settings, set the "JWT Parameter Key" field to the name of the JWT payload property that holds the user identifier.

For example, if your JWT payload looks like this:

{
"sub": "1234567890",
"name": "John Doe",
"UserID": 123456
}

Set JWT Parameter Key to UserID. The plugin will use that value to look up the WordPress user.