Skip to main content

Authenticate and obtain a JWT

POST 

/auth

Validates the user's WordPress credentials and returns a signed JWT. An optional refresh token is also returned when the refresh-token feature is enabled in the plugin settings.

Credentials Supply either email or username (not both), plus one of:

  • password — plaintext password (verified with wp_check_password)
  • password_hash — the hashed password as stored in the WordPress database (must be enabled in the plugin settings)

Requirements

  • Authentication must be enabled in the plugin settings.
  • If "Authentication Requires Auth Code" is enabled, AUTH_KEY must be provided.

Two-Factor Authentication When the authenticated user has Two-Factor Authentication enabled and the 2FA integration is active, the endpoint returns HTTP 200 with a challenge response instead of a regular JWT. The two_factor_required field is true and jwt contains a short-lived interim token. Submit that interim token together with the 2FA code to POST /auth/2fa to obtain the final JWT.

Request

Responses

Authentication successful. Returns a signed JWT and an optional refresh token.

Two-Factor challenge: when the user has 2FA enabled, this response is returned instead of a regular JWT. two_factor_required will be true and jwt will contain a short-lived interim token. Submit it with the 2FA code to POST /auth/2fa to obtain the final JWT.