Skip to main content
Version: 4.x

Protect Endpoints

The Protect Endpoints feature lets you require a valid JWT for any WordPress REST API route. Use it to lock down sensitive data - such as user profiles, private posts, or custom post types - so they can only be accessed by authenticated callers, optionally restricted to specific WordPress roles.

When a protected endpoint is called without a valid JWT, the plugin returns a 401 error immediately, before WordPress processes the request:

{
"success": false,
"data": {
"message": "You are not authorized to access this endpoint.",
"error_code": 75
}
}

If a valid JWT is provided but the user doesn't have one of the roles required by a JWT + Roles rule, the plugin returns a 403 error instead:

{
"success": false,
"data": {
"message": "You do not have the required role to access this endpoint.",
"error_code": 114
}
}

Settings

Configure under Settings → Simple JWT Login → Protect Endpoints.

Protect Endpoints

Protect Endpoints settings

Enable or disable the endpoint protection feature. When disabled, no JWT check is applied to any REST route.

Endpoint Rules

Endpoint Rules

Define per-endpoint rules. Click + Add Endpoint to add a rule. Rules are evaluated top to bottom - the first matching rule wins.

Each rule has the following fields:

FieldOptionsDescription
HTTP MethodALL, GET, POST, PUT, PATCH, DELETEWhich request methods the rule applies to.
Match typeStarts with, Exact matchWhether the path must start with the value or match it exactly.
Endpointtext inputThe REST API path to match (e.g. /wp/v2/users).
TypePublic, JWT required, JWT + RolesPublic - always accessible, even with protection enabled by default. JWT required - a valid JWT is required, for any authenticated user. JWT + Roles - a valid JWT is required and the user must have at least one of the specified WordPress roles.
Rolescomma-separated listOnly shown when Type is JWT + Roles. WordPress roles allowed to access the endpoint (e.g. administrator, editor).

Default Action

Default Action

Controls what happens to any endpoint that doesn't match a rule above:

OptionBehavior
Allow access - protect only the endpoints listed aboveAll REST routes are public by default. Only endpoints matching a JWT required or JWT + Roles rule need a JWT.
Require a valid JWT - keep only the endpoints listed above publicAll REST routes require a JWT by default. Only endpoints matching a Public rule stay public.

Example Configurations

Example 1

Assume you add a rule for /wp/v2/users with ALL and Exact Match.

The rule applies to these URLs:

  • http://yoursite.com/?rest_route=/wp/v2/users
  • http://yoursite.com/wp-json/wp/v2/users

Example 2

Assume you add a rule for /wp/v2/users with GET and Starts With.

The rule applies to these URLs when called with GET only:

  • http://yoursite.com/?rest_route=/wp/v2/users
  • http://yoursite.com/?rest_route=/wp/v2/users/1
  • http://yoursite.com/wp-json/wp/v2/users
  • http://yoursite.com/wp-json/wp/v2/users/1
  • http://yoursite.com/wp-json/wp/v2/users/{any_other_path}

Example 3

Assume you add a rule for /wp/v2 with ALL, Starts With and Type JWT required, and set the Default Action to Allow access - protect only the endpoints listed above.

This way, you are making all the endpoints under /wp/v2* protected and they will be accessible only with a JWT.

For example, all these endpoints will be protected:

  • /wp/v2/users
  • /wp/v2/posts
  • /wp/v2/comments

Example 4

Assume you add a rule for /wp/v2/users with ALL, Starts With and Type JWT + Roles, with Roles set to administrator, editor.

Only users with a valid JWT and the administrator or editor role can access /wp/v2/users and its sub-paths. Any other authenticated or anonymous request receives the "You do not have the required role to access this endpoint." error.

How to Pass the JWT

The JWT token can be provided in multiple ways, depending on the options set in the plugin’s General settings:

  • Header
  • Request URI
  • Request Body
  • Session
  • Cookie

Examples

Sending JWT in header

curl -X POST "http://localhost/wp-json/wp/v2/users" \
-H "Authorization: Bearer YOUR_JWT"

Sending JWT as query parameter

curl -X POST "http://localhost/wp-json/wp/v2/users?jwt=YOUR_JWT"

Sending JWT using rest_route

curl -X POST "http://localhost/?rest_route=/wp/v2/users&jwt=YOUR_JWT"

Sending JWT in request body

curl -X POST "http://localhost/wp-json/wp/v2/users" \
-H "Content-type: application/json" \
-d '{"JWT":"YOUR_JWT"}'