Skip to main content
Version: 4.x

Validate token

Use this endpoint to verify whether a JWT is valid. On success, the response includes the corresponding WordPress user's profile, their roles, and the decoded JWT header and payload.

This endpoint is useful for:

  • Server-side token verification before granting access to resources
  • Debugging - inspect what user and claims a token resolves to
  • Client-side session checks - confirm a stored token is still accepted before making other API calls
API Reference

Explore and test this endpoint using the interactive API reference →

Endpoint

METHOD: GET or POST

ENDPOINT: /simple-jwt-login/v1/auth/validate

URL Example: https://{{yoursite}}/?rest_route=/simple-jwt-login/v1/auth/validate&JWT={{YOUR_JWT}}

PARAMETERS:

ParameterTypeDescription
JWTrequired stringYour JWT. Can alternatively be passed as Authorization: Bearer <token>.
AUTH_KEYoptional stringAuth Code value. Required only if "Require Authentication Code" is enabled. The parameter name matches the Auth Code URL Key in Auth Codes settings (default: AUTH_KEY).

Request

{
"JWT": "YOUR_JWT_HERE"
}

With optional Auth Code:

{
"JWT": "YOUR_JWT_HERE",
"AUTH_KEY": "MySecretAuthCode"
}

Responses

200

{
"success": true,
"data": {
"user": {
"ID": "1",
"user_login": "myuser",
"user_nicename": "myuser",
"user_email": "myuser@simplejwtlogin.com",
"user_url": "https://simplejwtlogin.com/myuser",
"user_registered": "2021-01-01 23:31:50",
"user_activation_key": "",
"user_status": "0",
"display_name": "myuser"
},
"roles": [
"administrator"
],
"jwt": [
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
"header": {
"typ": "JWT",
"alg": "HS256"
},
"payload": {
"iat": 1516239022,
"email": "myuser@simplejwtlogin.com",
"id": 1,
"site": "https://simplejwtlogin.com",
"username": "myuser"
}
}
]
}
}

400

Bad request - the JWT parameter is missing.

{
"success": false,
"data": {
"message": "JWT is missing.",
"errorCode": 53
}
}

401

Unauthorized - JWT is invalid, has a bad signature, is expired, or has been revoked.

{
"success": false,
"data": {
"message": "JWT has expired.",
"errorCode": 14
}
}

403

Forbidden - token validation is disabled in plugin settings.

{
"success": false,
"data": {
"message": "Validate token is not enabled.",
"errorCode": 82
}
}

500

Internal server error.

{
"success": false,
"data": {
"message": "An unexpected error occurred.",
"errorCode": 22
}
}

Examples

SHELL

curl -X POST https://simplejwtlogin.com/?rest_route=/simple-jwt-login/v1/auth/validate \
-H "Content-type: application/json" \
-d '{"JWT":"YOUR_JWT"}'

PHP

$simpleJwtLogin = new \SimpleJwtLoginClient\SimpleJwtLoginClient(
'https://simplejwtlogin.com',
'/simple-jwt-login/v1'
);
$result = $simpleJwtLogin->validateToken('your JWT here', 'AUTH CODE');

JavaScript

fetch('https://simplejwtlogin.com/wp-json/simple-jwt-login/v1/auth/validate', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ JWT: 'YOUR_JWT_HERE' })
}).then(r => r.json()).then(console.log);

Error responses

CodeMeaning
53The JWT parameter is missing from the request.
54No WordPress user found for the claims in the JWT.
55The JWT has been revoked and can no longer be used.
82The validate-token feature is disabled in plugin settings.

JWT decoding errors (1-22) may also appear when the supplied token cannot be parsed or its signature is invalid.


Settings

Configure under Settings → Simple JWT Login → Validate Token.

Allow Validate Token Endpoint

Allow Validate Token Endpoint

Enable or disable the validate token endpoint. When disabled, all requests to /auth/validate return a 403 error. When enabled, clients can verify a JWT and retrieve the associated WordPress user details.

Require Authentication Code

Require Authentication Code

When enabled, an additional Auth Code must be provided alongside the JWT to use the validate endpoint. The parameter name is the Auth Code URL Key from Auth Codes settings (default: AUTH_KEY). Configure the codes themselves in the Auth Codes tab.