Skip to main content

New Plugin Release 4.0.0

· 7 min read
Nicu Micle
Creator of Simple JWT Login

The version 4.0.0 has been released today on WordPress.

This is a major release packed with new features, a completely redesigned admin interface, expanded OAuth provider support, and important security and usability improvements. Please read the breaking changes section carefully before upgrading.

New Features

Completely Redesigned Admin Interface

The plugin settings interface has been completely redesigned to provide a cleaner, more modern, and intuitive user experience. Settings are now better organized, easier to discover, and simpler to configure, reducing the need to consult documentation for common setup tasks. The refreshed layout improves navigation and helps users configure JWT authentication more efficiently.

The new admin UI also includes full Light and Dark Mode support, automatically adapting to your preferred WordPress admin theme for a consistent and comfortable experience.

Behind the scenes, all frontend assets (CSS, JavaScript, and images) have been reorganized into a dedicated assets/ directory, resulting in a cleaner, more maintainable plugin structure and improved developer experience.

Audit Logs

A new Audit Logs section gives you visibility into authentication events across your WordPress site. You can now track login attempts, token refreshes, user registrations, password resets, and more - all with timestamps and relevant metadata. Audit log entries are stored in a dedicated database table and can be browsed directly from the plugin settings.

Webhooks

Outbound webhooks are now supported. You can configure HTTP callbacks that fire on key plugin events - such as user login, registration, authentication, and more. Each webhook call result is optionally logged, giving you a full audit trail of outbound notifications.

API Keys (X-API-Key)

A new API Keys management system lets you create and manage X-API-Key tokens that grant authenticated access to WordPress REST endpoints. This is useful for machine-to-machine integrations where you need stable, long-lived credentials without issuing JWTs.

Key features include:

  • Full CRUD interface for managing keys (create, update, list, delete, revoke)
  • Configurable permissions per key
  • JWT authentication is also accepted on the API Keys endpoint (in addition to cookie-based login)

Expanded OAuth Provider Support

In addition to Google, version 4.0.0 adds OAuth login support for three new providers:

  • Auth0 - enterprise-grade identity management
  • Facebook - social login via Facebook OAuth
  • GitHub - developer-friendly login via GitHub OAuth

All providers are configurable under the new Integrations section.

Two-Factor Authentication (2FA)

The plugin now integrates with WordPress 2FA plugins. When 2FA is enabled on a user account, the authentication flow enforces the second-factor check before issuing a JWT. This integration is detected automatically at runtime based on the 2FA plugin installed on your site.

JWT Custom Claims

You can now define custom JWT payload claims directly from the plugin settings. This allows you to embed additional user metadata or application-specific data into every token your site issues, without writing custom code.

Multiple JWT Decryption Keys

The plugin now supports configuring multiple JWT decryption keys with rules based on the JWT header or payload. This enables key rotation strategies and multi-tenant scenarios where different tokens are signed with different keys.

Refresh Token Handling

Authentication responses now include a refresh token alongside the access JWT. A dedicated endpoint lets clients exchange an expired access token for a new one using the refresh token, without requiring the user to re-authenticate.

Enable/Disable Revoke and Validate Token Endpoints

The token revocation and validation endpoints can now be individually toggled on or off from the plugin settings, giving you fine-grained control over which JWT operations are exposed on your site.

WordPress Default Emails on Register and Password Change

You can now opt in to sending WordPress default notification emails when a user registers via the plugin or changes their password through the reset-password endpoint. Previously this was not configurable and the default WP emails were suppressed.

Try Now Feature

A new "Try Now" button in the plugin settings lets you test your JWT configuration directly from the admin panel, without needing an external REST client.

OpenAPI Specification

The old Postman collection has been replaced with a full OpenAPI (Swagger) specification (openapi/openapi.yaml). This provides a standardized, machine-readable API contract that works with any OpenAPI-compatible tooling.

User Identification Moved to General Settings

The User Identification setting (how the plugin resolves which WordPress user a JWT refers to) has been moved from individual endpoint settings to a single place under General Settings. This eliminates duplication and ensures consistent behavior across all endpoints.

Search on Hooks View

The hooks/actions reference view now includes a search field, making it easy to find specific action hooks when building integrations.


Bug Fixes

  • Fix double encoding for Reset Password email body (#165) - the email body was being base64-encoded twice, producing garbled content in some mail clients
  • Fix passwords with special characters on register, authenticate, and reset password - special characters in passwords no longer break authentication due to incorrect wp_slash() handling
  • Replace variables in reset password email subject - template variables (e.g. {site_name}) are now correctly substituted in the email subject line, not just the body
  • Fix reset password response - the endpoint now returns a consistent and correctly structured JSON response
  • Fix OAuth + 2FA integration - OAuth login flows now correctly trigger the 2FA check when the authenticated user has 2FA enabled
  • Fix "Try Now" when permalink is disabled - the feature now works correctly on WordPress installations using plain (query string) permalinks
  • Fix WordPress data dependency issue affecting some edge cases in the authentication flow
  • Fix CSS compatibility for WordPress 7.0
  • Fix status codes - HTTP response codes are now accurate and consistent across all endpoints (e.g. 401 for unauthorized, 403 for forbidden, 422 for validation errors)
  • Fix validation error responses - invalid request payloads now return structured error messages instead of generic failures
  • Address WordPress Plugin Checker issues - the plugin now passes the official WordPress Plugin Check tool with no critical errors

Breaking Changes

Version 4.0.0 introduces several breaking changes. If you are upgrading from version 3.x, review each item below and update your client applications accordingly.

Settings Structure Reorganized in the Database

The internal format of the plugin's settings record in the WordPress options table has been restructured. A settings migration runs automatically on plugin activation, but if you have custom code that reads simple_jwt_login_settings directly from the database, it will need to be updated to match the new structure.

Register User Response Format Changed

The register endpoint response has changed:

Before (3.x):

{ "success": true, "ID": 1, "user_login": "john", ... }

After (4.0.0):

{ "success": true, "data": { "id": 1, "user_login": "john", ... } }

Update any client code that reads fields directly from the register response root.

Old /register Endpoint Removed

The legacy GET/POST /simple-jwt-login/v1/register endpoint has been removed.

All user registration must now go through the POST /simple-jwt-login/v1/users route. Update your integrations accordingly.

User Identification Removed from Delete User Settings

The "User Identification" field has been removed from the Delete User endpoint settings. The plugin now uses the single General Settings > User Identification value for all endpoints.

If you had a different identification strategy configured specifically for delete, review your General Settings to ensure the correct value is set.

Refresh Token Added to Authentication Response

The authenticate endpoint now returns a refresh_token field in addition to the JWT. While this is additive, clients that strictly validate the response shape (e.g. with JSON Schema) may need to be updated to allow the new field.

2FA Enforcement on Authentication

If your site has a 2FA plugin installed and a user has 2FA enabled, the JWT authentication flow now requires the second factor before issuing a token. Applications that bypassed 2FA by using the plugin's authentication endpoint will now be blocked until they implement the 2FA challenge/response flow.


If you encounter any issues after updating, please open an issue on GitHub.