JSON API Auth extends the JSON API Plugin to allow RESTful user authentication.

Features include:

  • Generate Auth Cookie for user authentication

  • Validate Auth Cookie

  • Get Current User Info

For documentation: See ‘Other Notes’ tab above for usage examples.

Credits: http://www.parorrey.com/solutions/json-api-auth/


  • Call to generate_auth_cookie endpoint using Postman
  • Call to get_currentuserinfo endpoint using Postman
  • Call to validate_auth_cookie endpoint using Postman


First you have to install the JSON API for WordPress Plugin (https://wordpress.org/extend/plugins/json-api/installation/).

To install JSON API Auth just follow these steps:

  • upload the folder “json-api-auth” to your WordPress plugin folder (/wp-content/plugins)

  • activate the plugin through the ‘Plugins’ menu in WordPress or by using the link provided by the plugin installer

  • activate the controller through the JSON API menu found in the WordPress admin center (Settings -> JSON API)


Thanks to ‘mattberg’ who wrote the auth controller (https://github.com/mattberg/wp-json-api-auth) initially. I have added a few methods and authored it as a WordPress plugin so that it could easily be searched and installed via WordPress.

  • The following methods are available: validate_auth_cookie, generate_auth_cookie, clear_auth_cookie, get_currentuserinfo

  • nonce can be created by calling http://localhost/api/get_nonce/?controller=auth&method=generate_auth_cookie

  • You can then use ‘nonce’ value to generate cookie. http://localhost/api/auth/generate_auth_cookie/?nonce=f4320f4a67&username=Catherine&password=password-here

  • Use the cookie like this with your other controller calls: http://localhost/api/controller-name/method-name/?cookie=Catherine|1392018917|3ad7b9f1c5c2cccb569c8a82119ca4fd

For instance, say you have a new controller ‘events’ and want to allow users to post a new ‘event’ using the ‘add_event’ method.
This is how you would call the endpoint with the cookie and post the event with user info:


If you want sample code showing how it can be done, check the ‘JSON API User’ plugin: https://wordpress.org/plugins/json-api-user/. This Auth plugin is part of the JSON API User plugin.
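The login call and a cookie-protected controller call described above, as an added Python example (not code from this plugin or its author). It assumes the endpoints accept their parameters in a POST body over HTTPS, as the changelog's SSL-check and POST-support entry indicates, and that the cookie's second `|`-separated field is the WordPress expiry timestamp; `example.test` and the `title` field are made-up placeholders.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request


def _post(base_url, path, params):
    """Build a POST request; secrets go in the body, never the query string."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send credentials or cookies over plain HTTP")
    body = urlencode(params).encode("utf-8")
    return Request(base_url.rstrip("/") + path, data=body, method="POST")


def login_request(base_url, username, password, seconds=None):
    """Request for auth/generate_auth_cookie; 'seconds' is the optional lifetime."""
    params = {"username": username, "password": password}
    if seconds is not None:
        params["seconds"] = int(seconds)
    return _post(base_url, "/api/auth/generate_auth_cookie/", params)


def controller_request(base_url, controller, method, cookie, **fields):
    """Request for a cookie-protected controller method, e.g. events/add_event."""
    return _post(base_url, f"/api/{controller}/{method}/", {"cookie": cookie, **fields})


def cookie_expiry(cookie):
    """Return the Unix expiry time, the second '|'-separated field of the cookie."""
    parts = cookie.split("|")
    if len(parts) < 3 or not parts[1].isdigit():
        raise ValueError("unexpected auth cookie format")
    return int(parts[1])


def is_expired(cookie, now):
    """True once 'now' (Unix seconds) has reached the cookie's expiry field."""
    return now >= cookie_expiry(cookie)


if __name__ == "__main__":
    # Constructed sample values; https://example.test is a placeholder site.
    req = login_request("https://example.test", "john", "PASSWORD-HERE", seconds=60)
    print(req.get_method(), req.full_url, req.data)
    sample = "Catherine|1392018917|3ad7b9f1c5c2cccb569c8a82119ca4fd"  # cookie shown above
    print(controller_request("https://example.test", "events", "add_event", sample).data)
    print(cookie_expiry(sample), is_expired(sample, now=1392018918))
```

Pass the returned object to `urllib.request.urlopen` to send it. The local expiry check only saves a round trip; validate_auth_cookie on the server remains the authoritative check.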

Method: validate_auth_cookie

It needs ‘cookie’ var.


Method: generate_auth_cookie

It needs username, password vars. seconds is optional.

Then generate cookie: http://localhost/api/auth/generate_auth_cookie/?username=john&password=PASSWORD-HERE

Optional ‘seconds’ var. If provided, the generated cookie will be valid for that many seconds; otherwise the default is 14 days.

generate cookie for 1 minute: http://localhost/api/auth/generate_auth_cookie/?username=john&password=PASSWORD-HERE&seconds=60

60 means 1 minute.

Method: get_currentuserinfo

It needs ‘cookie’ var.



Access to CPT post data

Hi, I am using the awesome JSON API plugin. I read I can’t have access to the posts postmeta unless I’m authenticated and I thought maybe your plugin is the solution to that.

I have installed your plugin but not entirely sure how to use it in my application.


Contributors & Developers

“JSON API Auth” is open source software. The following people have contributed to this plugin.





  • Updated for WordPress version


  • Updated logo and header.


  • Added minimum php version requirement.


  • Added icons, screenshots, & fixed plugin header.


  • Updated for WordPress 4.9.8 version.


  • Updated for WordPress 4.9 version.


  • Updated for WordPress 4.4 version. Made it secure by adding SSL check and adding POST method support, thanks to ‘xiffy’ for sharing code.


  • Updated for WordPress 4.1.2 version


  • generate_auth_cookie does not require nonce any more to generate cookie.
  • generate_auth_cookie now also returns ‘cookie_name’.


  • Fixed the JSON API Plugin link with protocol
  • Updated notes for documentation.


  • Added the function to authenticate, allow the user (with edit rights) to use JSON API core controllers as well. Thanks necro_txilok for the suggestion.
  • Removed clear_auth_cookie for not doing what it intends to do, instead generate_auth_cookie has been modified to allow setting up auth cookie for any required duration. Just provide the seconds var with nonce, username and password to get required cookie. Default time is 14 days.
  • Fixed typos in documentation.


  • update for WordPress 4.1


  • Removed bug for generating cookie


  • Updated plugin description, documentation and few urls


  • Added clear_auth_cookie() for removing auth cookie.

  • Added documentation for the available end points


  • Added the user avatar info for generate_auth_cookie() and get_currentuserinfo()

  • Updated the FAQs


  • Initial release.