Support » Plugin: Simple JWT Login - Login and Register to WordPress using JWT » Allowing access to APIs when authenticated only

  • Nifty



    We are using the plugin “Disable REST API” to disallow “Unauthenticated users” from accessing APIs and to protect information we will charge for, in BuddyPress, such as /buddypress/v1/members when users are not logged in.

    The above plugin is set to allow full access (access to all /simple-jwt-login/v1 points are enabled) once logged in (subscriber role). We can login using your plugin fine, but then cannot navigate to an area which should be accessible now, such as /buddypress/v1/members. It says we are not authorised.

    How can we solve this? Hope all that made sense. Any help on this would be appreciated!

    Thank you.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author nicu_m


    Hello @niftythree,

    I will investigate this and I will come back with updates.

    Best regards,

    Thread Starter Nifty


    Hi Nicu,

    Thank you. Will be keen to hear back from you.

    Hi @nicu_m

    Did you ever find anything on the question from @niftythree ?

    I’m running into the same issue but would love to use your plugin.


    Plugin Author nicu_m


    Hello @niftythree, @2f4u

    I’ve just prepared a new plugin version that allows accessing endpoints only with a JWT. The feature is called “Protect endpoints”, and you can choose either “Protect all endpoints”, or “Protect specific endpoints”.

    You can download the beta version from Github:

    Please let me know what do you think, and if you have any suggestions.

    Best regards,

    Thanks for working on this subject!
    I’ve installed the plugin v3.4 and the ‘Protect endpoints’ tab looks great!

    The issue that I’m facing now is that 403 errors are returned whenever an endpoint is called using the JWT token. I can’t seem to figure out what settings I need to use. I’m using WordPress 5.8.1 and a VueJS front-end to make requests to the WordPress REST API.

    Here’s my JS code

    var url = 'http://app.sandbox.wp/?rest_route=/simple-jwt-login/v1/auth;
    var payload = this.user;
    const request = new Request(
        url, {
        method: "POST",
        headers: {
            "Content-type": "application/json",
        body: JSON.stringify(payload)
    var response = await fetch(request);
    response = await response.json();

    This returns a JWT token which is then stored in localstorage.

    With this JWT token, subsequent requests are done to get posts. Using the Authorization header
    Authorization: Bearer + JWT token

    And with JS code like:

    let url = this.getApiUrl() + '/wp/v2/posts';
    const request = new Request(
        url, {
        method: "GET",
        headers: {
            "Authorization": "Bearer " + token,
    let response = await fetch(request);
    response = await response.json();

    All endpoints respond with the 403 (forbidden) status code.

    Am I missing something here? Is this not the correct workflow?

    Plugin Author nicu_m


    Hello @2f4u,

    What type of “Action” do you use for the protect endpoints? All endpoints or only specific endpoints?

    Have you enabled the “Get JWT token from ” -> Header -> On from the Simple-JWt-login general settings tab?

    Also, just to make sure, can you please make a request, and send the JWT in the query params?

    Got it working!

    In the protect endpoints tab, I tested both options. Both are working. Thanks for that, because that’s what I was actually looking for!

    To make it work I had to do the following. In the general settings tab both REQUEST and Header are set on, the other two are set off. And because the REQUEST option is set on, I also send the JWT token as a parameter with every request.

    Without these settings, all requests fail to authenticate. I’m not sure if this is a bug really, or if you want the REQUEST to be set on when any of the other options are set on.

    One of the things that I was worried about, is that the JWT was not set correctly. I checked that using the following endpoint

    ?rest_route=/simple-jwt-login/v1/auth/validate&JWT=YOUR JWT HERE

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Allowing access to APIs when authenticated only’ is closed to new replies.