Support » Plugin: JWT Authentication for WP REST API » Custom endpoint is unprotected

  • Resolved flotschie


    I installed the Plugin and it basically works: I make a POST request to [mypage]/wp-json/jwt-auth/v1/token and I get back the correct JSON containing the token. So the plugin seems to be installed correctly.

    Then I tried another endpoint: [mypage]/?rest_route=/wp/v2/users/register and expected the request (without authorization header) to be rejected by the JWT Plugin since the documentation mentions:

    “The wp-api-jwt-auth will intercept every call to the server and will look for the authorization header, if the authorization header is present, it will try to decode the token and will set the user according with the data stored in it.”

    But to my surprise, the request worked. This is how the endpoint is set up on the server:

      register_rest_route('wp/v2', 'users/register', array(
        'methods' => 'POST',
        'callback' => 'wc_rest_user_reg_ep_handler',

    I thought all endpoints are protected by the JWT Plugin?

    I read about the permission_callback but I think this is just a method to check user permissions. Which I thought I do not need, because my understanding is that the plugin rejects all invalid requests without token anyway. So in my endpoint I should be sure that the user has a valid token, thats enough for me.

    Where am I wrong?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Picard


    Well my custom endpoint is unprotected too… Have you solved this problem?
    I assume that the plugin protects only standard endpoint, so I started looking for a hook to add my endpoint but no luck so far.

    I have this problem too. how to add jwt to custom endpoint?



    Yes I solved it. The documentation is in my opinion misleading. Only /jwt-auth/v1 endpoints are protected and work like expected. User gets automatically logged in and can be checked via is_user_logged_in().

    But don’t worry, just create your custom endpoints in the /jwt-auth/v1 namespace, e.g.:

      register_rest_route('/jwt-auth/v1', 'profile', array(
    	'methods' => 'POST',
    	'callback' => 'wc_rest_get_profile_handler',
    	'permission_callback' => function($request){	  
    	  return is_user_logged_in();
    • This reply was modified 1 year ago by flotschie.


    Thanks @flotschie – that was it – definitely it should be in the docs.

    Dale Mugford


    Better yet, adding a filter to supply an array of custom namespaces that should be included in verification would be awesome.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Custom endpoint is unprotected’ is closed to new replies.