This free add-on for CoCart allows you to authenticate the Cart API using JSON Web Tokens (JWT). JSON Web Tokens are an open standard (RFC 7519) for securely transmitting information between parties. Read the core concept for more information on what this plugin does and can do.
★★★★★ "An excellent plugin, which makes building a headless WooCommerce experience a breeze. Easy to use, nearly zero setup time." - Harald Schneider
Key Features
- Standard JWT Authentication: Implements the industry-standard RFC 7519 for secure claims representation.
- Simple Endpoints: Offers clear endpoints for generating and validating tokens.
- Configurable Secret Key: Define your unique secret key via wp-config.php for secure token signing.
- Multiple signing algorithms: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512.
- Rate Limiting: Controlled specifically for refreshing and validating tokens (requires CoCart Plus).
- Helpful Debugging: Detailed logs of authentication issues to help figure out exactly what happened and fix it faster.
- WP-CLI Commands: Useful commands to handle tokens - whether you need to check, destroy or create new ones, or clean up old ones.
- Developer Hooks: Provides filters and hooks for more configuration to your requirements.
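To make concrete what "secure token signing" with a configured secret means, here is a minimal RFC 7519 HS256 signer and verifier in plain PHP. It is an added illustration written for this page, not code from the CoCart JWT Authentication plugin (which supports the other algorithms listed above as well). The function names, the claims and the sample secret are constructed for the example; the only real dependencies are PHP's built-in hash_hmac, hash_equals and base64 functions.

```php
<?php
// Added illustration, not the plugin's code: a minimal RFC 7519 HS256 signer/verifier
// showing what signing a token with a configured secret and validating it involves.
// Function names, claims and the sample secret below are constructed for this example.

declare(strict_types=1);

// JWT uses base64url without padding (RFC 7515 section 2).
function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data)
{
    $pad = (4 - strlen($data) % 4) % 4;
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', $pad), true);
}

// Sign claims with HMAC-SHA256 over "header.payload".
function jwt_sign_hs256(array $claims, string $secret): string
{
    $header  = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url_encode(json_encode($claims));
    $sig     = hash_hmac('sha256', "$header.$payload", $secret, true);
    return "$header.$payload." . b64url_encode($sig);
}

// Verify a token. Returns the claims array on success, or a string naming the failure.
function jwt_verify_hs256(string $token, string $secret, int $now)
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return 'malformed';
    }
    [$h, $p, $s] = $parts;

    // Pin the algorithm on the server side. The verifier decides how to check the
    // signature; the "alg" header is only checked for agreement, never used to pick a key.
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return 'unexpected alg';
    }

    // Constant-time comparison so the check does not leak the signature byte by byte.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $given    = b64url_decode($s);
    if ($given === false || !hash_equals($expected, $given)) {
        return 'bad signature';
    }

    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims)) {
        return 'bad payload';
    }
    // Reject expired tokens; "exp" is a NumericDate per RFC 7519 section 4.1.4.
    if (isset($claims['exp']) && $now >= (int) $claims['exp']) {
        return 'expired';
    }
    return $claims;
}

// Usage with a constructed secret. A real one belongs in wp-config.php and should be
// long and random; short or guessable secrets make HS256 tokens forgeable offline.
$secret = 'constructed-example-secret-use-32-plus-random-bytes-in-production';
$now    = time();
$token  = jwt_sign_hs256(['sub' => 42, 'iat' => $now, 'exp' => $now + 3600], $secret);

var_dump(jwt_verify_hs256($token, $secret, $now));         // array with sub/iat/exp
var_dump(jwt_verify_hs256($token, 'wrong-secret', $now));  // "bad signature"
var_dump(jwt_verify_hs256($token, $secret, $now + 7200));  // "expired"

// A modified payload no longer matches the signature.
[$h, $p, $s] = explode('.', $token);
$tampered = $h . '.' . b64url_encode(json_encode(['sub' => 1, 'exp' => $now + 3600])) . '.' . $s;
var_dump(jwt_verify_hs256($tampered, $secret, $now));      // "bad signature"
```

The three checks that matter for a verifier are visible here: the algorithm is fixed by the server rather than read from the token, the HMAC is compared in constant time, and expiry is enforced against the server clock. The asymmetric algorithms the plugin also offers (RS*, ES*, PS*) replace the shared secret with a private signing key and public verification key, which is what the advanced RSA configuration mentioned below is for.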
For support, please join the community on Discord. For priority support, consider upgrading to CoCart Plus.
📄 Documentation
See the documentation on how to get set up, and the filters and hooks with examples to help configure JWT Authentication to your needs. Once ready to use, see the quick start guide. There is also an advanced configuration for using RSA keys.
★★★★★ "Amazing Plugin. I'm using it to create a react-native app with WooCommerce as back-end. This plugin is a life-saver!" - Daniel Loureiro
👍 Add-ons to further enhance CoCart
We also have other add-ons that extend CoCart to enhance your headless store development.
- CoCart - CORS enables support for CORS to allow CoCart to work across multiple domains.
- CoCart - Rate Limiting enables the rate limiting feature.
- and more add-ons in development.
These add-ons of course come with support too.
For additional security, consider our API Security plugin that provides a firewall to block unknown outsiders, rate limit requests and protect data exposure – no configuration required.
⌨️ Join our growing community
A Discord community for developers, WordPress agencies and shop owners building the fastest and best headless WooCommerce stores with CoCart.
Join our community
🐞 Bug reports
Bug reports for CoCart - JWT Authentication are welcomed in the CoCart - JWT Authentication repository on GitHub. Please note that GitHub is not a support forum, and that issues that aren't properly qualified as bugs will be closed.
More information
💯 Credits
This plugin is developed and maintained by Sébastien Dumont, founder of CoCart Headless, LLC.
Minimum Requirements
- WordPress v5.6
- WooCommerce v7.0
- PHP v7.4
- CoCart v4.3
Recommended Requirements
- WordPress v6.0 or higher.
- WooCommerce v9.0 or higher.
- PHP v8.0 or higher.
Automatic installation
Automatic installation is the easiest option as WordPress handles the file transfers itself and you don’t need to leave your web browser. To do an automatic install of CoCart JWT Authentication, log in to your WordPress dashboard, navigate to the Plugins menu and click Add New.
In the search field type "CoCart JWT Authentication" and click Search Plugins. Once you’ve found the plugin you can view details about it such as the point release, rating and description. Most importantly of course, you can install it by simply clicking "Install Now".
Manual installation
The manual installation method involves downloading the plugin and uploading it to your web server via your favourite FTP application. The WordPress codex contains instructions on how to do this.
Upgrading
It is recommended that anytime you want to update "CoCart JWT Authentication" that you get familiar with what's changed in the release.
CoCart JWT Authentication uses Semver practices. The summary of Semver versioning is as follows:
- MAJOR version when you make incompatible API changes.
- MINOR version when you add functionality in a backwards compatible manner.
- PATCH version when you make backwards compatible bug fixes.
You can read more about the details of Semver at semver.org.
v3.0.0 - 20th September, 2025
📢 This update invalidates all previously issued tokens.
With this update, token tracking is dual-secured with a PAT (Personal Access Token) ID. This also ensures that users who are already authenticated are not issued unnecessary new tokens, which gives proper token life-cycle management and prevents token proliferation.
What's New?
- Plugin: Refactored the plugin for better management and performance.
- Plugin: Added background database cleanup for legacy user meta data on plugin activation.
- REST-API: Users can now have multiple active token sessions, each tracked separately for different devices/browsers.
- REST-API: Refresh tokens are now properly linked to their corresponding JWT tokens.
- REST-API: Existing tokens are returned when authenticating with Bearer tokens (prevents token proliferation).
- WP-CLI: Creating a token now accepts the user ID, email or login. See documentation for updated command.
- WP-CLI: Added new destroy command to remove tokens for specific users with confirmation prompts.
- Dashboard: Added setup guide with secret key generator.
Bug Fix
- WP-CLI: Fixed loading of localization too early.
Improvements
- Plugin: Tokens will now log the last login timestamp. This is also part of the PAT (Personal Access Token).
- Plugin: Meta data is hidden from custom fields.
- REST-API: Authorization will fail if the user has no tokens in session.
- REST-API: Authorization will fail if the token is not found in session.
- REST-API: Token refresh now uses proper session rotation for enhanced security.
- WP-CLI: Listing user tokens will now list each token a user has. See documentation for updated command.
- WP-CLI: Now localized.
Developers
- Introduced new filter cocart_jwt_auth_max_user_tokens that sets the maximum number of tokens stored for a user.
- Introduced new action hook cocart_jwt_auth_authenticated that fires when a user is authenticated.
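The two hooks above are the ones a site owner is most likely to reach for: capping stored sessions per user and auditing authentication events. The following mu-plugin is an added example written for this page, not code shipped with CoCart. Only the hook names come from the changelog; the arguments each hook passes are not documented on this page, so the filter is assumed to receive the current maximum as its first argument and the action callback is written variadically so it works whatever the plugin actually passes.

```php
<?php
/**
 * Plugin Name: CoCart JWT hook example (added illustration, not part of the plugin)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumptions: the filter's first argument is the plugin's current token limit,
 * and the action's first argument identifies the user (WP_User or user ID).
 */

// Cap the number of stored token sessions per user. Fewer live sessions means
// fewer tokens to revoke if a device is lost and less stale state to clean up.
add_filter('cocart_jwt_auth_max_user_tokens', function ($max) {
    // $max is assumed to be the plugin's current limit; replace it with a tighter one.
    return 3;
}, 10, 1);

// Record every JWT authentication so unusual patterns (many logins for one
// account, logins from unexpected addresses) can be spotted in the server log.
add_action('cocart_jwt_auth_authenticated', function (...$args) {
    $first = $args[0] ?? null; // assumed to be the authenticated user
    if ($first instanceof WP_User) {
        $user_id = (int) $first->ID;
    } elseif (is_numeric($first)) {
        $user_id = (int) $first;
    } else {
        $user_id = 0; // unknown shape: still log that an authentication happened
    }

    $ip = isset($_SERVER['REMOTE_ADDR'])
        ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR']))
        : 'unknown';

    error_log(sprintf('[cocart-jwt] authenticated user_id=%d from %s', $user_id, $ip));
}, 10, 5);
```

The action callback accepts up to five arguments but only relies on the first, and it degrades to logging a zero user ID rather than failing if the plugin passes something unexpected; once the real signature is confirmed from the plugin's documentation, the guard can be replaced with a typed parameter. Keep the logged fields to identifiers and addresses, never the token itself.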
Compatibility
View the full changelog here.