CoCart JWT Authentication

This free add-on for CoCart allows you to authenticate the Cart API via JSON Web Tokens as an authentication method. JSON Web Tokens are an open standard RFC 7519 for securely transmitting information between parties. Read the core concept for more information on what this plugin does and can do. ★★★★★

An excellent plugin, which makes building a headless WooCommerce experience a breeze. Easy to use, nearly zero setup time. Harald Schneider

Key Features

• Standard JWT Authentication: Implements the industry-standard RFC 7519 for secure claims representation.
• Simple Endpoints: Offers clear endpoints for generating and validating tokens.
• Configurable Secret Key: Define your unique secret key via wp-config.php for secure token signing.
• Multiple signing algorithms: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
• Rate Limiting: Controlled specifically for refreshing and validating tokens. Requires CoCart Plus
• Helpful Debugging: Detailed logs of authentication issues to help figure out exactly what happened and fix it faster.
• WP-CLI Commands: Useful commands to handle tokens - whether you need to check, destroy or create new ones, or clean up old ones.
• Developer Hooks: Provides filters and hooks for more configuration to your requirements.

For support, please join the community on Discord. For priority support, consider upgrading to CoCart Plus. 📄 Documentation See documentation on how to get setup, filters and hooks with examples to help configure JWT Authentication to your needs. Once ready to use, see the quick start guide. There is also an advanced configuration for using RSA Keys. ★★★★★

Amazing Plugin. I’m using it to create a react-native app with WooCommerce as back-end. This plugin is a life-saver! Daniel Loureiro

👍 Add-ons to further enhance CoCart We also have other add-ons that extend CoCart to enhance your headless store development.

• CoCart - CORS enables support for CORS to allow CoCart to work across multiple domains.
• CoCart - Rate Limiting enables the rate limiting feature.
• and more add-ons in development.

These add-ons of course come with support too. For additional security, consider our API Security plugin that provides a firewall to block unknown outsiders, rate limit requests and protect data exposure – no configuration required. ⌨️ Join our growing community A Discord community for developers, WordPress agencies and shop owners building the fastest and best headless WooCommerce stores with CoCart. Join our community 🐞 Bug reports Bug reports for CoCart - JWT Authentication are welcomed in the CoCart - JWT Authentication repository on GitHub. Please note that GitHub is not a support forum, and that issues that aren’t properly qualified as bugs will be closed. More information

• The official CoCart API plugin website.
• CoCart for Developers, an official hub for resources you need to be productive with CoCart and keep track of everything that is happening with the API.
• The CoCart Documentation
• Subscribe to updates
• Like, Follow and Star on Facebook, Twitter, Instagram and GitHub

💯 Credits This plugin is developed and maintained by Sébastien Dumont. Founder of CoCart Headless, LLC.

Minimum Requirements

• WordPress v5.6
• WooCommerce v7.0
• PHP v7.4
• CoCart v4.3

Recommended Requirements

• WordPress v6.0 or higher.
• WooCommerce v9.0 or higher.
• PHP v8.0 or higher.

Automatic installation Automatic installation is the easiest option as WordPress handles the file transfers itself and you don’t need to leave your web browser. To do an automatic install of CoCart JWT Authentication, log in to your WordPress dashboard, navigate to the Plugins menu and click Add New. In the search field type "CoCart JWT Authentication" and click Search Plugins. Once you’ve found the plugin you can view details about it such as the point release, rating and description. Most importantly of course, you can install it by simply clicking "Install Now". Manual installation The manual installation method involves downloading the plugin and uploading it to your webserver via your favourite FTP application. The WordPress codex contains instructions on how to do this here. Upgrading It is recommended that anytime you want to update "CoCart JWT Authentication" that you get familiar with what's changed in the release. CoCart JWT Authentication uses Semver practices. The summary of Semver versioning is as follows:

• MAJOR version when you make incompatible API changes.
• MINOR version when you add functionality in a backwards compatible manner.
• PATCH version when you make backwards compatible bug fixes.

You can read more about the details of Semver at semver.org

v3.0.0 - 20th September, 2025 📢 This update will invalidate previous tokens as they will no longer be valid. With this update we have improved tracking of tokens to be dual-secured with a PAT (Personal Access Token) ID. This also makes sure users don't get unnecessary new tokens when already authenticated for proper token life cycle management and prevent token proliferation when users are already authenticated. What's New?

• Plugin: Refactored the plugin for better management and performance.
• Plugin: Added background database cleanup for legacy user meta data on plugin activation.
• REST-API: Users can now have multiple active token sessions, each tracked separately for different devices/browsers.
• REST-API: Refresh tokens are now properly linked to their corresponding JWT tokens.
• REST-API: Existing tokens are returned when authenticating with Bearer tokens (prevents token proliferation).
• WP-CLI: Creating a token now accepts the user ID, email or login. See documentation for updated command.
• WP-CLI: Added new destroy command to remove tokens for specific users with confirmation prompts.
• Dashboard: Added setup guide with secret key generator.

Bug Fix

• WP-CLI: Fixed loading of localization too early.

Improvements

• Plugin: Tokens will now log the last login timestamp. This is also part of the PAT (Personal Access Token).
• Plugin: Meta data is hidden from custom fields.
• REST-API: Authorization will fail if the user has no tokens in session.
• REST-API: Authorization will fail if the token is not found in session.
• REST-API: Token refresh now uses proper session rotation for enhanced security.
• WP-CLI: Listing user tokens will now list each token a user has. See documentation for updated command.
• WP-CLI: Now localized.

Developers

• Introduced new filter cocart_jwt_auth_max_user_tokens that sets the maximum number of tokens stored for a user.
• Introduced new action hook cocart_jwt_auth_authenticated that fires when a user is authenticated.

Compatibility

• Tested with CoCart v4.8

View the full changelog here.