Skip to content
Authentication for WPGraphQL using JWT (JSON Web Tokens)
Branch: master
Clone or download
jasonbahl Merge pull request #40 from wp-graphql/bug/#39-conflict-with-the-even…

Conflicts with "The Events Calendar" also active
Latest commit 522cb24 Jul 19, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin no message Mar 30, 2018
docs - Adding refresh token stuff and initial Codeception setup. Jan 12, 2018
img no message Nov 9, 2017
src #41 - JWT fields cannot be retrieved via viewer query Jul 18, 2019
tests no message Mar 30, 2018
vendor #41 - JWT fields cannot be retrieved via viewer query Jul 18, 2019
.distignore - Initial commit Apr 11, 2017
.editorconfig - Initial commit Apr 11, 2017
.gitignore no message Jan 19, 2018
LICENSE - Add license info Nov 9, 2017 Fix usage code Feb 18, 2019
codeception.yml no message Jan 19, 2018
composer.json no message Mar 30, 2018
composer.lock no message Mar 30, 2018
phpcs.ruleset.xml - Initial commit Apr 11, 2017
phpunit.xml.dist no message Nov 9, 2017
wp-graphql-jwt-authentication.php #41 - JWT fields cannot be retrieved via viewer query Jul 18, 2019


WPGraphQL JWT Authentication

Build Status Coverage Status

This plugin extends the WPGraphQL plugin to provide authentication using JWT (JSON Web Tokens)

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

This plugin was initially based off the wp-api-jwt-auth plugin by Enrique Chavez (, but modified (almost completely) for use with the WPGraphQL plugin.

Install, Activate & Setup

You can install and activate the plugin like any WordPress plugin. Download the .zip from Github and add to your plugins directory, then activate.

JWT uses a Secret defined on the server to validate the signing of tokens.

It's recommended that you use something like the WordPress Salt generator ( to generate a Secret.

You can define a Secret like so:

define( 'GRAPHQL_JWT_AUTH_SECRET_KEY', 'your-secret-token' );

Or you can use the filter graphql_jwt_auth_secret_key to set a Secret like so:

add_filter( 'graphql_jwt_auth_secret_key', function() {
  return 'your-secret-token';

This secret is used in the encoding and decoding of the JWT token. If the Secret were ever changed on the server, ALL tokens that were generated with the previous Secret would become invalid. So, if you wanted to invalidate all user tokens, you can change the Secret on the server and all previously issued tokens would become invalid and require users to re-authenticate.


In order to use this plugin, your WordPress environment must support the HTTP_AUTHORIZATION header. In some cases, this header is not passed to WordPress because of some server configurations.

Depending on your particular environment, you may have to research how to enable these headers, but in Apache, you can do the following in your .htaccess:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

For NGINX, this may work:

How the plugin Works

This plugin adds a new login mutation to the WPGraphQL Schema.

This can be used like so:

mutation LoginUser {
  login( input: {
    username: "your_login"
    password: "your password"
  } ) {
    user {

The authToken that is received in response to the login mutation can then be stored in local storage (or similar) and used in subsequent requests as an HTTP Authorization header to Authenticate the user prior to execution of the GraphQL request.

Example using GraphiQL

Example using GraphiQL

You can’t perform that action at this time.