Instead, JWT (JSON Web Token) is a modern, stateless solution that allows:<\/p>\n
- \n
- Login-based token generation<\/li>\n
- Role\/permission control<\/li>\n
- Expiry-based sessions<\/li>\n
- Easy integration with mobile\/JavaScript apps<\/li>\n<\/ul>\n
Requirements<\/strong>
\nMake sure the following things are ready in your development setup:<\/p>\n- \n
- WooCommerce Plugin installed and active<\/li>\n
- Permalinks set to anything except “Plain”
\nGo to Settings<\/strong> > Permalinks<\/strong> [select Post name or Day and name]<\/li>\n- PHP version 7.4+<\/li>\n
- Composer installed globally (we\u2019ll use it to install the JWT library)<\/li>\n<\/ol>\n
Plugin Folder Structure Overview<\/h2>\n
We\u2019ll create a custom plugin called jwt-token-wc-api<\/strong> . Here’s what the folder layout will look like:<\/p>\n
In Project Root: wp-content\/plugin\/<\/strong>
\nCreate a Folder Named – jwt-token-wc-api\/<\/strong><\/p>\n- \n
- jwt-token-wc-api.php<\/li>\n
- \u00a0includes\/
\n– class-jwt-token-helper.php<\/li>\n - vendor\/
\n– autoload.php<\/li>\n<\/ul>\nStep 1: First, install the PHP Library for JWT using Composer<\/strong>
\nFor the Library, we just need to open our terminal, and in the plugin folder, we need to run the below command in the terminal:<\/p>\ncomposer require firebase\/php-jwt<\/pre>\n
This command will create a Firebase JWT package in the Vendor folder that we will use to generate a token later.<\/p>\n
Step 2: Now add the JWT Token Secret-Key in This File (wp-config.php)<\/strong>
\nIn the WordPress project, open the wp-config.php file and add the following code.<\/p>\ndefine('JWT_Token_AUTH_SECRET_KEY<\/strong>', 'secure-jwt-secret-key');<\/pre>\nStep 3: Create a JWT Token Helper Class
\n<\/strong>Now we will create a helper class that will handle JWT logic like generating and verifying tokens.
\nwe will create a new file inside our plugin: includes\/class-jwt-token-helper.php<\/strong><\/p>\n<?php\r\n\r\n\/\/ Block file accessed if directly trying to open it.\r\nif (!defined('ABSPATH')) {\r\n exit;\r\n}\r\n\r\n\/\/ Load the Composer autoloader class.\r\nrequire_once plugin_dir_path(__DIR__) . '..\/vendor\/autoload.php';\r\n\r\nuse Firebase\\JWT\\JWT;\r\nuse Firebase\\JWT\\Key;\r\n\r\nclass JWT_Token_Manager {\r\n\r\n\/\/ Getting jwt token secret key from wp-config\r\n const JWT_Token_Key= JWT_Token_AUTH_SECRET_KEY;\r\n\r\n\/**\r\n* Function to create token for given user-id.\r\n* 1 hour token validity\r\n*\/\r\npublic static function create_user_jwt_token($user_id) {\r\n $jwt_token_data = [\r\n 'issuer' => get_site_url(),\r\n 'issued_at' => time(),\r\n 'expires_at' => time() + 3600,\r\n 'user_id' => $user_id,\r\n ];\r\n\r\n return JWT::encode($jwt_token_data, self::JWT_Token_Key, 'HS256');\r\n}\r\n\r\n\/**\r\n* Check JWT Token from Incoming API Request.\r\n*\/\r\npublic static function validate_request_token(WP_REST_Request $request) {\r\n $auth_header = $request->get_header('authorization');\r\n\r\n\/\/ If no jwt token found then showing this error.\r\nif (!$auth_header || !preg_match('\/Bearer\\\\s(\\\\S+)\/', $auth_header, $matches)) {\r\n return new WP_Error('token_missing', 'Authorization header is missing.', ['status' => 401]);\r\n}\r\n\r\n$jwt_token = sanitize_text_field($matches[1]);\r\n\r\ntry {\r\n\/\/ Decoding and verify the jwt token.\r\n $decoded_jwt_token = JWT::decode($jwt_token, new Key(self::JWT_Token_Key, 'HS256'));\r\n return true;\r\n } catch (Exception $e) {\r\n return new WP_Error('token_invalid', 'The provided token is invalid or expired.', ['status' => 403]);\r\n }\r\n }\r\n}<\/pre>\nStep 4: Create Now Main-Plugin File.<\/strong>
\nWe will now create a new file inside our plugin folder named: jwt-token-wc-api.php<\/strong><\/p>\n<?php\r\n\/**\r\n* Plugin Name: Secure WooCommerce API with JWT Token\r\n* Description: Adds custom WooCommerce REST API with JWT login \u2013 handy if you're building mobile apps or need to connect outside system.\r\n* Version: 1.0.0\r\n* Author: TO THE NEW Private Limited\r\n*\/\r\n\r\n\/\/ Block file accessed if directly trying to open it.\r\nif (!defined('ABSPATH')) {\r\n exit;\r\n}\r\n\r\n\/\/ Load the jwt token helper class file.\r\n require_once plugin_dir_path(__FILE__) . 'includes\/class-jwt-token-helper.php';\r\n\r\n\/**\r\n* Registering the login route to issue secure JWT token.\r\n*\/\r\nadd_action('rest_api_init', function () {\r\n register_rest_route('jwt-token\/v1', '\/login', [\r\n 'methods' => 'POST',\r\n 'callback' => 'handle_jwt_user_api_login',\r\n 'permission_callback' => '__return_true',\r\n 'args' => [\r\n 'username' => ['required' => true],\r\n 'password' => ['required' => true],\r\n ],\r\n ]);\r\n});\r\n\r\n\/**\r\n* Callback funciton to authenticate username & password and return JWT token.\r\n*\/\r\nfunction handle_jwt_user_api_login(WP_REST_Request $request) {\r\n $username = sanitize_text_field($request->get_param('username'));\r\n $password = $request->get_param('password');\r\n\r\n $user = wp_authenticate($username, $password);\r\n\r\n if (is_wp_error($user)) {\r\n return new WP_Error('login_failed', 'Username or password is incorrect.', ['status' => 403]);\r\n }\r\n\r\n if (!user_can($user, 'read')) {\r\n return new WP_Error('not_allowed', 'You do not have permission to use the API.', ['status' => 403]);\r\n }\r\n\r\n $jwt_token = JWT_Token_Manager::create_user_jwt_token($user->ID);\r\n\r\n return [\r\n 'token' => $jwt_token,\r\n 'user' => [\r\n 'email' => $user->user_email,\r\n 'name' => $user->display_name,\r\n ],\r\n ];\r\n}\r\n\r\n\/**\r\n* Registering a secure API endpoint to fetch WooCommerce order details by order id.\r\n*\/\r\nadd_action('rest_api_init', function () {\r\n register_rest_route('order-jwt-api\/v1', '\/order', [\r\n 'methods' => 'GET',\r\n 'callback' => 'get_woocommerce_order_data_by_id',\r\n 'permission_callback' => ['JWT_Token_Manager', 'validate_request_token'],\r\n 'args' => [\r\n 'order_id' => ['required' => true, 'type' => 'integer'],\r\n ],\r\n ]);\r\n});\r\n\r\n\/**\r\n* Fetch WooCommerce order data by order-id (JWT protected).\r\n*\/\r\nfunction get_woocommerce_order_data_by_id(WP_REST_Request $request) {\r\n $order_id = $request->get_param('order_id');\r\n $order = wc_get_order($order_id);\r\n\r\n if (!$order) {\r\n return new WP_Error('order_not_found', 'No order found for this ID.', ['status' => 404]);\r\n }\r\n\r\n return [\r\n 'order_id' => $order->get_id(),\r\n 'status' => $order->get_status(),\r\n 'total' => $order->get_total(),\r\n 'customer' => $order->get_billing_first_name() . ' ' . $order->get_billing_last_name(),\r\n 'items' => array_map(function ($item) {\r\n return [\r\n 'product_id' => $item->get_product_id(),\r\n 'name' => $item->get_name(),\r\n 'quantity' => $item->get_quantity(),\r\n 'line_total' => $item->get_total(),\r\n ];\r\n }, $order->get_items()),\r\n ];\r\n}<\/pre>\nNow Let’s Test Our Custom API Using Postman:<\/h2>\n
Step 1: First, Get the JWT Token Using the Username & Password<\/strong>
\nJust open Postman and make a POST request to this endpoint: POST \/wp-json\/jwt-token\/v1\/login<\/strong><\/p>\n![\"Generate](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/LdKIO31oVz-1024x529.png\")
Generate Token<\/p><\/div>\n
You can see in the above image that we are getting the token value on the login endpoint with the correct username\/password<\/p>\n
Step 2: Get Order Data Using the JWT Token
\n<\/strong>We now have a JWT token, let\u2019s fetch the order details using it.
\nNow we will request this endpoint: GET \/wp-json\/order-jwt-api\/v1\/order?order_id=<order-id><\/strong>
\nIn Postman, go to the Authorization tab, choose Bearer Token, and paste our JWT token there.<\/p>\n![\"Order](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/hOpWGVn9Yl-1024x589.png\")
Order Data<\/p><\/div>\n
Conclusion<\/h2>\n
JWT login is just easier, honestly. You don\u2019t need to deal with WooCommerce\u2019s default API keys and all that stuff. Once it\u2019s working, you hit your custom routes with the token – no token, no data, that\u2019s it.
\nI\u2019ve used this in a few projects like pulling order data for mobile apps, syncing with other platforms, whatever. It keeps things secure, and you don\u2019t need to send your username\/password everywhere. Just works better for custom setups.<\/p>\n","protected":false},"excerpt":{"rendered":"Introduction If you are working on a mobile app, a headless site, or just want to connect WooCommerce with some external system, then you wll probably need a secure way to access data via API. WooCommerce already gives REST API by default, but it works on API keys, which is a bit old-school now. Not […]<\/p>\n","protected":false},"author":1708,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":42},"categories":[3602],"tags":[7535,5439,7534],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/72889"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1708"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=72889"}],"version-history":[{"count":23,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/72889\/revisions"}],"predecessor-version":[{"id":73222,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/72889\/revisions\/73222"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=72889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=72889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=72889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}