CoCart JWT Authentication v1.0.0 Release Notes

We're excited to share a new feature plugin that provides support for our own JWT Authentication with CoCart.

It’s free to download and is available via the WordPress plugin directory.

Minimum Requirements

You will need to have CoCart v3.8.1 or above installed to use this plugin.

Enable PHP HTTP Authorization Header

Shared Hosts

Most shared hosts have disabled the HTTP Authorization Header by default. To enable this option you’ll need to edit your .htaccess file by adding the following:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]


RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]


To enable this option you’ll need to edit your .htaccess file by adding the following (see [this issue]):

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1


  1. Set a unique secret key in your wp-config.php file, defined as COCART_JWT_AUTH_SECRET_KEY.
  2. Install and activate the plugin.

Token Expiration

By default, the token expires after two full days. You can change this to your preference by filtering it with the cocart_jwt_auth_expire hook.

Here is an example changing it to expire after just 2 hours.

add_filter( 'cocart_jwt_auth_expire', function() {
  // 120 minutes = 2 hours.
  return MINUTE_IN_SECONDS * 120;
} );


  1. Authenticate with the login endpoint using the basic method to get your token.
  2. Store the given token under jwt_token in your application.
  3. Now authenticate any cart route using Bearer authentication with the token given.
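
The three usage steps above, combined with the expiry described under Token Expiration, as an added client-side example for Node 18+ (not code from CoCart). The route paths, the login HTTP method, the location of jwt_token in the login response and the presence of a standard exp claim are assumptions.

```javascript
// Added example; anything marked "assumed" is not from the release notes.
const LOGIN_ROUTE = '/wp-json/cocart/v2/login'; // assumed path (POST assumed)
const CART_ROUTE = '/wp-json/cocart/v2/cart';   // assumed path

// Step 1: Basic credentials, sent only to the login endpoint.
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Decodes only: the signature needs the server-side secret. Assumes an exp claim.
function tokenExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (!Number.isInteger(payload.exp)) throw new Error('token has no exp claim');
  return payload.exp;
}

function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  return tokenExpiry(token) - skewSeconds <= nowSeconds;
}

async function login(baseUrl, username, password) {
  if (!baseUrl.startsWith('https://')) throw new Error('credentials require HTTPS');
  const res = await fetch(baseUrl + LOGIN_ROUTE, {
    method: 'POST',
    headers: { Authorization: basicAuthHeader(username, password) },
  });
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  const body = await res.json();
  const token = body.jwt_token ?? body.extras?.jwt_token; // assumed location
  tokenExpiry(token); // reject anything that is not a JWT with exp
  return { jwt_token: token }; // step 2: keep it under jwt_token
}

// Step 3: Bearer authentication on a cart route; the password is not resent.
async function getCart(baseUrl, session) {
  if (isExpired(session.jwt_token)) throw new Error('token expired, log in again');
  const res = await fetch(baseUrl + CART_ROUTE, {
    headers: { Authorization: `Bearer ${session.jwt_token}` },
  });
  if (!res.ok) throw new Error(`cart request failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample token with a placeholder signature, for offline checks.
function sampleToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ exp })}.placeholder`;
}
```

The 30-second skew makes the client log in again slightly before the server would reject the token, rather than on the first 401.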