Protect a WP REST API with OAuth2 using Auth0

v3.0.0 2022-11-14 22:11 UTC

This package is auto-updated.

Last update: 2023-09-15 00:02:51 UTC


Latest Stable Version License Total Downloads

This repo contains a working MU plugin that will receive and validate access tokens obtained from Auth0. For information on how this works and the values used withing please see the post here:

Protect your WordPress REST API with OAuth2 using Auth0


First, install the Login by Auth0 plugin, then add your Auth0 credentials to wp-config.php or another location that will get loaded before plugins.

// Auth0 credentials
define( 'AUTH0_DOMAIN', 'Your Auth0 domain' );
define( 'AUTH0_API_AUDIENCE', 'API identifier for the WP REST API' );
define( 'AUTH0_API_SIGNING_SECRET', 'API signing secret from Auth0' );
define( 'AUTH0_API_DEBUG', 'Set to `true` to add debugging log entries' );

Install with Composer

Install this package:

composer require joshcanhelp/wp-rest-api-auth0

Require the autoloader at some point when add_action is available, like in wp-content/mu-plugins.

Install manually

To install this manually without Composer, just download the latest release ZIP and upload through the admin interface. Please note that this plugin will not update automatically; updates will need to be made by deleting and re-adding (make sure your site is in maintenance mode) or directly via an FTP client (not recommended).

Testing with Docker

You can get this running to test using Docker using this Gist.


Try setting AUTH0_API_DEBUG to true and watching your PHP error log for information on failures.

If API requests aren't working, Apache might not be passing authorization headers to PHP. Try adding this line (or similar methods) to .htaccess:

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

Also, make sure your WP API endpoint doesn't follow this pattern, where /index.php/ is required before /wp-json/:


See this solution to help resolve this index.php issue.