To interact with the Luvre API, every request must carry a JWT access token. The API uses that token to authenticate the caller and to authorize the request: it verifies the user's identity, their roles, and the domain the token was issued for.
How the Token Works
The access token is generated using JSON Web Token (JWT) and includes the following payload:
$payload = [
'uid' => $uid, // User ID
'uname' => $uname, // Username
'uroles' => $uroles, // User roles (e.g., admin, editor)
'dom' => $dom, // Token domain (must match site domain)
'iat' => $iat, // Issued at timestamp
'exp' => $exp, // Expiration timestamp
];
Key Features of the Token
✅ User Identification – The token contains the user ID and username to authenticate the requester.
✅ Role-Based Access – The uroles field defines user permissions, ensuring API access is restricted based on roles.
✅ Domain Validation – The dom field binds the token to the site it was issued for, so a token minted for one site cannot be replayed against another.
✅ Expiration Control – The exp field sets a time limit on token validity, which bounds how long a leaked or stolen token remains usable.
Managing Access Tokens
Tokens must be sent in the Authorization header as a Bearer token in API requests:
Authorization: Bearer YOUR_ACCESS_TOKEN
Administrators control token lifetime, the roles each endpoint requires, and the domain a token is bound to.
This approach gives a secure and flexible authentication system, making it easier to manage user access, roles, and permissions across the API. 🚀
If the token is missing, expired, or invalid, the API rejects the request with an error response. The body lists every check that failed, each with its own code, message and HTTP status. The example below shows a token that was presented on the wrong domain and also lacks the required role:
{
"errors": [
{
"code": "invalid_domain",
"message": "The token domain does not match the site domain",
"status": 403
},
{
"code": "invalid_role",
"message": "User does not have the required role(s)",
"status": 403
}
]
}
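The following PHP is an added example, not Luvre's own code, showing how the payload documented above can be issued and then verified with the domain, role and expiry checks the page describes, returning errors in the same shape as the response above. It assumes HS256 with a shared secret (the page does not state the signing algorithm), treats an expired or badly signed token as a 401 (the page only gives statuses for the domain and role checks), and matches uroles as "any of the required roles"; the function names and sample values are illustrative.

```php
<?php
// Added example (not Luvre's own code): mint and verify an HS256 JWT that carries
// the documented payload fields (uid, uname, uroles, dom, iat, exp) and apply the
// domain / role / expiry checks that yield the documented error responses.
// Assumptions: HS256 with a shared secret; expired or unsigned tokens -> 401;
// "required role(s)" means any one of them. Function names are illustrative.

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data) {
    $pad = strlen($data) % 4;
    if ($pad > 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true); // false on bad input
}

function luvre_error(string $code, string $message, int $status): array {
    return ['ok' => false, 'status' => $status,
            'errors' => [['code' => $code, 'message' => $message, 'status' => $status]]];
}

// Issue a token with the documented payload fields.
function luvre_mint_token(array $payload, string $secret): string {
    $segments = [
        b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])),
        b64url_encode(json_encode($payload)),
    ];
    $sig = hash_hmac('sha256', implode('.', $segments), $secret, true);
    $segments[] = b64url_encode($sig);
    return implode('.', $segments);
}

// Verify a bearer token. Returns ['ok' => true, 'payload' => [...]] or
// ['ok' => false, 'status' => int, 'errors' => [...]] in the page's error shape.
function luvre_verify_token(string $jwt, string $secret, string $site_domain,
                            array $required_roles = [], ?int $now = null): array {
    if ($now === null) {
        $now = time();
    }
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return luvre_error('invalid_token', 'Malformed token', 401);
    }
    [$h64, $p64, $s64] = $parts;

    // Pin the algorithm: the token's "alg" is only ever compared, never obeyed.
    $header = json_decode(b64url_decode($h64) ?: '', true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return luvre_error('invalid_token', 'Unsupported or missing alg', 401);
    }

    // Constant-time signature comparison over the exact signed bytes.
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    $given = b64url_decode($s64);
    if ($given === false || !hash_equals($expected, $given)) {
        return luvre_error('invalid_token', 'Bad signature', 401);
    }

    $payload = json_decode(b64url_decode($p64) ?: '', true);
    if (!is_array($payload)) {
        return luvre_error('invalid_token', 'Malformed payload', 401);
    }
    if (!isset($payload['exp']) || $now >= (int) $payload['exp']) {
        return luvre_error('token_expired', 'The token has expired', 401);
    }

    // Domain and role checks are both evaluated so the response can list each failure.
    $errors = [];
    if (($payload['dom'] ?? '') !== $site_domain) {
        $errors[] = ['code' => 'invalid_domain',
                     'message' => 'The token domain does not match the site domain', 'status' => 403];
    }
    $roles = (array) ($payload['uroles'] ?? []);
    if ($required_roles && !array_intersect($required_roles, $roles)) {
        $errors[] = ['code' => 'invalid_role',
                     'message' => 'User does not have the required role(s)', 'status' => 403];
    }
    if ($errors) {
        return ['ok' => false, 'status' => 403, 'errors' => $errors];
    }
    return ['ok' => true, 'payload' => $payload];
}

// Demo with constructed values.
$secret = 'replace-with-a-long-random-secret';
$token = luvre_mint_token([
    'uid' => 42, 'uname' => 'alice', 'uroles' => ['editor'],
    'dom' => 'example.com', 'iat' => time(), 'exp' => time() + 3600,
], $secret);

// Right site, route that accepts editors.
var_dump(luvre_verify_token($token, $secret, 'example.com', ['editor'])['ok']);
// Same token replayed on another site against an admin-only route: both 403 errors.
echo json_encode(luvre_verify_token($token, $secret, 'other.example', ['admin']), JSON_PRETTY_PRINT), "\n";
```

Pinning alg to HS256 before checking the signature is the check most worth keeping: a verifier that honours whatever alg the token declares can be handed alg:none, or an RS256 token whose signature was made with the server's public key used as an HMAC secret. Collecting the domain and role failures into one list mirrors the documented response, which reports both checks at once rather than stopping at the first.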
🚫 Authentication Failed (403 Error) Even with Correct Token
If you're seeing a 403 error when making a request to the REST API even though the Bearer token is correctly set in Postman (or any other API client), this typically means that the token is not reaching WordPress because of how your server handles HTTP headers, specifically the Authorization header.
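To confirm that diagnosis before changing server configuration, the following added PHP snippet (not part of Luvre) checks each place the header can land. Under Apache the common remedy is a mod_rewrite rule that copies the incoming Authorization header into the HTTP_AUTHORIZATION environment variable; PHP then sees it as $_SERVER['HTTP_AUTHORIZATION'] or, after an internal redirect, $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], and under mod_php apache_request_headers() can also read the raw header. The function name and the constructed $_SERVER arrays are illustrative.

```php
<?php
// Added example (not Luvre's own code): find the bearer token in every place PHP
// may expose it, to tell "the server dropped the Authorization header" apart from
// "the API rejected the token". Assumptions: PHP behind Apache; the function name
// and the constructed $_SERVER arrays below are illustrative.

function luvre_find_bearer_token(array $server, ?array $raw_headers = null): ?string {
    $candidates = [];

    // Normal case: the server forwarded the header, or a mod_rewrite
    // E=HTTP_AUTHORIZATION rule re-created it. After an internal redirect
    // Apache prefixes the variable with REDIRECT_.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            $candidates[] = $server[$key];
        }
    }

    // mod_php only: apache_request_headers() reads the raw request headers,
    // which can still contain Authorization when $_SERVER does not.
    if ($raw_headers === null && function_exists('apache_request_headers')) {
        $raw_headers = apache_request_headers() ?: [];
    }
    foreach ((array) $raw_headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0) {
            $candidates[] = $value;
        }
    }

    // Accept only the documented "Bearer <token>" form.
    foreach ($candidates as $value) {
        if (preg_match('/^Bearer\s+(\S+)$/i', trim($value), $m)) {
            return $m[1];
        }
    }
    return null;
}

// Where did the header land? Constructed server arrays for each case; an empty
// raw-header array is passed so the demo does not call apache_request_headers().
$cases = [
    'passed through'     => ['HTTP_AUTHORIZATION' => 'Bearer eyJhbGciOi.eyJ1aWQi.abc'],
    'after rewrite rule' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer eyJhbGciOi.eyJ1aWQi.abc'],
    'stripped by server' => ['REQUEST_METHOD' => 'GET'],
];
foreach ($cases as $label => $server) {
    $token = luvre_find_bearer_token($server, []);
    printf("%-20s %s\n", $label, $token === null ? 'no token reached PHP' : 'token found');
}
```

If the third case is what a real request looks like on your server, the token is being lost before PHP runs and no change to the plugin or the client will help; the server configuration has to forward the header.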
🛠️ Fix for Apache Servers
If you're using Apache, it's likely that the Authorization header is being stripped or not passed correctly to WordPress.
To fix this, you need to add the following line to your site’s .htaccess file: