Headless Auth

Complete authentication solution for headless WordPress stores. Supports phone-based OTP login, username/email + password login, JWT access & refresh tokens, user registration, and brute-force protection.

Features

Phone-based OTP login with configurable delivery (SMS, WhatsApp, etc.)
Username/email + password login
JWT access tokens (configurable TTL) + refresh tokens
New user registration with WooCommerce customer role
Rate limiting and brute-force protection with lockout
Test mode for development with admin-only OTP viewing

API Endpoints

Method Path
POST /headless-auth/v1/otp/send
POST /headless-auth/v1/otp/verify
POST /headless-auth/v1/auth/login
POST /headless-auth/v1/auth/register
POST /headless-auth/v1/auth/refresh
GET /headless-auth/v1/auth/me

API Example

# Send OTP
curl -X POST https://store.example.com/wp-json/headless-auth/v1/otp/send \
  -H "Content-Type: application/json" \
  -d '{"phone": "+919876543210"}'

# Verify OTP and get tokens
curl -X POST https://store.example.com/wp-json/headless-auth/v1/otp/verify \
  -H "Content-Type: application/json" \
  -d '{"phone": "+919876543210", "otp": "482916"}'
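
The same flow as a small headless-frontend client, added here as an example and not part of the plugin. The endpoint paths are the ones listed above; the response field names access_token / refresh_token, the refresh request body and the HTTP status codes are assumptions, and the in-memory store is a constructed stand-in so the flow runs offline.

```javascript
// Added example, not the plugin's own code: a minimal headless client for the
// OTP login flow. Response fields access_token / refresh_token and the refresh
// request body are ASSUMPTIONS; the endpoint paths come from the table above.
const BASE = "https://store.example.com/wp-json/headless-auth/v1";
class HeadlessAuthClient {
  constructor(fetchImpl, base = BASE) {
    Object.assign(this, { fetchImpl, base, accessToken: null, refreshToken: null });
  }
  async call(method, path, body, auth = false) {
    const headers = { "Content-Type": "application/json" };
    if (auth) headers.Authorization = `Bearer ${this.accessToken}`;
    const res = await this.fetchImpl(this.base + path, { method, headers, body: body && JSON.stringify(body) });
    return { status: res.status, data: await res.json() };
  }
  sendOtp(phone) { return this.call("POST", "/otp/send", { phone }); }
  async verifyOtp(phone, otp) {
    const r = await this.call("POST", "/otp/verify", { phone, otp });
    if (r.status !== 200) throw new Error(`OTP verify failed (${r.status})`);
    this.accessToken = r.data.access_token; this.refreshToken = r.data.refresh_token;
    return r.data;
  }
  async refresh() {
    const r = await this.call("POST", "/auth/refresh", { refresh_token: this.refreshToken });
    if (r.status !== 200) throw new Error("refresh rejected: user must log in again");
    this.accessToken = r.data.access_token; return r.data;
  }
  async me() { // expired access token -> 401: refresh once and retry, never loop
    let r = await this.call("GET", "/auth/me", undefined, true);
    if (r.status === 401) { await this.refresh(); r = await this.call("GET", "/auth/me", undefined, true); }
    if (r.status !== 200) throw new Error(`/auth/me failed (${r.status})`);
    return r.data;
  }
}
// Constructed in-memory stand-in for the store (one OTP, Bearer check, expiry on demand).
function makeFakeStore(otp = "482916") {
  const st = { access: null, n: 0, expireAccess() { st.access = null; } };
  const reply = (status, data) => Promise.resolve({ status, json: async () => data });
  st.fetchImpl = (url, { method, headers, body }) => {
    const path = url.slice(BASE.length), b = body ? JSON.parse(body) : {};
    const issue = () => reply(200, { access_token: (st.access = `acc${++st.n}`), refresh_token: "ref1" });
    if (path === "/otp/send") return reply(200, { sent: true });
    if (path === "/otp/verify") return b.otp === otp ? issue() : reply(401, { error: "invalid_otp" });
    if (path === "/auth/refresh") return b.refresh_token === "ref1" ? issue() : reply(401, { error: "bad_refresh" });
    if (path === "/auth/me" && method === "GET" && st.access && headers.Authorization === `Bearer ${st.access}`) return reply(200, { id: 7 });
    return reply(401, { error: "unauthorized" });
  };
  return st;
}
```

Swap makeFakeStore().fetchImpl for the browser's fetch to talk to a real store; keep the refresh token out of localStorage (an httpOnly cookie or memory) since anyone who reads it can mint new access tokens.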

FAQ

How does the OTP delivery work?
You configure a JSON template with a webhook URL. When an OTP is requested, the plugin sends a POST request with the phone number and OTP code to your endpoint, which handles the actual SMS/WhatsApp delivery.
Does it work without WooCommerce?
Yes. Without WooCommerce, new users get the default WordPress subscriber role. With WooCommerce, they get the customer role and billing phone metadata is synced.