In order to get token i post following request:
http://example.com/wordpress/wp-json/jwt-auth/v1/token?username=MYLOGIN&password=MYPASSWORD and in response i get token - that's nice, but... what if i don't want to show username and login in requested URL, even a single time.
Everyone who can see my computer requests can catch my login and password easily. Can I somehow hide this sensitive data in request headers instead of url parameters? I'm using "Chrome Insomnia" App to test REST api and next to PARAMS and HEADERS there is an AUTH tab where i can type username and password - maybe that is the place i could use to send user data to get access token without beeing seen easily?
I tried to login using AUTH tab, but in response:
{
"code": "jwt_auth_bad_auth_header",
"message": "Authorization header malformed.",
"data": {
"status": 403
}
}
Please don't send me back to wp-api documentaion because i couldn't find a clear answer by reading the docs there.
Although I agree OAuth (Really OpenID Connect) is a better solution, USE HTTPS.
Since the SSL/TLS is performed before you make the request, it will be encrypted over the network.