JWT Flow
OMobile uses HS256 JWTs (pure PHP, no external library).
- Access tokens: 15-minute expiry
- Refresh tokens: 30-day expiry, rotate on each use
Login
```http
POST /wp-json/omobile/v1/auth/login
Content-Type: application/json
X-Om-Install-Id: <your-device-uuid>

{
  "username": "user@example.com",
  "password": "secret"
}
```
Response:
```json
{
  "access_token": "eyJ…",
  "refresh_token": "eyJ…",
  "user": { "id": 1, "display_name": "Jane Doe", "email": "user@example.com" }
}
```
Authenticated Requests
```http
Authorization: Bearer <access_token>
X-Om-Install-Id: <your-device-uuid>
```
Token Refresh
```http
POST /wp-json/omobile/v1/auth/refresh
Content-Type: application/json

{ "refresh_token": "eyJ…" }
```
Refresh Token Reuse Detection
- Each refresh issues a new token and invalidates the old one
- 30-second reuse window to tolerate race conditions
- If a token is reused outside the window: entire session chain is revoked immediately
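The rotation and reuse-detection rules above, modelled as an added Python example (not the plugin's PHP code). It assumes an in-memory store, an injectable clock, and that a retry inside the 30-second window simply gets the same successor token back rather than a fresh one.

```python
import secrets
import time

REUSE_WINDOW_SECONDS = 30  # grace period for retries and races, as in the doc


class RefreshTokenStore:
    """In-memory model of refresh-token rotation with reuse detection.

    A "chain" is one login session: every rotated token stays in the chain
    the original login created, so revoking the chain kills all of them.
    """

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for deterministic tests
        self.tokens = {}              # token -> {"chain", "used_at", "next"}
        self.revoked_chains = set()

    def issue(self, chain_id):
        token = secrets.token_urlsafe(32)  # opaque stand-in for the real JWT
        self.tokens[token] = {"chain": chain_id, "used_at": None, "next": None}
        return token

    def refresh(self, token):
        """Return a new refresh token, or None if the request is rejected."""
        rec = self.tokens.get(token)
        if rec is None or rec["chain"] in self.revoked_chains:
            return None
        if rec["used_at"] is None:
            # First use: rotate. The presented token is now spent.
            rec["used_at"] = self.clock()
            rec["next"] = self.issue(rec["chain"])
            return rec["next"]
        if self.clock() - rec["used_at"] <= REUSE_WINDOW_SECONDS:
            # Inside the grace window: treat as a retried request (assumption:
            # hand back the same successor instead of minting another).
            return rec["next"]
        # Reuse outside the window: treat as theft and revoke the whole chain.
        self.revoked_chains.add(rec["chain"])
        return None


def demo():
    """Constructed walk-through: rotate, retry in window, reuse out of window."""
    now = [1000.0]
    store = RefreshTokenStore(clock=lambda: now[0])
    r1 = store.issue("session-A")
    r2 = store.refresh(r1)          # normal rotation -> new token
    now[0] += 10
    retry = store.refresh(r1)       # retry inside window -> same successor
    now[0] += 60
    stolen = store.refresh(r1)      # reuse outside window -> None, chain revoked
    return r2, retry, stolen, store.refresh(r2)  # r2 is dead too -> None
```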
Login Throttling
5 failures per identifier → locked for 15 minutes. Implemented with WordPress transients; events are logged to the omobile_login_attempts table.
API Keys
Format: `omk_` + 40 hex chars. Only the SHA-256 hash and the first 8 chars are stored — the raw key is never persisted. Send it in the `Authorization: Bearer omk_…` header.
