FAQ
Where do I find the JWT secret?
Define OMOBILE_JWT_SECRET in wp-config.php. If it isn't defined, OMobile generates one and stores it in options. The wp-config constant always wins so deployments don't accidentally rotate the secret mid-session.
Can the app run without a logged-in user?
Yes. /config, /flags, /app-version, and /announcements are unauthenticated. Only routes that need a user (telemetry tied to user, content health) require a Bearer access token.
How big can the telemetry table get?
Raw events stay in omobile_telemetry. A WP-Cron job rolls them up daily into omobile_telemetry_rollup and trims the raw table per the retention setting in Settings.
What if I rotate the JWT secret?
All outstanding access and refresh tokens become invalid. Clients re-login automatically on the next 401 if your app handles it that way.
Do I need a CDN for push payloads?
No. OMobile speaks to FCM, APNS, and Expo from the WordPress server. Network egress from the host is the only requirement.
Can I use API keys instead of JWT?
API keys are for server-to-server traffic (your CI, a backend job) and grant the equivalent of manage_options. End-user mobile sessions should always use JWT.