How the WPLMS Authentication works.

The Version 4 comes with a JWT login system which means the authentication happens in a browser. Which means that when a page is loaded the WordPress is not aware of which user is accessing the page. Now, this means that the server will always render the page as a static and you will be able to host your sites 100% cached, or even static HTML pages.

The benefit of using JWT tokens is huge both in terms of Loading speed and scalability. The WPLMS can work as a part of your site without impacting the overall site performance. That is "Do not convert your entire site into an LMS instead chose only a specific part of your site to work as LMS". This is only possible if we migrate away from the WordPress cookie based authentication structure to a JWT based login system.

Generating the Token

The VibeBP plugin uses the function : vibebp_generate_token($user) for generating the token for the user. The $user is the a user object see below

    'id' => //ID of the WordPress user
    'username'=> // Login username of WordPress User
    'slug'=> // User nicename of WordPress User 
    'email'=>// User email of WordPress User 
    'avatar'=> // User Photo URL of WordPress User 
    'displayname'=> // User Display Name of WordPress User 
    'roles'=>  // WordPress user role, Accepts Array of roles []
    'caps'=> // WordPress user capability, Accepts Array of capabilities, edit_posts (instructors),manage_options(administrators), read (students)
    'profile_link'=> //the Profile link

There is further possibility to process the token using the filter and modify the user object stored in the token. For example, course data can be added to the token. However as JWT tokens are sometimes sent in request header, we recommend keeping the size to a limited less than 8kb.

Expanding the Token

In almost all addon / plugins that you will create you will be required to expand the JWT token sent in the API request. You can expand the JWT token can capture the User making the request. There are 2 ways to expand the token :

  1. Use the VibeBP Filter on the Token: $user = apply_filters('vibebp_api_get_user_from_token','',$body['token']);

  2. Use the vibebp_expand_token($token) function

Both above ways are correct. See following code snippet from our Vibe Zoom addon for expanding the token :

register_rest_route( VIBE_ZOOM_API_NAMESPACE, '/user/meetings/recordings', array(
    'methods'                   =>   'POST',
    'callback'                  =>  array( $this, 'get_meeting_recording' ),
    'permission_callback' => array( $this, 'user_permissions_check' ),
) );

function user_permissions_check($request){
    //Validate token send in Post request
    $body = json_decode($request->get_body(),true);
        global $wpdb;
        $this->user = apply_filters('vibebp_api_get_user_from_token','',$body['token']);
            return true;
    return false;

function get_meetings($request){
    global $wpdb,$bp;

    $args = json_decode($request->get_body(),true);
    $return = array(

    $meeting_args = array(
    //Capture the USer ID from the token.
    //Process using the user_id

The token also have an expiry value that the administrator sets in the WP admin - VibeBP - Settings - General.

This token is also used in Amazon S3 uploads in S3 plugin, Vimeo Uploads in VideoVibe Plugin.

Last updated