WP OAuth Server (OAuth Authentication)
Adds Authentication through OAuth 2. Provides the ability for Single Sign On for websites & Mobile Applications.
3.8(41 reviews)
·3.0K+ active installs·Updated 2 months agoAs of April 2026, WP OAuth Server (OAuth Authentication) is a WordPress oauth plugin with 3.0K+ active installations and a 3.8/5 rating from 41 reviews. It has been downloaded 174K+ times in total. Requires WordPress 4.7.2+ and PHP 7.4+. Available on WordPress.org since 2013. Recently updated within the last 3 months. Downloads are up 14% this week. Top alternative: JWT Authentication for WP REST API.
3.8/541 reviews
3.0K+active installs
174K+total downloads
13 yearssince 2013
Overview
Connect your app to WordPress or use SSO to connect multiple websites with the same username and passwords. No 3rd party servers are needed with WP OAuth Server. Everything you need is in this plugin.
Features
- WP REST API Authentication. Provides ability to make authorized calls to protected REST API endpoints.
- WP REST API Lock Down. Prevent any calls to the REST API unless authorized
- Unlimited OAuth 2.0 Clients
- Support for Implicit Flow
- Built-In Resource Server
- Automated Authorization Flow (User does not have to see authorization screen)
- Easily Extend/ Modify the Endpoints
- OAuth 2.0 PKCE
- Modern and Legacy JWT authorization support. OAuth 2.0 JSON Web Token Support
Supported Grant Types
- Authentication Code w/Implicit
- User Credentials (Pro)
- Client Credentials (Pro)
- Refresh Token (Pro)
- …
Ratings & Reviews
3.841 reviews
5 ★
25
4 ★
3
3 ★
2
2 ★
1
1 ★
10
Recent Reviews
Serious security flaw — tokens remain valid after logout
by Jonathan Afranio·7 months ago
I tested WP OAuth Server (OAuth Authentication) in integration with a client application and found a serious issue: even after the user logs out from WordPress, the issued access token is still accepted by the /oauth/me endpoint, returning all user data.
This means any client application that has stored the token can continue accessing private information indefinitely, until the token expires, without verifying if the session on the server has ended.
I tried to work around the issue by enabling the introspection endpoint and validating the token on each request, but the plugin does not revoke the token on logout, making introspection ineffective for detecting logouts.
This flaw breaks a basic security principle of OAuth 2.0 and may expose sensitive data. I do not recommend using this plugin until token revocation upon logout is implemented.
Abandoned plugin
by Vic·1 year ago
It looks like the plugin is abandoned. Moreover, I bought a Pro version but it doesn’t work and nobody replies via the support email. I can’t even access my license key because the password restore doesn’t work on their website.
DO NOT use this plugin!
This plugin is really fantastic
by Northern Beaches Websites·2 years ago
I just want to say thank you to the developer, you have done a great job and saved me a tonne of time 🙂
Clear and easy
by robegb·2 years ago
Just what I expected, thanks!
WP OAuth Server Client
by uusr·2 years ago
Gives an error while logging in “Missing required parameter: scope”
Download Trends
Today: 41Yesterday: 76This week: 310Period total: 16K
Compatibility
| WordPress | 4.7.2+ requiredTested up to 6.9.0 |
| PHP | 7.4+ required |
Version Adoption
v4.5
41.4%
v4.4
35.6%
Other
10.2%
v4.3
7.6%
v4.2
5.1%
Top Alternatives to WP OAuth Server (OAuth Authentication)
Frequently Asked Questions
Changelog
4.5.0
- Security Update: A patch has been added to protect the private key during certain server configurations. Updating is highly recommended.
- Added a new admin notice for permalink setting recommendations.
- Updated with WP 6.9 and up to PHP 8.5.0.
Contributors
Plugin data sourced from WordPress.org. Analysis and metrics by PluginSift.