- Show advanced settings: This will show the plugin's and provider-specific advanced settings.
- Providers: The list of registered authentication providers. Providers with a green dot are enabled. Click the provider name to edit its settings.
- Provider Settings: The settings for the selected provider. The settings will vary depending on the provider, but usually include the following:
  - Client label: The name of the Client that will be displayed to users.
  - Client ID: The Client ID created by the provider.
  - Client secret: The Client secret created by the provider.
  - Redirect URI: The Redirect URI that the provider will send the authentication response to. This should be the URL of the Callback API route in your headless app.
- Login Settings: The provider-specific settings for provisioning a user. The settings will vary depending on the provider but usually include the following:
  - Login existing users: If enabled, the plugin will attempt to log in an existing WordPress user with the same email address as the Resource Owner sent from the provider.
  - Create new users: If enabled, the plugin will create a new WordPress user if the Resource Owner does not have an existing linked account (or one with the same email address if Login existing users is enabled).
  - Set authentication cookie: If enabled, the plugin will set a WordPress authentication cookie on successful login. This is useful if you want to use your headless app and WP Admin with the same user session.
- Plugin Settings: These settings are specific to the plugin and don't vary by provider:
  - Regenerate JWT Secret: This will regenerate the JWT site secret used to authenticate the GraphQL requests. Changing the secret will invalidate all existing JWT tokens.
    Note: You can also set the JWT secret with code using the `WPGRAPHQL_LOGIN_JWT_SECRET_KEY` constant or the `graphql_login_jwt_secret_key` filter.
  - Delete plugin data on deactivate: If enabled, the plugin will delete all of its data when deactivated. This includes all of the plugin's settings including the client configurations. Note: The user meta will not be deleted.
- Access Control Settings: These settings let you configure CORS headers and tighten the security of GraphQL requests.
  - Block Unauthorized Domains: If enabled, the plugin will block all requests from unauthorized domains. This is useful if you want to prevent unauthorized domains from making GraphQL requests.
  - Add Access-Control-Allow-Credentials: If enabled, the plugin will add the `Access-Control-Allow-Credentials` header to GraphQL requests. This is useful if you want to allow authenticated requests from a different domain than the WordPress site URL. Requires Block Unauthorized Domains to be enabled.
  - Add Site URL to Access-Control-Allow-Origin: If enabled, the plugin will add the WordPress site URL to the `Access-Control-Allow-Origin` header.
  - Additional Authorized Domains: A list of additional domains that will be allowed to make GraphQL requests. This is useful if you want to allow requests from a different domain than the WordPress site URL.
  - Custom Headers: A list of custom headers that will be added to Access-Control-Allow-Headers. This is useful if your custom implementation requires additional headers.
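
A way to check that a GraphQL response's CORS headers match the Access Control Settings above, as an added example that is not part of the plugin or its documentation. `auditCors`, the `expected` object and the finding names are hypothetical, and the hostnames and header sets are constructed.

```javascript
// Added example (not the plugin's code). `expected` mirrors the Access Control
// Settings described above; every hostname and header set here is constructed.
const norm = (origin) => String(origin).trim().toLowerCase().replace(/\/+$/, '');

function auditCors(requestOrigin, responseHeaders, expected) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h['access-control-allow-origin'] || '';
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const origin = norm(requestOrigin);
  const authorized = expected.authorizedOrigins.map(norm).includes(origin);
  const echoed = acao !== '' && norm(acao) === origin;
  const findings = [];

  // Browsers reject credentialed responses whose allowed origin is "*".
  if (acao === '*' && creds) findings.push('wildcard-with-credentials');
  // With blocking on, only listed origins should ever be allowed.
  if (expected.blockUnauthorizedDomains && acao === '*') findings.push('wildcard-origin');
  if (expected.blockUnauthorizedDomains && echoed && !authorized) {
    findings.push('unauthorized-origin-allowed');
    if (creds) findings.push('credentials-to-unauthorized-origin');
  }
  // A listed origin must be echoed back, or the headless app's requests fail.
  if (authorized && !echoed && acao !== '*') findings.push('authorized-origin-not-allowed');
  if (authorized && echoed && expected.allowCredentials && !creds) {
    findings.push('credentials-header-missing');
  }
  return findings;
}

// Intended configuration: site URL plus one additional authorized domain.
const expected = {
  blockUnauthorizedDomains: true,
  allowCredentials: true,
  authorizedOrigins: ['https://cms.example.test', 'https://app.example.test'],
};

// Constructed response that allows an unlisted origin, with credentials.
console.log(auditCors('https://other.example.test', {
  'Access-Control-Allow-Origin': 'https://other.example.test',
  'Access-Control-Allow-Credentials': 'true',
}, expected));
```

Feed it the headers of a real response captured with the `Origin` request header set to each domain you want to test; an empty result means the response matches the intended settings.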