> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wcr.is/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate API requests with JWT tokens

> Learn how to obtain your WeCareRemote JWT token, pass it in API request headers, verify it, and handle token expiry and authentication errors.

WeCareRemote uses JSON Web Tokens (JWTs) to authenticate API requests. A JWT is a compact, self-contained token that encodes your user identity and permissions. Every time you call a protected endpoint — such as the AI assistant API — you include this token in your request header so WeCareRemote can verify who you are without requiring you to log in again.

A JWT has three parts joined by dots: `header.payload.signature`. The header describes the signing algorithm, the payload contains your identity and permissions, and the signature proves the token was issued by WeCareRemote and has not been altered. You do not need to construct tokens yourself — WeCareRemote issues them for you at login.

## Obtaining a token

Your JWT token is issued automatically when you log in through the WeCareRemote platform.

<Steps>
  <Step title="Log in to WeCareRemote">
    Sign in at [wcr.is/home](https://wcr.is/home) using your email and password.
  </Step>

  <Step title="Receive your token">
    On successful login, WeCareRemote issues a JWT token. The token encodes your user identity, role, and permissions.
  </Step>

  <Step title="Copy your token">
    Retrieve your token from the login response to use in API requests. You can also request it directly from the token endpoint shown below.
  </Step>
</Steps>

## Using your token in API requests

To fetch your JWT token directly, call the token endpoint:

```http theme={null}
GET /api/v1/wordpress_auth/jwt_token
Host: getme.global
```

The response returns your token:

```json theme={null}
{
  "success": true,
  "jwt_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

Pass the token in the `Authorization` header on every API request:

```http theme={null}
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

<Tip>
  The AI assistant API also uses Bearer token authentication. Use the same JWT token in the `Authorization` header when calling the AI assistant endpoints.
</Tip>

## Verifying your token

You can verify that your token is valid at any time by calling the verification endpoint.

**Endpoint:** `POST https://getme.global/api/v1/wordpress_auth/verify_jwt_token`

**Request body:**

```json theme={null}
{
  "token": "<your-jwt>"
}
```

**Successful response:**

A valid token returns your full user profile:

```json theme={null}
{
  "success": true,
  "user": {
    "id": 42,
    "username": "jane.doe",
    "name": "Jane Doe",
    "email": "jane@example.org",
    "permissions": ["org_admin"],
    "organization": {
      "name": "Helping Hands NGO"
    }
  }
}
```

The `permissions` array contains your assigned role — either `["blog"]` for refugee users or `["org_admin"]` for NGO administrators. See [user roles](/authentication/user-roles) for details on what each role can access.

## Token expiry and errors

<Warning>
  JWT tokens expire after a set period. If your token has expired, API requests will return a `401 Unauthorized` error. Log in again at [wcr.is/home](https://wcr.is/home) to receive a new token.
</Warning>

Common authentication errors:

| Status             | Meaning                                                                                      |
| ------------------ | -------------------------------------------------------------------------------------------- |
| `401 Unauthorized` | Your token is missing, malformed, or expired. Re-authenticate to get a fresh token.          |
| `403 Forbidden`    | Your token is valid but your role does not have permission to access the requested resource. |
