Skip to main content
WeCareRemote uses JWT (JSON Web Token) authentication to secure access to all features — the AI assistant, blog, and API calls. When you log in, you receive a token that proves your identity and travels with every request you make, so WeCareRemote knows who you are and what you are allowed to do.

Why JWT?

JWT tokens are well-suited to a platform like WeCareRemote because they are:
  • Self-contained. Each token carries your identity and role, so the AI assistant, blog, and video system can verify you without calling back to a central database on every request.
  • Stateless. The platform does not have to track sessions server-side, which keeps things fast and simple.
  • Portable. The same token works across every WeCareRemote component, which is why one login unlocks everything.
  • Tamper-evident. Tokens are cryptographically signed, so any modification invalidates them.

Logging in

You can log in to WeCareRemote through the platform’s dedicated login page or from any WordPress page that embeds the login form.
1

Go to the login page

Visit blog.wcr.is/test-1 or open any page that uses the [wcr_login_form] shortcode.
2

Enter your credentials

Type your email address and password, then submit the form.
3

Receive your role assignment

After a successful login, WeCareRemote assigns you a role — either blog (refugee user) or org_admin (NGO administrator). Your role controls which features and content you can access across the platform.

Token-based API access

The WeCareRemote AI assistant API requires a Bearer token on every request. Once you have your JWT token, include it in the Authorization header:
Authorization: Bearer <your-token>
For full details on obtaining your token and making authenticated requests, see JWT tokens.

Your user profile

After you log in, your profile is encoded in your JWT token. When the token is verified, WeCareRemote returns the following fields:
FieldDescription
idYour unique user identifier
usernameYour login username
nameYour display name
emailYour email address
permissionsAn array of roles assigned to your account
organization.nameThe name of your associated organization

Session lifecycle

A WeCareRemote session goes through three phases:
  1. Login — you submit credentials, the platform validates them, and issues a JWT.
  2. Active session — the token is attached to every request you make, either via cookies (in the browser) or the Authorization header (in API calls).
  3. Expiry or logout — once the token expires or you log out, you must log in again to receive a new token. Tokens cannot be refreshed indefinitely.
If you stay active on the platform, you typically will not notice token expiry. If you walk away for an extended period and return, you may be prompted to log in again.

Security best practices

  • Never share your token. Treat your JWT like a password — anyone with the token can act as you until it expires.
  • Use HTTPS only. All WeCareRemote endpoints are served over HTTPS. Do not call them over plain HTTP.
  • Store tokens in environment variables when using them in scripts or applications. Do not commit them to version control.
  • Log out from shared devices to invalidate your browser session.
  • Report compromised credentials immediately to your NGO administrator so they can rotate them.

JWT tokens

Learn how to obtain your token and use it in API requests.

User roles

Understand the difference between refugee user and NGO admin access.