Why JWT?
JWT tokens are well-suited to a platform like WeCareRemote because they are:- Self-contained. Each token carries your identity and role, so the AI assistant, blog, and video system can verify you without calling back to a central database on every request.
- Stateless. The platform does not have to track sessions server-side, which keeps things fast and simple.
- Portable. The same token works across every WeCareRemote component, which is why one login unlocks everything.
- Tamper-evident. Tokens are cryptographically signed, so any modification invalidates them.
Logging in
You can log in to WeCareRemote through the platform’s dedicated login page or from any WordPress page that embeds the login form.Go to the login page
Visit blog.wcr.is/test-1 or open any page that uses the
[wcr_login_form] shortcode.Token-based API access
The WeCareRemote AI assistant API requires a Bearer token on every request. Once you have your JWT token, include it in theAuthorization header:
Your user profile
After you log in, your profile is encoded in your JWT token. When the token is verified, WeCareRemote returns the following fields:| Field | Description |
|---|---|
id | Your unique user identifier |
username | Your login username |
name | Your display name |
email | Your email address |
permissions | An array of roles assigned to your account |
organization.name | The name of your associated organization |
Session lifecycle
A WeCareRemote session goes through three phases:- Login — you submit credentials, the platform validates them, and issues a JWT.
- Active session — the token is attached to every request you make, either via cookies (in the browser) or the
Authorizationheader (in API calls). - Expiry or logout — once the token expires or you log out, you must log in again to receive a new token. Tokens cannot be refreshed indefinitely.
Security best practices
- Never share your token. Treat your JWT like a password — anyone with the token can act as you until it expires.
- Use HTTPS only. All WeCareRemote endpoints are served over HTTPS. Do not call them over plain HTTP.
- Store tokens in environment variables when using them in scripts or applications. Do not commit them to version control.
- Log out from shared devices to invalidate your browser session.
- Report compromised credentials immediately to your NGO administrator so they can rotate them.
JWT tokens
Learn how to obtain your token and use it in API requests.
User roles
Understand the difference between refugee user and NGO admin access.