> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wcr.is/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication on WeCareRemote

> WeCareRemote uses JWT tokens to secure the AI assistant, blog, and API. Learn how login works and how your token controls what you can access.

WeCareRemote uses JWT (JSON Web Token) authentication to secure access to all features — the AI assistant, blog, and API calls. When you log in, you receive a token that proves your identity and travels with every request you make, so WeCareRemote knows who you are and what you are allowed to do.

## Why JWT?

JWT tokens are well-suited to a platform like WeCareRemote because they are:

* **Self-contained.** Each token carries your identity and role, so the AI assistant, blog, and video system can verify you without calling back to a central database on every request.
* **Stateless.** The platform does not have to track sessions server-side, which keeps things fast and simple.
* **Portable.** The same token works across every WeCareRemote component, which is why one login unlocks everything.
* **Tamper-evident.** Tokens are cryptographically signed, so any modification invalidates them.

## Logging in

You can log in to WeCareRemote through the platform's dedicated login page or from any WordPress page that embeds the login form.

<Steps>
  <Step title="Go to the login page">
    Visit [blog.wcr.is/test-1](https://blog.wcr.is/test-1/) or open any page that uses the `[wcr_login_form]` shortcode.
  </Step>

  <Step title="Enter your credentials">
    Type your email address and password, then submit the form.
  </Step>

  <Step title="Receive your role assignment">
    After a successful login, WeCareRemote assigns you a role — either `blog` (refugee user) or `org_admin` (NGO administrator). Your role controls which features and content you can access across the platform.
  </Step>
</Steps>

## Token-based API access

The WeCareRemote AI assistant API requires a Bearer token on every request. Once you have your JWT token, include it in the `Authorization` header:

```http theme={null}
Authorization: Bearer <your-token>
```

For full details on obtaining your token and making authenticated requests, see [JWT tokens](/authentication/jwt-auth).

## Your user profile

After you log in, your profile is encoded in your JWT token. When the token is verified, WeCareRemote returns the following fields:

| Field               | Description                                |
| ------------------- | ------------------------------------------ |
| `id`                | Your unique user identifier                |
| `username`          | Your login username                        |
| `name`              | Your display name                          |
| `email`             | Your email address                         |
| `permissions`       | An array of roles assigned to your account |
| `organization.name` | The name of your associated organization   |

## Session lifecycle

A WeCareRemote session goes through three phases:

1. **Login** — you submit credentials, the platform validates them, and issues a JWT.
2. **Active session** — the token is attached to every request you make, either via cookies (in the browser) or the `Authorization` header (in API calls).
3. **Expiry or logout** — once the token expires or you log out, you must log in again to receive a new token. Tokens cannot be refreshed indefinitely.

If you stay active on the platform, you typically will not notice token expiry. If you walk away for an extended period and return, you may be prompted to log in again.

## Security best practices

* **Never share your token.** Treat your JWT like a password — anyone with the token can act as you until it expires.
* **Use HTTPS only.** All WeCareRemote endpoints are served over HTTPS. Do not call them over plain HTTP.
* **Store tokens in environment variables** when using them in scripts or applications. Do not commit them to version control.
* **Log out from shared devices** to invalidate your browser session.
* **Report compromised credentials immediately** to your NGO administrator so they can rotate them.

<CardGroup cols={2}>
  <Card title="JWT tokens" icon="key" href="/authentication/jwt-auth">
    Learn how to obtain your token and use it in API requests.
  </Card>

  <Card title="User roles" icon="users" href="/authentication/user-roles">
    Understand the difference between refugee user and NGO admin access.
  </Card>
</CardGroup>
