Thanks @marcelopazzo, this answers my original question regarding the need for a legacy Plex token.
However, I am unable to get the Plex JWT from the last step.
After the user signs in to the Plex login page (from the auth url), I query the pin endpoint with my signed device JWT, but there is no Plex JWT in the response.
Did you get any error, or just a plain legacy token in the authToken field? If any fields are missing in the device JWT provided, the endpoint should return an error message with the details.
I kept getting a legacy token in the authToken field.
After more fiddling around, I think I found the problem. The pin endpoint
GET https://clients.plex.tv/api/v2/pins/<pinID>?deviceJWT=<signedJWT>
does not work with a JSON response. As soon as I remove the Accept: application/json header and use the XML response, it is working and I get the Plex JWT in the authToken field.
Second question: does this Plex JWT authentication method work with the 4-digit code method used at https://plex.tv/link (i.e. without strong=true) instead of using the auth URL?
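As an added example (my own code, not from this thread, from Plex, or from any Plex client library): a small helper that builds the pin-poll URL quoted above, pulls the authToken out of either the XML or the JSON body, and tells a Plex JWT apart from a legacy token by structure, so the "plain legacy token in authToken" case is caught before the token is stored. Assumptions: the XML response carries authToken as an attribute on the root `<pin>` element (with a child-element fallback), the JSON response is a flat object with an `authToken` key, and the sample bodies below are constructed, not captured Plex output; which format yields which token kind is whatever the server actually returns, not what the samples show. The classification is structural only and does not verify the JWT signature.

```python
"""Added example: parse the pin endpoint response and classify the authToken.

Not Plex's code. Response shapes are constructed samples that only mirror
the field name (authToken) discussed in the thread.
"""
import base64
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

PIN_ENDPOINT = "https://clients.plex.tv/api/v2/pins/{pin_id}"


def build_pin_url(pin_id, signed_device_jwt):
    """URL for polling a pin; the signed device JWT travels in the query string."""
    query = urlencode({"deviceJWT": signed_device_jwt})
    return f"{PIN_ENDPOINT.format(pin_id=pin_id)}?{query}"


def extract_auth_token(body, content_type):
    """Return the authToken from a JSON or XML pin response, or None if unset."""
    if "json" in content_type:
        return json.loads(body).get("authToken") or None
    root = ET.fromstring(body)
    # Assumption: attribute on the <pin> root; fall back to a child element.
    return root.get("authToken") or root.findtext("authToken") or None


def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def jwt_header(token):
    """Decode the JOSE header of a compact JWT (no signature verification)."""
    return _b64url_json(token.split(".")[0])


def classify_token(token):
    """'jwt' for three base64url segments with a JSON header carrying 'alg',
    'legacy' for any other non-empty string, 'none' when no token is present."""
    if not token:
        return "none"
    parts = token.split(".")
    if len(parts) == 3 and all(re.fullmatch(r"[A-Za-z0-9_-]+", p) for p in parts):
        try:
            header = jwt_header(token)
        except ValueError:  # bad base64 or bad JSON in the first segment
            return "legacy"
        if isinstance(header, dict) and "alg" in header:
            return "jwt"
    return "legacy"


# Constructed samples (not real Plex tokens or responses).
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"ES256","typ":"JWT"}'),
    _b64url(b'{"sub":"example-user"}'),
    _b64url(b"signature"),
])
SAMPLE_XML = f'<pin id="123" code="ABCD" authToken="{SAMPLE_JWT}"/>'
SAMPLE_JSON = '{"id": 123, "code": "ABCD", "authToken": "legacytoken1234"}'
SAMPLE_PENDING_XML = '<pin id="123" code="ABCD" authToken=""/>'

if __name__ == "__main__":
    print(build_pin_url(123, "<signedJWT>"))
    for body, ctype in [(SAMPLE_XML, "application/xml"),
                        (SAMPLE_JSON, "application/json"),
                        (SAMPLE_PENDING_XML, "application/xml")]:
        token = extract_auth_token(body, ctype)
        print(ctype, "->", classify_token(token))
```

In a real poll loop, "none" means the user has not finished signing in yet (keep polling), "legacy" means the request did not produce a device-bound JWT and should be treated as a failure rather than silently persisted, and "jwt" is the only outcome worth keeping.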
Sorry for the delay in getting back to you, but with a 4-digit code, you will need to use the http://plex.tv/link interface instead of the /auth page. Is there any scenario where we need to use a short pin on the /auth interface?
I think everything is actually working properly: both XML and JSON, and both OAuth and the 4-digit code.
I needed to generate a completely new client identifier and keypair to properly do a clean test of each method. Trying to reuse the same client identifier or keypair when swapping between XML and JSON or between OAuth and 4-digit code causes issues.
Any plans to actually implement API-level keys, similar to how other platforms do it? For example, currently WatchState, which is a tool that allows Plex server owners to sync their users' play state, relies on the admin token to generate sub-tokens for users who have access to the Plex server.
Ideally, there will be API keys that could be used with tools and users are identified by their IDs and their data accessed that way.
Plex currently has:
1- main user
2- home users
3- users whom have access to the server
Generating keys and tokens and trying to keep all of those in sync is rather difficult.
Also, I am not sure if this is the case, but users who have access to the server who aren't home users are supposed to be different accounts, yeah? If so, isn't uploading a pubkey to their account kind of exposing them to more security issues?
Currently tokens are tied to the server, not an account, AFAIK.