diff --git a/class-auth.php b/class-auth.php
index 204f3e1..a6c4d71 100644
--- a/class-auth.php
+++ b/class-auth.php
@@ -178,7 +178,22 @@ public function get_token( WP_REST_Request $request ) {
 );
 }
- if ( isset( $_COOKIE['refresh_token'] ) ) {
+ if ( ( isset( $username ) && ! isset( $password ) )
+ || ( ! isset( $username ) && isset( $password ) )
+ || ! isset( $_COOKIE['refresh_token'] ) ) {
+ $user = new WP_Error(
+ 'jwt_auth_missing_credentials',
+ __( 'Username and password are required', 'jwt-auth' ),
+ array(
+ 'status' => 400,
+ )
+ );
+ }
+
+ if ( isset( $username ) && isset( $password ) ) {
+ $user = $this->authenticate_user( $username, $password, $custom_auth );
+ }
+ elseif ( isset( $_COOKIE['refresh_token'] ) ) {
 $device = $request->get_param( 'device' ) ?: '';
 $user_id = $this->validate_refresh_token( $_COOKIE['refresh_token'], $device );
@@ -187,8 +202,16 @@ public function get_token( WP_REST_Request $request ) {
 return $user_id;
 }
 $user = get_user_by( 'id', $user_id );
- } else {
- $user = $this->authenticate_user( $username, $password, $custom_auth );
+
+ if ( ! $user ) {
+ $user = new WP_Error(
+ 'jwt_auth_invalid_refresh_token',
+ __( 'Invalid refresh token', 'jwt-auth' ),
+ array(
+ 'status' => 401,
+ )
+ );
+ }
 }
 // If the authentication is failed return error response.
@@ -465,8 +488,8 @@ public function validate_token( $return_response = true ) {
 array(
 'success' => false,
 'statusCode' => 401,
- 'code' => 'jwt_auth_user_not_found',
- 'message' => __( "User doesn't exist", 'jwt-auth' ),
+ 'code' => 'jwt_auth_invalid_token',
+ 'message' => __( "Invalid token", 'jwt-auth' ),
 'data' => array(),
 ),
 401
diff --git a/readme.txt b/readme.txt
index a11918f..55ef295 100644
--- a/readme.txt
+++ b/readme.txt
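Review bot: The partial-credentials guard in the new first `if` is overwritten whenever a refresh-token cookie is present: with only `$username` (or only `$password`) set and the cookie present, `$user` is first set to the 400 `WP_Error` and then replaced by the `elseif` refresh-token branch, so the request silently falls back to the cookie instead of being rejected. The third disjunct `! isset( $_COOKIE['refresh_token'] )` also fires for a complete username/password pair, which only works because the following `if` happens to overwrite `$user` again. Chaining the three outcomes as one `if`/`elseif`/`else` makes the credential path, the rejection and the cookie path mutually exclusive, as sketched below; I read the guard's intent (reject partial credentials rather than fall back to the cookie) from the xor-shaped condition, so confirm that is what was meant. Putting `elseif` on the closing-brace line (`} elseif (`) would also match WordPress coding style. `get_token` starts and ends outside this hunk.
```php
if ( isset( $username ) && isset( $password ) ) {
	$user = $this->authenticate_user( $username, $password, $custom_auth );
} elseif ( isset( $username ) || isset( $password ) || ! isset( $_COOKIE['refresh_token'] ) ) {
	// Reached only with at most one credential: a partial username/password pair,
	// or nothing usable at all. Rejected before the cookie is consulted.
	$user = new WP_Error(
		'jwt_auth_missing_credentials',
		__( 'Username and password are required', 'jwt-auth' ),
		array(
			'status' => 400,
		)
	);
} else {
	$device  = $request->get_param( 'device' ) ?: '';
	// … unchanged: refresh-token validation and user lookup …
```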
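Review bot: The new `if ( ! $user )` branch reports a refresh token that validated but whose user record no longer exists as `jwt_auth_invalid_refresh_token`, and nothing in the code says that the conflation is deliberate. The `validate_token` hunk below makes the same choice for access tokens (`jwt_auth_user_not_found` becomes `jwt_auth_invalid_token`), which reads as intentionally not distinguishing a deleted account from a bad token; a comment above the check would stop the next maintainer from "fixing" it, e.g. `// The token validated but its user is gone; report it as an invalid token so the response does not reveal whether the account exists.`. If that reading is wrong, the comment should state the actual reason instead. The enclosing `elseif` block opens in the previous hunk and `get_token` continues past this one.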
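Review bot: Renaming the error from `jwt_auth_user_not_found` to `jwt_auth_invalid_token` in `validate_token` is a client-visible contract change that the commit does not document: any client matching on the old code stops recognising this case, and the readme still carries a `= User Not Found =` section while the new `= 3.0.x =` changelog entry mentions only the credential-priority fix. A changelog line such as `- Change: validate_token now reports a missing user as jwt_auth_invalid_token instead of jwt_auth_user_not_found.` and a matching update to the readme's error-response samples would close that gap. The intent appears to be not revealing whether the account exists, which is worth stating next to the response, e.g. `// Deliberately indistinguishable from a bad token: do not reveal whether the user still exists.`; confirm that is the reason. `validate_token` starts and ends outside this hunk.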
@@ -296,6 +296,18 @@ If the token is invalid an error will be returned. Here are some samples of erro
 }
 `
+= Missing Username and / or Password or Refresh Token =
+
+`
+{
+ "success": false,
+ "statusCode": 400,
+ "code": "jwt_auth_missing_credentials",
+ "message": "Username and password are required",
+ "data": []
+}
+`
+
 = User Not Found =
 `
@@ -803,6 +815,9 @@ You can help this plugin stay alive and maintained by giving **5 Stars** Rating/
 3. Other error responses
 == Changelog ==
+= 3.0.x =
+- Fix: Prioritise authentication with user credentials over refresh token if both are sent.
+
 = 3.0.2 =
 - Fix: Do not revalidate authentication headers if a valid user was determined already. (#75)
 - Fix: Added debugging timeframe before purging refresh tokens. (#93)