In this tutorial, we're going to investigate authentication with the WordPress REST API.
By default, the WordPress REST API has some open endpoints and some cookie authentication endpoints.
The main rule of thumb is GET methods such as posts/pages/users are open methods but POST or PUT methods to create new users, for example, are closed methods and require the user to be logged in.
I'm a great believer that the WordPress REST API should be locked down by default, with an admin area setting to turn it on to the way it currently behaves. This is why I always turn off the REST API for everybody unless they are authorized. Visit the following link to disable the REST API: Disable REST API
There are generally three options when authenticating your WordPress REST API:
- Cookie authentication
- OAuth authentication
- Basic authentication
My favourite approach to authentication is OAuth, as it's generally more secure than the other methods and gives you more control over the apps that have access to your API.
Cookie authentication is the default authentication that comes with WordPress. When you log in to the dashboard, WordPress sets a cookie on your machine so that it knows you can access the admin area. The REST API uses this cookie together with nonces to authorize requests to the API.
A simpler solution is Basic authentication, which means third-party clients need to mimic a login to the WordPress site by passing the username and password in the headers of the API HTTP request.
$headers = array(
    // Basic authentication: the credentials are only base64-encoded, not encrypted
    'Authorization' => 'Basic ' . base64_encode( 'admin' . ':' . '12345' ),
);
This authorization needs to be done on every request made to the API and requires you to store the username and password in the external client.
Visiting http://website.com/wp-json will provide you with a list of the new endpoints.
To create an application for your REST API you can either use the GUI in the admin area or, if you use WP-CLI, run the command
wp oauth1 add --name=<consumer_name> --description=<consumer_description>
When a client is created you will be given the client key and the client secret; you need to give these to the third-party client. From these codes you'll be able to create the OAuth token that gives access to the API. To get temporary OAuth access you need to request access at the request endpoint, passing in the client key and client secret. I use the application Postman to make HTTP requests easy: under the Authorization tab in Postman you can select OAuth 1.0, and from there you can make a request and pass in the client key and secret. Enter this information and make a POST call to the request endpoint http://website.com/oauth1/request. The response of this endpoint will return the oauth_token and the oauth_token_secret. You can now take these values and navigate in your browser to the authorize endpoint, passing them in as a query string.
This will ask you to verify the user you are connecting to. If the information is correct, click on the Authorize button and you will be redirected to a page with the verification token. You then take this verification code, together with the short-term OAuth token and secret, and POST to
The return of this endpoint will provide you with the long-term oauth_token and oauth_token_secret.
Now you can make your first request to the endpoint using OAuth 1.0 with your:
- Client key
- Client secret
- OAuth token
- OAuth secret
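As an added example (not code from the original post or from the WordPress OAuth plugin), here is a minimal OAuth 1.0a HMAC-SHA1 signer in Python that builds the Authorization header for that final request from the four values above, so the client never has to send or store a password the way Basic authentication does. The endpoint path, key and token values below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(value):
    # OAuth 1.0a requires RFC 3986 encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # The signature base string: METHOD & base-URL & sorted, encoded parameters.
    # Query-string parameters are merged with the oauth_* parameters before sorting.
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    all_params = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in all_params)
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(param_str)])


def sign(base, consumer_secret, token_secret=""):
    # Signing key is consumer secret & token secret (token secret is empty for the request step).
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_header(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    # A fresh nonce and current timestamp per request let the server reject replays.
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(base_string(method, url, oauth), consumer_secret, token_secret)
    header = ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + header


if __name__ == "__main__":
    # Constructed placeholder credentials and endpoint (hypothetical site URL).
    print(oauth_header("GET", "http://website.com/wp-json/wp/v2/posts?per_page=2",
                       "ck", "cs", "tk", "ts"))
```

Send the returned string as the `Authorization` header of the request; the server recomputes the same base string from what it receives, so any mismatch in method, URL or parameters invalidates the signature.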