
WP REST API Authentication

Published: November 25, 2018 | Updated: January 3rd, 2020

Overview

The REST API for WordPress has public and protected endpoints. By default, protected endpoints require a user to be authenticated and WordPress only supports cookie-based authentication. Using WP OAuth Server, protected endpoints can be accessed using an access token via OAuth2.

Generating an Access Token

In order to obtain an access token, you will have to decide what grant type your application can use. You can view the variety of grant types available with WP OAuth Server at https://wp-oauth.com/docs/general/grant-types/. All grant types will provide a valid access token required to make an authenticated request to the REST API.

How to make an authenticated request to the WP REST API

Requests to the WordPress REST API can be authenticated through the Authorization header. The request is very similar to basic authentication. The WP OAuth Server plugin adds Bearer Token Authentication support to the WP REST API. Simply pass an access token in the Authorization header as a Bearer Token with any request to the REST API.

If the access token is valid, the request will be authenticated.

Authorization: Bearer 123456789abcdefg

Authorization works by using the current_user_can function to check for capabilities. When an Authorization header is sent, the system applies the correct user and their capabilities to the request, as if that user were logged in.
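An added example, not part of the original page or the plugin's code: a Python client that builds the bearer-authenticated request described above, refuses non-HTTPS URLs and malformed tokens, and does not follow redirects. The host example.test, the default /wp-json/ prefix, the wp/v2/users/me route and the function names are assumptions for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# RFC 6750 b64token characters; excludes spaces, CR and LF.
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def build_rest_request(site_url, route, access_token):
    """Build a GET request for a REST route with the token as a Bearer credential."""
    parts = urlsplit(site_url)
    # A bearer token is replayable by anyone who reads it, so require TLS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing to send a bearer token over a non-https URL")
    # fullmatch blocks header injection through CR/LF or spaces in the token.
    if not B64TOKEN.fullmatch(access_token):
        raise ValueError("access token is not a valid bearer token string")
    # Assumption: the site serves the REST API under the default /wp-json/ prefix.
    url = site_url.rstrip("/") + "/wp-json/" + route.lstrip("/")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Accept", "application/json")
    return req


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the token is never resent to another URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def send(req, timeout=10):
    """Send the request and return (status, body); HTTP errors are returned, not raised."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Constructed sample values: example.test is a placeholder host and the
    # token is the sample from the page; nothing is sent to the network here.
    r = build_rest_request("https://example.test", "wp/v2/users/me", "123456789abcdefg")
    print(r.get_method(), r.full_url)
    print("Authorization:", r.get_header("Authorization"))
```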
