The REST API for WordPress has public and protected endpoints. By default, protected endpoints require a user to be authenticated and WordPress only supports cookie-based authentication. Using WP OAuth Server, protected endpoints can be accessed using an access token via OAuth2.
Generating an Access Token
In order to obtain an access token, you will have to decide what grant type your application can use. You can view the variety of grant types available with WP OAuth Server at https://wp-oauth.com/docs/general/grant-types/. All grant types will provide a valid access token required to make an authenticated request to the REST API.
How to make an authenticated request to the WP REST API
Authorizing for the WordPress REST API can be done through header authentication. This request is very similar to basic authentication. The WP OAuth Server plugin adds Bearer Token Authentication support to the WP REST API. Simply pass an access token in the header as a Bearer Token during any request to the REST API.
If the access token is valid, the requests will be authenticated.
The authorization works by using the current_user_can function to check for capabilities. When an authorization header is sent, the system applies the correct user and their capabilities to the request as if they are logged in.