Using POSTMAN and WP REST API | WordPress OAuth Codex


Documentation under "How To" for WP OAuth Server

Postman is a REST API client used mainly for testing and building REST clients. Postman allows you to easily test almost any API with little setup. In this article, I will explain how to connect to WP REST API while using an access token provided by WP OAuth Server.

Things we will need

Before we begin

This article is going to use the following ID and Secret. You will need to create your own client in WP OAuth Server in order for this to work.

Client ID = 6lkmsGocFcvxVG4S5s3QCHGi5Pvutl8AHtXaalmP
Client Secret = yRntyrmDTquw7bOd0kHuFQ5mj2wtnSjVKGpi8MW2

Obtaining an Access Token

Connecting Postman to your WordPress site is the first step in gaining an access token.

  1. Set the method to “POST”.
  2. Enter your website URL along with “/oauth/token/”. Example:
  3. Click on the “Authorization” tab and select “Basic Auth” from the drop-down. Use the client ID as the username and the client secret as the password, then click “Update Request”. This will add a header to the request. As an alternative to sending a Basic Auth header, you can pass “client_id” and “client_secret” as body parameters.
  4. Click on the “Body” tab and choose “x-www-form-urlencoded” in the radio button selection.
  5. Add “grant_type” as key and “password” as the value.
  6. Add “username” as key and “your username for WP” as the value.
  7. Add “password” as key and “your password for the username in WP” as the value.
  8. Click “Send”.

The response from WP OAuth Server will be JSON, returned with an HTTP status code of 200 OK or 401 Unauthorized.

Common Results

200 OK
    {
        "access_token": "hc47cwtq93doxjs88o3ranb6xcoitqniqysg9peg",
        "expires_in": 3600,
        "token_type": "Bearer",
        "scope": "basic",
        "refresh_token": "mpzsqvseoxppm93qyahcfcwkbri0w71s4nxsclnz"
    }
401 Unauthorized
    {
        "error": "invalid_grant",
        "error_description": "Invalid username and password combination"
    }
401 Unauthorized
    {
        "error": "invalid_client",
        "error_description": "The client credentials are invalid"
    }

If all goes well, Postman will display the JSON returned from the OAuth Server. The JSON contains an access token. In this walkthrough, we only want the access_token.

Make WP REST API request

If you are not sure how to use WP REST API, visit

For this step, we will use a GET request for post revisions. This request requires that the user is authenticated in WP. Since we have the access_token for a user, we can use it as a means of authentication. We will use the endpoint that WP REST API specifies for the request, and append the parameter “access_token” to it. The value of the parameter is the access token we copied earlier from Postman. Appending the access_token parameter to any WP REST API call should authenticate the request and allow it to be made.

GET /posts/{post id}/revisions?access_token=xxxxxx
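The same two requests built outside Postman, as an added example that is not part of the original article or of WP OAuth Server. The function names, the host wp.example, the REST base path /wp-json/wp/v2 and all credentials are assumptions or constructed values; nothing is sent over the network.

```python
import base64
import json
import urllib.parse
import urllib.request

def build_token_request(site, client_id, client_secret, username, password):
    """Steps 1-8: POST {site}/oauth/token/ with Basic Auth and a form-encoded body."""
    if not site.startswith("https://"):
        # Basic Auth and the password grant both carry secrets that are only encoded, not encrypted.
        raise ValueError("token endpoint must be reached over HTTPS")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()
    return urllib.request.Request(
        site.rstrip("/") + "/oauth/token/", data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(status, raw):
    """Return the access_token on 200 OK; raise with the server's error otherwise."""
    doc = json.loads(raw)
    if status == 200 and doc.get("token_type", "").lower() == "bearer" and doc.get("access_token"):
        return doc["access_token"]
    raise PermissionError(f"{status} {doc.get('error')}: {doc.get('error_description')}")

def revisions_url(api_base, post_id, access_token):
    """GET /posts/{post id}/revisions?access_token=... as shown in the article."""
    # Query strings are commonly written to server and proxy logs, so treat
    # logged URLs that carry the token as sensitive.
    query = urllib.parse.urlencode({"access_token": access_token})
    return f"{api_base.rstrip('/')}/posts/{int(post_id)}/revisions?{query}"

if __name__ == "__main__":
    # Constructed sample values throughout.
    req = build_token_request("https://wp.example", "my-client-id", "my-client-secret",
                              "editor", "p@ss word")
    print(req.get_method(), req.full_url, req.data.decode())
    ok = '{"access_token": "constructed-token", "expires_in": 3600, "token_type": "Bearer"}'
    print(revisions_url("https://wp.example/wp-json/wp/v2", 42, parse_token_response(200, ok)))
    try:
        parse_token_response(401, '{"error": "invalid_client", '
                                  '"error_description": "The client credentials are invalid"}')
    except PermissionError as exc:
        print("rejected:", exc)
```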

Things to note

  • Gaining an access_token using Grant Type “Client Credentials” will not work. The access token MUST be assigned to a valid user in WP.
  • It seems like some have been having a hard time getting Postman to work as needed. I have provided an export for Postman that will set up the basics using the user credentials grant type. You can download it at the following link: WP OAuth Request Postman Export.