WP REST API Bearer Token Authentication

Documentation under "How To" for WP OAuth Server


In some cases, you may feel more comfortable using a Bearer Token for authorization. Sending an access token as a Bearer Token is useful when you want to conceal the access token in a request header instead of sending it in the body of the request. Sending a bearer token is simple, and if you are familiar with basic authorization, bearer tokens will make a lot of sense. To send a bearer token for permission against a protected resource, send only one Authorization header in the following format:

Authorization: Bearer pwwbkvv7abqzonnvztpea91ich7vprwdorbt4w4m

When you send a bearer token, you cannot send any other authorization header. The OAuth2 specification states that only one authorization header can be used. If more than one authorization header is presented at the same time, a 400 Bad Request may be returned.
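The single-header rule above can be checked on the client before a request leaves. The following is an added example, not code from WP OAuth Server: checkBearerHeaders and redact are hypothetical helper names, the token pattern is the b64token syntax from RFC 6750, and every status other than the 400 for duplicate headers is an assumption about how a server following RFC 6750 responds.

```javascript
// Added example: pre-flight check for the "one Authorization header" rule.
// B64TOKEN is the bearer credential syntax from RFC 6750, section 2.1.
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// headers: array of [name, value] pairs, so duplicates are preserved
// (an object or Map would silently collapse them).
function checkBearerHeaders(headers) {
  const auth = headers.filter(([name]) => name.toLowerCase() === 'authorization');

  if (auth.length === 0) {
    return { ok: false, status: 401, reason: 'no Authorization header' };
  }
  if (auth.length > 1) {
    // The case the page warns about: the server may answer 400 Bad Request.
    return { ok: false, status: 400, reason: 'more than one Authorization header' };
  }

  // Expect "<scheme> <credentials>" separated by a single space.
  const value = auth[0][1];
  const space = value.indexOf(' ');
  const scheme = space === -1 ? value : value.slice(0, space);
  const token = space === -1 ? '' : value.slice(space + 1);

  if (scheme.toLowerCase() !== 'bearer') {
    return { ok: false, status: 401, reason: 'scheme is not Bearer' };
  }
  if (!B64TOKEN.test(token)) {
    return { ok: false, status: 400, reason: 'malformed bearer token' };
  }
  return { ok: true, status: 200, token };
}

// Keep tokens out of logs: show a short prefix only.
function redact(token) {
  return token.slice(0, 4) + '...(' + token.length + ' chars)';
}

// Constructed sample requests (the token value is the page's example token).
const TOKEN = 'pwwbkvv7abqzonnvztpea91ich7vprwdorbt4w4m';
const samples = [
  [['Authorization', 'Bearer ' + TOKEN], ['Cache-Control', 'no-cache']],
  [['Authorization', 'Bearer ' + TOKEN], ['authorization', 'Basic dXNlcjpwYXNz']],
  [['Authorization', 'Bearer not a token']],
  [['Cache-Control', 'no-cache']],
];
for (const h of samples) {
  const r = checkBearerHeaders(h);
  console.log(r.status, r.ok ? redact(r.token) : r.reason);
}
```

The headers are passed as name/value pairs on purpose: most header objects merge or overwrite duplicate names, which would hide exactly the condition being checked.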

PHP cURL example of authenticating using a bearer token

// Initialise a cURL handle for the request.
$curl = curl_init();

curl_setopt_array($curl, array(
  // Development URL; use https:// in production so the token is not sent in clear text.
  CURLOPT_URL => "http://wordpress.dev/wp-json/wp/v2/posts/1178/revisions/",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "GET",
  CURLOPT_HTTPHEADER => array(
    // Exactly one Authorization header, carrying the access token.
    "authorization: Bearer pwwbkvv7abqzonnvztpea91ich7vprwdorbt4w4m",
    "cache-control: no-cache"
  ),
));

// Send the request and capture any transport-level error.
$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

jQuery AJAX example of authenticating using a bearer token

var access_token = 'pwwbkvv7abqzonnvztpea91ich7vprwdorbt4w4m';
jQuery.ajax( {
    url: 'https://{your-server-url}/me/',
    type: 'POST',
    data: { content: 'testing testing' },
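    beforeSend: function( xhr ) {
        // Set the single Authorization header in the format shown above.
        xhr.setRequestHeader( 'Authorization', 'Bearer ' + access_token );
    },
    success: function( response ) {
        // Handle the response from the protected resource here.
    }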
} );