WordPress is creating nonce as a logged in user but verifying it incorrectly

This is happening because a separate nonce with the action wp_rest is not being sent by the server to the client and received back from the client in an HTTP request header called X-WP-Nonce with every REST request.

To get this working, you will have to generate a nonce like this:

wp_create_nonce('wp_rest')

…and provide it to the client making the rest call. Once your client has the nonce value, you need to add it to every REST request e.g.:

headers: {
    'X-WP-Nonce': nonce,
}

Creating the nonce on the server and accessing it on the client can be done several ways. Using wp_localize_script() is the most common and probably best practice for WordPress. wp_localize_script() addds a global variable to the client for a script to access. See https://developer.wordpress.org/reference/functions/wp_localize_script/.

Related Posts:

  1. AJAX call not initializing for non-admins in WordPress
  2. How to get a unique nonce for each Ajax request?
  3. Nonces and Cache
  4. Stop admin-ajax?
  5. Is it safe to assume that a nonce may be validated more than once?
  6. Multiple ajax nonce requests
  7. AJAX request on the frontend always returns 0 if user is not admin
  8. Using Nonces for AJAX that only retrieves data
  9. How to verify nonce from Bulk/Quick Edit in save_post?
  10. How can I get logged in user’s session data from admin-ajax?
  11. How to add WordPress nonces to ajax request
  12. Nonces and Ajax request to REST API and verification
  13. Ajax function returns -1
  14. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  15. wp_verify_nonce always returns false when logged in as admin
  16. ajax and nonce when JavaScript is in a seperate file
  17. wp_verify_nonce doesn’t return true on server when it matches the nonce
  18. How to allow to user non logged in WP system upload in media library?
  19. AJAX requests broken due to HTTPS for wp-admin
  20. Check if username exist with AJAX
  21. Nonces, AJAX, script variables & security in WordPress
  22. Why does WordPress Heartbeat login not refresh the nonces?
  23. wp-admin AJAX with Fetch API is done without user
  24. How do I check if AJAX nonces are implemented correctly?
  25. How to check an ajax nonce in PHP
  26. Can a wp_nonce created from domain 1 to be verified on domain 2?
  27. Force redirect not logged in user to (wp-login.php or wp-admin) for specific page
  28. how to send Ajax request in wordpress backend
  29. Identical wp_rest nonce returned from rest_api
  30. WP Admin AJAX Security – using POST to include a relative URL
  31. wp_create_nonce() in REST API makes user->ID zero
  32. ajax nonce verification failing
  33. Plugin: AJAX query external API to sync to tables
  34. SSO autologin WordPress + Ajax
  35. Nonce fails on ajax save
  36. Ajax Request for both logged and non logged users
  37. Unable to successfully verify nonce
  38. Cache plugins and ajax nonce verification
  39. Nonce doesn’t validate in nopriv call
  40. Why does check_ajax_referer give a 403 error on https websites?
  41. javascript ajax and nonce
  42. How to check nonce lifetime value of plugins?
  43. Using nonce when loading posts with AJAX
  44. admin-ajax.php returns 0 even when the post status code is 200 OK
  45. Should wordpress nonce be placed in html form or in javascript file
  46. Add Server Side validation in Ajax mail form
  47. Can I use application/json content type in WordPress
  48. wp_verify_nonce not working on the mobile device
  49. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  50. AJAX form not working, still reloads on submit
  51. Ajax Security regarding user priviliges and nonces
  52. How to use nonces for frontend AJAX voting if the page gets cached?
  53. admin ajax is not working for non logged in users
  54. WordPress wp_localize_script nonce and ajax URL
  55. How to stop a nonce from being cached in an inline script, or alternatives to regenerate it if expired?
  56. How do i set up ajax nonce
  57. nonce_user_logged_out to assign guests unique nonces breaks ajax calls
  58. Nonce verification problem when logging in after a logout
  59. PHP “php://input” vs $_POST
  60. Google Maps API throws “Uncaught ReferenceError: google is not defined” only when using AJAX
  61. Access-Control-Allow-Origin error sending a jQuery Post to Google API’s
  62. Access-Control-Allow-Origin error sending a jQuery Post to Google API’s
  63. How to solve the error “SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.” in IE
  64. Show spinner GIF during an $http request in AngularJS?
  65. Refresh HTML Page in Browser Automatically on Timer – Every 15 Min
  66. jQuery Form Validation before Ajax submit
  67. JavaScript implementation of Gzip
  68. jQuery: Performing synchronous AJAX requests
  69. ASP.NET MVC controller actions that return JSON or partial html
  70. jQuery’s .on() method combined with the submit event
  71. Ajax takes 10x as long as it should/could
  72. Admin Ajax is returning 0
  73. How to check if I am in admin-ajax.php?
  74. wp_verify_nonce vs check_admin_referer
  75. Best way to end WordPress ajax request and why?
  76. How to load wp_editor() through AJAX/jQuery
  77. Admin Page Redirect
  78. How does admin-ajax.php work?
  79. How to cache json with wp-super cache
  80. Load minimum WordPress environment
  81. Why use wp_send_json() over echo json_encode()?
  82. Why use admin-ajax.php and how does it work?
  83. Can I use the same nonce for multiple requests on the same page?
  84. Open a Thickbox with content trough AJAX
  85. Setting admin edit panels & metaboxes positions and visibility for ALL users and admins
  86. Initialize TinyMCE editor / visual editor after AJAX insert
  87. Showing User’s Post Counts by Custom Post Type in the Admin’s User List?
  88. Update post counts (published, draft, unattached) in admin interface
  89. Why not register shortcodes if is_admin dashboard?
  90. WordPress AJAX with Axios
  91. Why is die() used at the end of function that handles an Ajax request?
  92. Why might a plugin’s ‘do_shortcode’ not work in an AJAX request?
  93. Making my AJAX powered WordPress Crawlable
  94. Is there a JavaScript API? How to access public and private data in JS?
  95. Get Previous & Next posts by Post ID
  96. is_admin() returns true when using admin-ajax.php from front end script
  97. failed to load wp-admin/admin-ajax.php
  98. How to save dismissable notice state in WP 4.2?
  99. Using Backbone with the WordPress AJAX API
  100. Using Ajax with a Class file
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)