Authenticating with REST API

You don’t need plugins for authentication unless you’re making a cross domain request, and to get the nonce, you just create it as you would any other nonce.

As the handbook states:

For developers making manual Ajax requests, the nonce will need to be passed with each request. The API uses nonces with the action set to wp_rest. These can then be passed to the API via the _wpnonce data parameter (either POST data or in the query for GET requests), or via the X-WP-Nonce header. If no nonce is provided the API will set the current user to 0, turning the request into an unauthenticated request, even if you’re logged into WordPress.

So lets do that:

$nonce = wp_create_nonce( 'wp_rest' );

There’s nothing special about how the nonce gets created, it’s created the same way as every other nonce in WordPress. You would use the same function to put nonces on your action buttons and in your forms to improve security.

Now we just put it in our doc in a way javascript can access it. Luckily the handbook gives us a working code example:

https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

<?php
wp_localize_script( 'wp-api', 'wpApiSettings', array(
    'root' => esc_url_raw( rest_url() ),
    'nonce' => wp_create_nonce( 'wp_rest' )
) );

Followed by a working example of using the nonce in jQuery for an authenticated POST request:

$.ajax( {
    url: wpApiSettings.root + 'wp/v2/posts/1',
    method: 'POST',
    beforeSend: function ( xhr ) {
        xhr.setRequestHeader( 'X-WP-Nonce', wpApiSettings.nonce );
    },
    data:{
        'title' : 'Hello Moon'
    }
} ).done( function ( response ) {
    console.log( response );
} );

If you enqueue the built in backbone based REST library, it will automatically generate the nonce using the same code above.

This will work when combined with a cookie for a logged in user, however, it will not work for requests across domains.

If you’re trying to make a REST API request from another website, a CLI app, mobile app, a Node application, etc etc you will need a custom authentication plugin. You will need to consult with their documentation and support avenues though as 3rd party plugin dev support is offtopic on this stack

Related Posts:

  1. How to: Make JWT-authenticated requests to the WordPress API
  2. WordPress Rest API: How do we validate with our custom API key?
  3. How to Authenticate WP REST API with JWT Authentication using Fetch API
  4. authentication issue with rest api – rest_cannot_create
  5. Can I authenticate with both WooCommerce consumer key and JWT?
  6. WP REST API: check if user is logged in
  7. How to login to WordPress site using basic authentication HTTP headers?
  8. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  9. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  10. Can’t GET draft posts via REST API from headless frontend
  11. Create Session with JWT
  12. WP REST API GET Requests require authentication
  13. current_user_can(‘administrator’) returns false when I’m logged in
  14. Make authorization mandatory on custom routes
  15. WP REST API – Nonce passes wp_verify_nonce even after logout
  16. How to force JWT auth for default GET endpoints of WordPress rest api?
  17. REST API: best place to set current user for JWT auth?
  18. WordPress + REST API v2 and private pages Load by slug
  19. REST API authentication for a plugin
  20. PHP: authenticate for a REST request?
  21. Rest API basic auth not working
  22. Authenticate current user to REST API
  23. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  24. Getting 401 from ajax using an application password
  25. How to connect android app with WordPress website?
  26. WordPress REST API calls that depend on the WordPress User
  27. WordPress HTTP API NTLM Authentication
  28. Advanced Access Manager: RESTful endpoint to refresh token
  29. Best Authetication between REST API and Mobile App
  30. Log in user using WordPress REST API
  31. Secure WordPress API, how?
  32. wp_nonce vs jwt
  33. register/login api
  34. How can I secure my custom rest api endpoint or add under a already existing rest group
  35. Register rest field authentication with REST API
  36. REST API Integration without user account?
  37. WP REST API with Basic Auth at target website
  38. Cant POST with REST API on WordPress
  39. REST API – Authentication/Logon security
  40. custom REST endpoints and application passwords
  41. wordpress rest api authentication failed
  42. Does something like is_rest() exist
  43. WP REST API — How to change HTTP Response status code?
  44. Search WP API using the post title
  45. Understanding SHORTINIT with WordPress 5
  46. Filter post_content before loading in Gutenberg editor
  47. rest_post_query on multiple post types?
  48. Wp Rest Api Custom Endpoint for page subpages
  49. Limit REST API output to current logged in user that is also author of the content
  50. WP REST API returns incorrect data?
  51. Is it posible to use wp.data.select(‘core’) outside a block?
  52. how to send Ajax request in wordpress backend
  53. Can you Use the Rest API to query a custom database table
  54. Is there anyway to format my EndPoint URL in WordPress?
  55. Return WP_Error as WP_REST_Response
  56. Why the Path is different with the one coded in rest
  57. how to avoid timeouts with remote API requests?
  58. Blocks Rest API rest_cannot_delete
  59. rest_api_init is run on every rest call to endpoint
  60. WP-REST create user with custom meta
  61. receive a custom parameter with rest api
  62. If I use WordPress REST API V2 and someone makes an app using it. Will my site count the posts views from the APP? And if not, then how?
  63. How to store and return json in a (custom) post meta field
  64. Sorry, you are not allowed to list users
  65. Get a remote post ID via API given URL
  66. Core function to check if a rest namespace exists
  67. How to change the date and time in REST API for comments?
  68. Rest API V2 custom post type. I only need the title and link
  69. Retriving all users with REST API not working
  70. Is there a way to download only the Rest API part of WordPress?
  71. Custom WP API endpoint NULL body data
  72. What is an endpoint for custom post type comments in REST API?
  73. How would I know if my system using REST api or not?
  74. How to display relations via wordpress Rest API
  75. How to verify which WordPress user requested the API in ASP .NET Core?
  76. WP Rest_API- Post request for images returns empty
  77. DELETE request using WP REST API
  78. Fetching WordPress Private Posts, Public Posts Via Default REST API Endpoint
  79. Got Blank issue for get data from /wp-json/v2/post
  80. How do i POST to WordPress rest API from the same domain?
  81. WP API file_get_contents return TTP request failed! HTTP/1.1 401 Unauthorized
  82. Not able to delete media by REST API
  83. Need to get user data via API
  84. REST API retrieving posts from www.sitename.com/category/news/ instead of just just from www.sitename.com
  85. REST API get featured image source for custom post type
  86. Custom rest API route not passing data along
  87. How to filter wp-json/wp/v2/users response on custom metas?
  88. Paid membership Pro Rest API
  89. wp_query json ouput
  90. GET request for media files in WP REST API 2 results in an empty array
  91. Fatal error: Call to undefined function register_rest_route()
  92. API wp-json/wp/v2/pages/ returns a different result if page is specified
  93. Update post / page using API + python
  94. Social login authentication via wordpress rest api
  95. Calling a Rest API with parameters on button Click
  96. WordPress json – How to use the content rendered from json
  97. Subscriber role cann’t add comment meta using REST API
  98. WordPress REST API function not calling from external site
  99. Issue with API after 6.2 update
  100. Verify user login and password over api