I’ve created a reduced test case that demonstrates that what you want to do is achievable:
add_action(
'rest_api_init',
function() {
register_rest_route(
'wpse/343039',
'route',
[
'methods' => [ 'POST' ],
'permission_callback' => function( WP_REST_Request $request ) {
if ( '1' == $request->get_param( 'param' ) ) {
return true;
} else {
return false;
}
},
'callback' => function( WP_REST_Request $request ) {
return rest_ensure_response( '1' );
},
]
);
}
);
With this rest route, if I send a POST request to:
https://example.com/wp-json/wpse/343039/route
I will receive a 401
response unless I pass param
with the value of 1
in the request body:
{
"param": 1
}
It can also be passed as form data. If I do pass that parameter, then I see 1
in the response, as expected.
The proper way to return a 401
from a REST endpoint is to return false
from the permission_callback
function, and as I’ve demonstrated, you have full access to the request in the callback, so long as you accept it as an argument.