How to block external access to register_rest_route callback?

When registering a route with register_rest_route() you can provide a permission_callback which is a function that checks whether the user has permission to use the endpoint. If only Administrator users should be able to use the endpoint then you can check for the manage_options capability in the callback, like this:

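register_rest_route( 'myplugin/v1', 'update-rmp', array(
    // 'methods' and 'callback' for the endpoint go here as usual.
    // Only users with the manage_options capability (Administrators) pass this check.
    'permission_callback' => function () {
        return current_user_can( 'manage_options' );
    },
) );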

Note: Do not use wp/v2 as the namespace. That namespace is for endpoints registered by WordPress itself. Third party themes and plugins should use their own namespace.

To make your API request as a user with the required privileges, sign in as that user and go to Users > Profile and look for the Application Passwords section. Add a new application password and copy the result. You can now use this password from your application using Basic Authentication:


Just substitute USERNAME with your WordPress username, and PASSWORD with the application password.
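
The request described above, as an added example that is not part of the original answer: a shell script that calls the endpoint with curl once anonymously and once with the application password over Basic Authentication, then checks that only the second call is accepted. The SITE value, the POST method and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: confirm the route rejects anonymous callers and accepts an
# Administrator's application password. SITE and METHOD are assumptions.
ROUTE="/wp-json/myplugin/v1/update-rmp"         # namespace and route from the answer
METHOD="${METHOD:-POST}"                        # assumed; use the method your route registers
WP_USER="${WP_USER:-USERNAME}"                  # WordPress username
WP_APP_PASSWORD="${WP_APP_PASSWORD:-PASSWORD}"  # application password from Users > Profile

# Print only the HTTP status code; extra arguments are passed to curl.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -X "$METHOD" "$@" "$SITE$ROUTE"
}

# Map a status code to what the permission_callback decided.
classify_status() {
    case "$1" in
        2??) echo "allowed" ;;
        401) echo "rejected: not authenticated" ;;
        403) echo "rejected: authenticated but lacks the capability" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# check_endpoint ANON_STATUS AUTH_STATUS: succeed only if anonymous access is
# blocked and the authenticated request is allowed.
check_endpoint() {
    case "$1" in 401|403) ;; *) echo "FAIL: anonymous request got $1"; return 1 ;; esac
    case "$2" in 2??) ;; *) echo "FAIL: authenticated request got $2"; return 1 ;; esac
    echo "OK: endpoint is closed to anonymous callers"
}

# Live check, run only when SITE is set, e.g. SITE=https://example.com (placeholder).
# Use https:// so the Basic credentials are not sent in clear text.
# The authenticated request executes the endpoint's callback.
if [ -n "${SITE:-}" ]; then
    anon=$(http_status)
    auth=$(http_status --user "$WP_USER:$WP_APP_PASSWORD")
    echo "anonymous:     $anon ($(classify_status "$anon"))"
    echo "authenticated: $auth ($(classify_status "$auth"))"
    check_endpoint "$anon" "$auth"
fi
```

A 403 on the authenticated call means the credentials were accepted but the user lacks manage_options.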