Yes, the nonce is by default always being sent via the X-WP-Nonce
header – see the source here and here on GitHub.
wp.api.WPApiBaseModel.prototype.sync
and wp.api.WPApiBaseCollection.prototype.sync
can technically be extended or modified, but I would instead disable the nonce header like so, i.e. using <Collection or Model object>.endpointModel
:
-
Collection example:
const Posts = new wp.api.collections.Posts(); // Remove the nonce to disable the X-WP-Nonce header. Posts.endpointModel.set( 'nonce', '' ); //Posts.endpointModel.unset( 'nonce' ); // This also works. Posts.fetch( { data: { per_page: 2 }, } ).done( data => console.log( data ) );
-
Model example:
const Post = new wp.api.models.Post( { id: 1 } ); // Remove the nonce to disable the X-WP-Nonce header. Post.endpointModel.set( 'nonce', '' ); //Post.endpointModel.unset( 'nonce' ); // This also works. Post.fetch().done( data => console.log( data ) );