WordPress is creating nonce as a logged in user but verifying it incorrectly

This is happening because a separate nonce with the action wp_rest is not being sent by the server to the client and received back from the client in an HTTP request header called X-WP-Nonce with every REST request.

To get this working, you will have to generate a nonce like this:

wp_create_nonce('wp_rest')

…and provide it to the client making the rest call. Once your client has the nonce value, you need to add it to every REST request e.g.:

headers: {
    'X-WP-Nonce': nonce,
}

Creating the nonce on the server and accessing it on the client can be done several ways. Using wp_localize_script() is the most common and probably best practice for WordPress. wp_localize_script() addds a global variable to the client for a script to access. See https://developer.wordpress.org/reference/functions/wp_localize_script/.

Related Posts:

  1. AJAX call not initializing for non-admins in WordPress
  2. How to get a unique nonce for each Ajax request?
  3. Nonces and Cache
  4. Stop admin-ajax?
  5. Is it safe to assume that a nonce may be validated more than once?
  6. Multiple ajax nonce requests
  7. AJAX request on the frontend always returns 0 if user is not admin
  8. Using Nonces for AJAX that only retrieves data
  9. How to verify nonce from Bulk/Quick Edit in save_post?
  10. How can I get logged in user’s session data from admin-ajax?
  11. How to add WordPress nonces to ajax request
  12. Nonces and Ajax request to REST API and verification
  13. Ajax function returns -1
  14. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  15. wp_verify_nonce always returns false when logged in as admin
  16. ajax and nonce when JavaScript is in a seperate file
  17. wp_verify_nonce doesn’t return true on server when it matches the nonce
  18. How to allow to user non logged in WP system upload in media library?
  19. AJAX requests broken due to HTTPS for wp-admin
  20. Check if username exist with AJAX
  21. Nonces, AJAX, script variables & security in WordPress
  22. Why does WordPress Heartbeat login not refresh the nonces?
  23. wp-admin AJAX with Fetch API is done without user
  24. How do I check if AJAX nonces are implemented correctly?
  25. How to check an ajax nonce in PHP
  26. Can a wp_nonce created from domain 1 to be verified on domain 2?
  27. Force redirect not logged in user to (wp-login.php or wp-admin) for specific page
  28. how to send Ajax request in wordpress backend
  29. Identical wp_rest nonce returned from rest_api
  30. WP Admin AJAX Security – using POST to include a relative URL
  31. wp_create_nonce() in REST API makes user->ID zero
  32. ajax nonce verification failing
  33. Plugin: AJAX query external API to sync to tables
  34. SSO autologin WordPress + Ajax
  35. Nonce fails on ajax save
  36. Ajax Request for both logged and non logged users
  37. Unable to successfully verify nonce
  38. Cache plugins and ajax nonce verification
  39. Nonce doesn’t validate in nopriv call
  40. Why does check_ajax_referer give a 403 error on https websites?
  41. javascript ajax and nonce
  42. How to check nonce lifetime value of plugins?
  43. Using nonce when loading posts with AJAX
  44. admin-ajax.php returns 0 even when the post status code is 200 OK
  45. Should wordpress nonce be placed in html form or in javascript file
  46. Add Server Side validation in Ajax mail form
  47. Can I use application/json content type in WordPress
  48. wp_verify_nonce not working on the mobile device
  49. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  50. AJAX form not working, still reloads on submit
  51. Ajax Security regarding user priviliges and nonces
  52. How to use nonces for frontend AJAX voting if the page gets cached?
  53. admin ajax is not working for non logged in users
  54. WordPress wp_localize_script nonce and ajax URL
  55. How to save dismissable notice state in WP 4.2?
  56. SSL breaks customizer: page isn’t returned from ajax
  57. wp_ajax_[service] returning 0
  58. Trying to load content of a post via AJAX
  59. Insert Post using Ajax
  60. Problems with creating sortable sections in customizer
  61. Filter WP user acf field by ajax
  62. Ajax Request not coming back to class
  63. Ajax requests with different WordPress Address and Site Address setup
  64. query vars in url work but not in ajax call
  65. is_home doesn’t affect content
  66. How to declare a JS variable in an AJAX call
  67. is_page() conditional not working inside an AJAX function
  68. jQuery Ajax passing empty parameters to my function?
  69. admin-ajax.php slow website, how to fix
  70. admin-ajax.php ” Missing argument 2″ warning
  71. Update get_pages using ajax on form select change
  72. How to create an ajax endpoint without js?
  73. Making an ajax request from a different domain
  74. Pagination Using ajax
  75. wp_ajax_ works fine but wp_ajax_nopriv_ returns HTML and not calling function
  76. Why is wp_localize_script returning false?
  77. WordPress Password security related questions
  78. Customizing Users in Admin Area
  79. WordPress – admin-ajax.php returns 502 Bad Gateway [closed]
  80. post values to custom post type which has advanced custom fields
  81. How to continuously send feedback via AJAX responses to my client?
  82. Storing temporary data for a custom post type
  83. I get a 0 after the result of my ajax requests
  84. Not getting an ajax readystatechange on my page
  85. Add ajax to plugin in admin area
  86. Search live Ajax
  87. Ajax login fails: script sets cookies, but is_user_logged_in() returns false
  88. Using wp_send_json_success instead of $result[‘message’], die, etc
  89. Ajax call on class returns old data
  90. how to enable ajax on submitting of contact form 7?
  91. delete post meta data in array WordPress
  92. Error while submitting form using AJAX and php
  93. How to fetch meta_value and meta_key in matrix after ajax request by post_id
  94. register_setting and AJAX?
  95. ajax response is 0 instead of ‘script’ [duplicate]
  96. A refreshless WordPress website
  97. Dynamic dependent select box getting null value
  98. get_template_part() does not render after the ajax request
  99. Placing ajax actions in different class
  100. How to update my jquery/PHP function to add/remove user as favorites in (WordPress) users list