WordPress REST API, Expired Nonce from Cache results in 403 forbidden

Based on the authentication documentation here – a nonce key needs to be passed with each request.

So if the nonce key is being cached on the frontend beyond its lifespan, you will need to hook into the API request before the authentication step and replace the cached nonce key with a valid one.

WordPress provides a rest_send_nocache_headers filter for us to hook into (See here). This lets us perform an action before the authentication.

add_filter('rest_send_nocache_headers', function ($send_no_cache_headers) {
    // $send_no_cache_headers is the result of is_user_logged_in().
    // Only logged-out, non-admin GET requests can be carrying a stale cached nonce.
    if (!$send_no_cache_headers && !is_admin() && $_SERVER['REQUEST_METHOD'] === 'GET') {
        $nonce = wp_create_nonce('wp_rest');
        $_SERVER['HTTP_X_WP_NONCE'] = $nonce;
    }
    // Return the value unchanged so core still decides whether to send no-cache headers.
    return $send_no_cache_headers;
});

In the above example, we hook into the filter with add_filter(). WordPress passes the result of is_user_logged_in() to our callback, so the parameter is true for an authenticated user and false otherwise, and the callback must return it so core can still apply its no-cache headers.

Then in our callback, if the user is not logged in, the request is not in the admin, and this is a GET request, we replace the invalid nonce key with a valid one before the authentication check runs.
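As an added example (not code from the original post), the variant below only swaps the nonce when the one supplied actually fails wp_verify_nonce(), and it also covers the _wpnonce query parameter, which the REST cookie check reads before the X-WP-Nonce header. The mu-plugin file name is a placeholder.

```php
<?php
/**
 * Placeholder mu-plugin path: wp-content/mu-plugins/refresh-stale-rest-nonce.php
 * Replaces an expired 'wp_rest' nonce on unauthenticated GET requests only.
 */
add_filter('rest_send_nocache_headers', function ($send_no_cache_headers) {
    // $send_no_cache_headers is is_user_logged_in(). Leave authenticated requests alone:
    // a logged-in user's stale nonce should still fail with 403 rather than be repaired.
    if ($send_no_cache_headers || is_admin() || $_SERVER['REQUEST_METHOD'] !== 'GET') {
        return $send_no_cache_headers;
    }

    // rest_cookie_check_errors() reads _wpnonce first, then the X-WP-Nonce header.
    $supplied = null;
    if (isset($_REQUEST['_wpnonce'])) {
        $supplied = (string) $_REQUEST['_wpnonce'];
    } elseif (isset($_SERVER['HTTP_X_WP_NONCE'])) {
        $supplied = (string) $_SERVER['HTTP_X_WP_NONCE'];
    }

    // No nonce at all is fine: the request is simply treated as unauthenticated.
    if ($supplied === null) {
        return $send_no_cache_headers;
    }

    // wp_verify_nonce() returns 1 or 2 while the nonce is valid and false once it expired
    // (or was minted for a different user, e.g. a logged-in editor whose page got cached).
    if (wp_verify_nonce($supplied, 'wp_rest') === false) {
        $fresh = wp_create_nonce('wp_rest');
        if (isset($_REQUEST['_wpnonce'])) {
            $_REQUEST['_wpnonce'] = $fresh;
            $_GET['_wpnonce']     = $fresh;
        }
        $_SERVER['HTTP_X_WP_NONCE'] = $fresh;
        // Keep a trace so stale caches show up in the logs instead of as silent 403s.
        error_log('Replaced expired wp_rest nonce on anonymous GET ' . $_SERVER['REQUEST_URI']);
    }

    return $send_no_cache_headers;
});
```

Because the swap is limited to logged-out GET requests, it never upgrades a request's privileges; it only stops anonymous visitors from being rejected for a nonce a cached page handed them.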
