WordPress REST API, Expired Nonce from Cache results in 403 forbidden

Based on the authentication documentation here – a nonce key needs to be passed with each request.

So if the nonce key is being cached on the frontend beyond its lifespan, you will need to hook into the API request before the authentication step and replace the cached nonce key with a valid one.

WordPress provides a rest_send_nocache_headers filter for us to hook into (See here). This lets us perform an action before the authentication.

$send_no_cache_headers = apply_filters('rest_send_nocache_headers', is_user_logged_in());
if (!$send_no_cache_headers && !is_admin() && $_SERVER['REQUEST_METHOD'] == 'GET') {
    $nonce = wp_create_nonce('wp_rest');
    $_SERVER['HTTP_X_WP_NONCE'] = $nonce;
}

In the above example, we hook into the filter passing the is_user_logged_in() function as the parameter. This will return true or false.

Then in our query, if the user is not logged in, they are not in the admin and, this is a GET request we proceed with switching the invalid nonce key with a valid one.

Related Posts:

  1. Full page NGINX (or Cloudflare) caching and WordPress nonces
  2. Rest API nonce is being cached
  3. WP REST API: check if user is logged in
  4. Can’t GET draft posts via REST API from headless frontend
  5. Passing a borrowed nonce through Postman fails
  6. permission_callback has no effect
  7. WP REST API – Nonce passes wp_verify_nonce even after logout
  8. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  9. Backbone with custom rest endpoints
  10. Log in user using WordPress REST API
  11. wp_nonce vs jwt
  12. Register rest field authentication with REST API
  13. How to cache WordPress oembed links in the page header?
  14. Does something like is_rest() exist
  15. WP REST API — How to change HTTP Response status code?
  16. wp_get_current_user() function not working in Rest API callback function
  17. WP REST API Is it rather easy to rename the default wp-json uri part?
  18. Search WP API using the post title
  19. Understanding SHORTINIT with WordPress 5
  20. How do I create a user using the new JSON api in 4.7?
  21. wordpress wp-json prefix issue
  22. Is it possible to nest the JSON result of WordPress REST API?
  23. Reduce nonce lifespan
  24. Filter post_content before loading in Gutenberg editor
  25. rest_post_query on multiple post types?
  26. Wp Rest Api Custom Endpoint for page subpages
  27. WP REST API returns incorrect data?
  28. WordPress Rest API response
  29. WP 5.5 Fatal Error – get_rest_controller() in rest-api.php
  30. REST API GET users
  31. Display post title from WordPress excluding a string via API
  32. How send get request to external api with username and password
  33. WP_REMOTE_POST Requests are being blocked by API provider [closed]
  34. wp_get_object_terms() returns invalid taxonomy inside rest_api_init hook
  35. Authenticating with REST API
  36. Make authorization mandatory on custom routes
  37. WP Rest API – How to convert embedded to json object in Java [closed]
  38. Why the Path is different with the one coded in rest
  39. WP REST API plugin 500 errors?
  40. How to receive data by http POST request
  41. WP API querying a custom post type and a custom field
  42. Custom endpoint to get all custom taxonomy terms
  43. how to avoid timeouts with remote API requests?
  44. rest_api_init is run on every rest call to endpoint
  45. Are nonces in WP REST API optional by default?
  46. WP-REST create user with custom meta
  47. receive a custom parameter with rest api
  48. If I use WordPress REST API V2 and someone makes an app using it. Will my site count the posts views from the APP? And if not, then how?
  49. How to store and return json in a (custom) post meta field
  50. Sorry, you are not allowed to list users
  51. Get a remote post ID via API given URL
  52. Core function to check if a rest namespace exists
  53. Cache plugins and ajax nonce verification
  54. How to change the date and time in REST API for comments?
  55. Rest API V2 custom post type. I only need the title and link
  56. Retriving all users with REST API not working
  57. Is there a way to download only the Rest API part of WordPress?
  58. Register GET REST API route with multiple parameters
  59. Custom WP API endpoint NULL body data
  60. WordPress HTTP API NTLM Authentication
  61. What is an endpoint for custom post type comments in REST API?
  62. How To Bulk Import wp_postmeta records in an API call?
  63. How would I know if my system using REST api or not?
  64. Authenticate rest API except for contact-form-7
  65. How to access wordpress menu & submenu item through the REST API?
  66. How to display relations via wordpress Rest API
  67. How to verify which WordPress user requested the API in ASP .NET Core?
  68. WP Rest_API- Post request for images returns empty
  69. WordPress API fields modification
  70. DELETE request using WP REST API
  71. Fetching WordPress Private Posts, Public Posts Via Default REST API Endpoint
  72. How to deliver webp format of images to WP REST API
  73. WP Rest API in Android studio does not show Images
  74. Got Blank issue for get data from /wp-json/v2/post
  75. How do i POST to WordPress rest API from the same domain?
  76. WP API file_get_contents return TTP request failed! HTTP/1.1 401 Unauthorized
  77. Not able to delete media by REST API
  78. Update membership level via API request if using simple membership plugin
  79. Need to get user data via API
  80. REST API retrieving posts from www.sitename.com/category/news/ instead of just just from www.sitename.com
  81. REST API get featured image source for custom post type
  82. Custom rest API route not passing data along
  83. How to filter wp-json/wp/v2/users response on custom metas?
  84. Paid membership Pro Rest API
  85. Trouble Commenting via the WP REST API using nonces
  86. wp_query json ouput
  87. GET request for media files in WP REST API 2 results in an empty array
  88. Fatal error: Call to undefined function register_rest_route()
  89. Create a new page on front page for logged in user
  90. API wp-json/wp/v2/pages/ returns a different result if page is specified
  91. Getting current core version from an WordPress installation
  92. How to block external access to register_rest_route callback?
  93. Filter output of posts (Rest API)
  94. Does WP REST API cache internally executed (rest_do_request) requests?
  95. WordPress Application Passwords not authorizing
  96. WordPress custom endpoint returns Security violated
  97. custom REST endpoints and application passwords
  98. Hide custom posts from certain taxonomy in rest api
  99. Why are the most recent posts not appearing in a fetch request, unless I’m logged in?
  100. Creating Application Password using REST API results in 401 regardless of JWT token