WP REST API – Nonce passes wp_verify_nonce even after logout

The true reason of not using nonces for non logged in users, is that it adds a pointless burden on their usage as they need to refresh the page when the nonce expire, and the only way they will know that they need to do it is when something do not work.

There is probably no reason to avoid generating it, but if you expect that your “app” will be used/open for more then 12 hours (that is the “tick” time used to calculate wordpress nonces) then either you need to also have an automatic way to refresh the nonce (might be a good idea for logged in users as well) or avoid using it in the first place.

Related Posts:

  1. WP REST API: check if user is logged in
  2. Can’t GET draft posts via REST API from headless frontend
  3. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  4. Log in user using WordPress REST API
  5. wp_nonce vs jwt
  6. Register rest field authentication with REST API
  7. How to: Make JWT-authenticated requests to the WordPress API
  8. WordPress Rest API: How do we validate with our custom API key?
  9. WordPress REST API call generates nonce twice on every call
  10. How to Authenticate WP REST API with JWT Authentication using Fetch API
  11. authentication issue with rest api – rest_cannot_create
  12. Can I authenticate with both WooCommerce consumer key and JWT?
  13. How to login to WordPress site using basic authentication HTTP headers?
  14. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  15. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  16. Create Session with JWT
  17. Full page NGINX (or Cloudflare) caching and WordPress nonces
  18. WordPress REST API, Expired Nonce from Cache results in 403 forbidden
  19. Passing a borrowed nonce through Postman fails
  20. how to send Ajax request in wordpress backend
  21. permission_callback has no effect
  22. WP REST API GET Requests require authentication
  23. current_user_can(‘administrator’) returns false when I’m logged in
  24. Authenticating with REST API
  25. Make authorization mandatory on custom routes
  26. How to force JWT auth for default GET endpoints of WordPress rest api?
  27. REST API: best place to set current user for JWT auth?
  28. WordPress + REST API v2 and private pages Load by slug
  29. REST API authentication for a plugin
  30. PHP: authenticate for a REST request?
  31. Rest API basic auth not working
  32. Authenticate current user to REST API
  33. Getting 401 from ajax using an application password
  34. How to connect android app with WordPress website?
  35. WordPress REST API calls that depend on the WordPress User
  36. Backbone with custom rest endpoints
  37. WordPress HTTP API NTLM Authentication
  38. Advanced Access Manager: RESTful endpoint to refresh token
  39. Best Authetication between REST API and Mobile App
  40. How to verify which WordPress user requested the API in ASP .NET Core?
  41. Secure WordPress API, how?
  42. register/login api
  43. How can I secure my custom rest api endpoint or add under a already existing rest group
  44. REST API Integration without user account?
  45. WP REST API with Basic Auth at target website
  46. Cant POST with REST API on WordPress
  47. REST API – Authentication/Logon security
  48. Rest API nonce is being cached
  49. custom REST endpoints and application passwords
  50. wordpress rest api authentication failed
  51. How to add additional http header to a wp_error rest response
  52. Nonce validation in REST API
  53. Why is my custom API endpoint not working?
  54. Are there server performance benefits to fetching only specific fields when querying the REST API?
  55. How to define a query parameter with REST API?
  56. How do I correctly setup an AJAX nonce for WordPress REST API?
  57. How do I use the WP REST API plugin and the OAuth Server plugin to allow for registration and login?
  58. Hiding API routes list
  59. rest api authentication
  60. x-wp-nonce is not allowed by Access-Control-Allow-Headers in preflight response
  61. How to get around WP REST API per page limit without pagination?
  62. How to properly add custom entities in Gutenberg
  63. REST API custom endpoint without authentication for POST method?
  64. CORS & Remote access to WP via RestAPI
  65. WP API ignores filter parameter
  66. WordPress doesn’t send a notification email when submitting a comment using REST API
  67. Using WordPress RESTapi to call a php file instead of post or page
  68. WordPress REST API – Modify JSON before importing
  69. pagination in WP rest api
  70. How to use REST API to send user metadata?
  71. Custom Rest API POST endpoint with conditionally required parameters
  72. What is the meta field in the response of the user REST API?
  73. Is there any way to clear cache when making REST API request?
  74. Custom API endpoint to create gallery for post
  75. Register REST route with a multi-value parameter
  76. How do I add meta when creating a post with rest api?
  77. Change permissions on REST api?
  78. WordPress REST API V2: how to get list of all posts?
  79. How to get data from /wp-json/wp/v2/users/me
  80. WordPress REST API parameters are not affecting a response
  81. Update meta_value in wp_postmeta using API
  82. WordPress plugin with CORS
  83. “Error: cURL error 60: SSL certificate problem: certificate has expired” when create product in WooCommerce via REST API
  84. How to use WordPress REST api to login a user?
  85. Need wp rest api for featured video post
  86. REST api header link href
  87. WordPress & React Native
  88. update meta data (like view counter) by rest-api
  89. How Can I keep password protected posts in the json requests but not on frontend queries?
  90. Update post / page using API + python
  91. Social login authentication via wordpress rest api
  92. WordPress json – How to use the content rendered from json
  93. Subscriber role cann’t add comment meta using REST API
  94. WordPress REST API function not calling from external site
  95. Issue with API after 6.2 update
  96. Verify user login and password over api
  97. All wp-json routes suddenly return 404
  98. Get rendered HTML single view from post template
  99. Modify request payload for Core API requests
  100. REST API not Posting Content in Draft Mode