WP REST API Require Password for GET Endpoint

When we register a rest route with register_rest_route(), then we can use the permission_callback parameter with the kind of permission we want.

Check for example how WP_REST_Posts_Controller::register_routes() and WP_REST_Users_Controller::register_routes() implement the permission callback.

The password argument you’re referring to is the content’s password, that you can set for each post and that’s not the same.

But since you want to target existing routes, like:

/wp/v2/cards
/wp/v2/cards/(?P<id>[\d]+)
/wp/v2/cards/...possibly some other patterns...

you could try e.g. the rest_dispatch_request filter to setup your additional permission check for those kind of routes.

Here’s a demo plugin:

add_filter( 'rest_dispatch_request', function( $dispatch_result, $request, $route, $hndlr )
{
    $target_base="/wp/v2/cards";    // Edit to your needs

    $pattern1 = untrailingslashit( $target_base ); // e.g. /wp/v2/cards
    $pattern2 = trailingslashit( $target_base );   // e.g. /wp/v2/cards/

    // Target only /wp/v2/cards and /wp/v2/cards/*
    if( $pattern1 !== $route && $pattern2 !== substr( $route, 0, strlen( $pattern2 ) ) )
        return $dispatch_result;

    // Additional permission check
    if( is_user_logged_in() )  // or e.g. current_user_can( 'manage_options' )
        return $dispatch_result;

    // Target GET method
    if( WP_REST_Server::READABLE !== $request->get_method() ) 
        return $dispatch_result;

    return new \WP_Error( 
        'rest_forbidden', 
        esc_html__( 'Sorry, you are not allowed to do that.', 'wpse' ), 
        [ 'status' => 403 ] 
    );

}, 10, 4 );

where we target the /wp/v2/cards and /wp/v2/cards/* GET routes, with additional user permission checks.

When debugging it with the WordPress cookie authentication, we can e.g. test it directly with:

https://example.tld/wp-json/wp/v2/cards?_wpnonce=9467a0bf9c

where the nonce part has been generated from wp_create_nonce( 'wp_rest' );

Hope this helps!

Related Posts:

  1. How to use WP-REST API to login user and get user data for Android app?
  2. Getting user meta data from WP REST API
  3. WP REST API V2 – Retrieve sub page by full slug (URL/Path)
  4. Increase per_page limit in REST API
  5. How to use the WP REST API for new user registration (sign up form)?
  6. Can I authenticate with both WooCommerce consumer key and JWT?
  7. Can’t send emails through REST API
  8. WP REST API: check if user is logged in
  9. How to login to WordPress site using basic authentication HTTP headers?
  10. Adding post fields in wp-json/wp/v2/search
  11. Unable to get the info of the user which doesn’t have created any post via REST API
  12. WordPress Gutenberg get page template value when post updated?
  13. WP Rest API convert permalink to post ID for fetch
  14. Can’t GET draft posts via REST API from headless frontend
  15. How to update custom meta fields with rest api?
  16. Formating content rendered from wordpress REST API as JSON and not HTML
  17. apiFetch security
  18. Rest API and Custom Fields
  19. How to filter users on custom meta fields in WP JSON v2?
  20. How can I return an image from a custom REST API endpoint?
  21. WordPress REST API, Expired Nonce from Cache results in 403 forbidden
  22. WP Rest API: Get User by Email
  23. Gutenberg Custom Block Getting All Posts
  24. Check Password Strength using WordPress API
  25. Send request to WordPress REST API
  26. Request to REST endpoint works fine in browser and curl, but fails from WP_REST_Request
  27. Can we assume that /wp-json/ will always be /wp-json/ under any circumstances when creating custom REST routes?
  28. WP REST api.wordpress.org discovery
  29. Rest API in integration tests – filtering by slug not working?
  30. Passing a borrowed nonce through Postman fails
  31. How to hook into “register_rest_field” to modify the behavior of a custom field?
  32. How do you format the set_body option for WP_Rest_Request?
  33. Get all PDF files from page with WordPress API
  34. current_user_can(‘administrator’) returns false when I’m logged in
  35. How to add / embed an author into REST data from a custom post type?
  36. featured image not found in json from wp rest api
  37. How to enable the view of revisions of post in WordPress Api for custom post type?
  38. Problem on creating custom endpoints for REST
  39. New user signup via REST API
  40. is it possible to filter a rest api endpoint by using a registered rest field?
  41. Ho to style post content for WordPress API?
  42. rendering view in backbone
  43. Update a post based on results from GET request to another server
  44. WP REST API can’t set post tags
  45. Manipulating/view postmeta remotely
  46. WP API post__not_in is not working
  47. Check authentication credentials using WP REST API
  48. WordPress REST API V2: how to get list of all posts?
  49. Getting 401 from ajax using an application password
  50. How to connect android app with WordPress website?
  51. WordPress REST API calls that depend on the WordPress User
  52. Sidebar endpoint using WordPress API
  53. How to get data from /wp-json/wp/v2/users/me
  54. Get custom posts in gutenberg block
  55. WordPress REST API parameters are not affecting a response
  56. Getting 401 (access denied) when trying to use the REST API
  57. Update meta_value in wp_postmeta using API
  58. WordPress plugin with CORS
  59. WordPress REST API not working on localhost
  60. /wp-json/wp/v2/posts/?app=3 is returning random scripts tags
  61. User following system via REST API
  62. REST API – Allow /users endpoint depending on a custom capability
  63. “Error: cURL error 60: SSL certificate problem: certificate has expired” when create product in WooCommerce via REST API
  64. 403 Error When Fetching Data from the Settings Rest Route for Non-Admin Users
  65. How to use WordPress REST api to login a user?
  66. REST API post times out when content is too large
  67. Can I overwrite default WordPress Json API For no more pages text
  68. Secure WordPress API, how?
  69. Create User with Profile and Cover Images using REST API
  70. Wrong encoding of dynamic block properties problem when loggen in as editor
  71. Media gallery images url instead of ID on WP API
  72. What’s the right way to validate JSON data coming from an AJAX POST request?
  73. Remove unwanted fields from WP API response
  74. Need wp rest api for featured video post
  75. WordPress and React how to integrate? [closed]
  76. WordPress API “code”:”rest_no_route” with Custom Route
  77. WordPress Update Role using API Cross site
  78. Rest API. Post content
  79. REST api header link href
  80. Error rest_post_invalid_page_number trying to call Rest API
  81. WordPress & React Native
  82. Is it possible to combine two rest endpoints in the url?
  83. update meta data (like view counter) by rest-api
  84. Rest API hook ‘rest_insert_post’ not returning request object
  85. How Can I keep password protected posts in the json requests but not on frontend queries?
  86. How to use WordPress rest API with Angularjs 4 [closed]
  87. Retrieve posts by page in wp rest api
  88. Where is the HTML content for my post in the API
  89. How to change WordPress api v2
  90. REST API Integration without user account?
  91. WP_REST_Request::get_json_params() Parsing null as Zero
  92. WP REST API with Basic Auth at target website
  93. API request forbidden when requesting from same domain
  94. Custom WP Rest API Endpoints from JSON Schema
  95. Script tag in string in wordpress rest api body to create post
  96. Securing REST API wp-json/wp/v2/users endpoint
  97. Customizer Changeset, Sidebar and Rest API Custom Endpoints
  98. WordPress REST API won’t allow me to filter by author ID when called internally, works externally in Postman
  99. Rest API is running, but /wp-json/wp/v2/ shows only old dates
  100. Rest Api Error ‘ Error: {‘code’: ‘rest_no_route’, ‘message’: ‘No route was found matching the URL and request method.’, ‘data’: {‘status’: 404}}@ [closed]

Leave a Comment