
Authentication for API in WordPress - Mini Project: Build & Apply

Authentication for API in WordPress
📖 Scenario: You are building a WordPress site that offers a custom API endpoint. To protect this API, you need to add authentication so only authorized users can access it.
🎯 Goal: Build a simple authentication mechanism for a WordPress REST API endpoint using a custom API key.
📋 What You'll Learn
Create a PHP array to store valid API keys
Add a variable to hold the current request's API key
Write a function to check if the API key is valid
Register a REST API route that uses the authentication function
💡 Why This Matters
🌍 Real World
Many WordPress sites offer custom APIs for mobile apps or integrations. Securing these APIs with authentication prevents unauthorized access and protects data.
💼 Career
Understanding how to add authentication to WordPress REST APIs is important for backend developers, WordPress plugin developers, and anyone building secure web services.
1. DATA SETUP: Create API keys array
Create a PHP array called $valid_api_keys with these exact string values: 'key123', 'key456', and 'key789'.
Hint: Use a PHP array with the exact variable name $valid_api_keys and the exact keys listed.

2. CONFIGURATION: Get API key from request headers
Add a variable called $api_key that gets the value of the 'X-API-KEY' header from the current request using getallheaders().
Hint: Use getallheaders() to get headers, then access 'X-API-KEY' safely with the null coalescing operator.

3. CORE LOGIC: Create authentication check function
Write a function called is_api_key_valid that takes $key as a parameter and returns true if $key is in the $valid_api_keys array, otherwise false.
Hint: Use in_array with strict checking to verify the key is valid.

4. COMPLETION: Register REST API route with authentication
Use register_rest_route to create a route '/custom/v1/data' that accepts GET requests. Add a permission_callback that calls is_api_key_valid($api_key) to allow access only if the API key is valid.
Hint: Use add_action('rest_api_init', ...) to register the route and add the permission callback that calls is_api_key_valid.
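
The four steps combined into one plugin file, as an added example that is not the tutorial's own solution code. It departs from the step text in two labelled places: the header is read from the WP_REST_Request object inside the permission callback instead of getallheaders() at load time (the array keys returned by getallheaders() vary in casing between server setups, so an exact 'X-API-KEY' lookup can miss), and the comparison uses hash_equals() instead of in_array(). The response body is a placeholder, and the keys are the tutorial's practice values, not real secrets.

```php
<?php
// Step 1: allow-list of API keys (practice values from the tutorial).
// Plugin files can be included from inside a function (for example during
// activation), so declare the variable global before assigning it.
global $valid_api_keys;
$valid_api_keys = array( 'key123', 'key456', 'key789' );

// Step 3: validity check. Without `global`, $valid_api_keys would be
// undefined inside the function and every key would be rejected.
function is_api_key_valid( $key ) {
    global $valid_api_keys;
    if ( ! is_string( $key ) || '' === $key ) {
        return false; // header missing or empty
    }
    $match = false;
    foreach ( $valid_api_keys as $known ) {
        // Deviation from the hint: hash_equals() compares in constant time,
        // and the loop does not exit early on a match.
        if ( hash_equals( $known, $key ) ) {
            $match = true;
        }
    }
    return $match;
}

// Step 4: register GET /wp-json/custom/v1/data behind the key check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'custom/v1', '/data', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            // Placeholder payload (assumption; the tutorial does not define one).
            return rest_ensure_response( array( 'status' => 'ok' ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Step 2, deviation: get_header() is case-insensitive and is
            // evaluated per request, not once when the file is loaded.
            $api_key = $request->get_header( 'X-API-KEY' );
            if ( is_api_key_valid( $api_key ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'Invalid or missing API key.',
                array( 'status' => 401 )
            );
        },
    ) );
} );
```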