How to Authenticate with REST API in WordPress: Simple Guide
To authenticate with the WordPress REST API, use Basic Authentication with application passwords, Cookie Authentication for logged-in users, or OAuth plugins for advanced needs. Application passwords are easiest for external apps, while cookie auth works well inside WordPress themes or plugins.
Syntax
Authentication with the WordPress REST API typically involves sending credentials in the request headers or cookies. Here are common methods:
- Basic Authentication: Send username and application password encoded in the Authorization header.
- Cookie Authentication: Use WordPress login cookies automatically sent by the browser for logged-in users.
- OAuth Authentication: Use OAuth tokens via plugins for secure third-party access.
Basic Authentication header format:
```http
Authorization: Basic base64_encode('username:application_password')
```
Example
This example shows how to authenticate using Basic Authentication with an application password to get the current user's info from the REST API.
```javascript
const username = 'your_username';
const appPassword = 'your_application_password';

// Basic auth value is base64("username:application_password")
const credentials = btoa(`${username}:${appPassword}`);

fetch('https://yourwordpresssite.com/wp-json/wp/v2/users/me', {
  headers: {
    'Authorization': `Basic ${credentials}`
  }
})
  .then(response => {
    // Any non-2xx status is treated as a failed authentication here
    if (!response.ok) throw new Error('Authentication failed');
    return response.json();
  })
  .then(data => console.log('User info:', data))
  .catch(error => console.error('Error:', error.message));
```
Output
User info: { id: 1, name: "Admin", ... }
Common Pitfalls
- Not enabling application passwords or Basic Auth plugin on your WordPress site.
- Using your plain account password instead of an application password; application passwords are safer and recommended.
- Forgetting to use HTTPS, which is required to keep credentials secure.
- Trying to authenticate with REST API endpoints that require higher permissions without proper user roles.
- Not sending the Authorization header correctly formatted.
```javascript
/* Wrong way: sending plain password without encoding */
fetch('https://yourwordpresssite.com/wp-json/wp/v2/users/me', {
  headers: {
    'Authorization': 'Basic your_username:your_password'
  }
});

/* Right way: encode username and application password in base64 */
const credentials = btoa('your_username:your_application_password');
fetch('https://yourwordpresssite.com/wp-json/wp/v2/users/me', {
  headers: {
    'Authorization': `Basic ${credentials}`
  }
});
```
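The pitfalls above can be checked in code before a request leaves the client. The following is an added example, not part of the original guide and not a WordPress API: the function names are illustrative, and it assumes a runtime with global fetch, btoa and TextEncoder (current browsers or Node 18+).

```javascript
// Added example; function names are illustrative, not a WordPress API.

// Base64-encode the UTF-8 bytes of a string. Plain btoa() throws on
// characters outside Latin-1, which breaks non-ASCII usernames.
function toBase64Utf8(text) {
  let binary = '';
  for (const byte of new TextEncoder().encode(text)) {
    binary += String.fromCharCode(byte);
  }
  return btoa(binary);
}

function buildBasicAuthHeader(username, appPassword) {
  if (!username || !appPassword) {
    throw new Error('Username and application password are required');
  }
  // The first ":" splits user from password, so the username cannot contain one.
  if (username.includes(':')) throw new Error('Username must not contain ":"');
  return `Basic ${toBase64Utf8(`${username}:${appPassword}`)}`;
}

// Build the /users/me request, refusing to attach credentials to non-HTTPS URLs.
function buildRequest(siteUrl, username, appPassword) {
  const url = new URL(siteUrl.replace(/\/+$/, '') + '/wp-json/wp/v2/users/me');
  if (url.protocol !== 'https:') {
    throw new Error(`Refusing to send credentials over ${url.protocol}//`);
  }
  return { url: url.href, headers: { Authorization: buildBasicAuthHeader(username, appPassword) } };
}

// Map the two failure statuses to the pitfall they usually indicate.
function explainStatus(status) {
  if (status === 401) return 'not authenticated: check the header format and the application password';
  if (status === 403) return 'authenticated, but the user role lacks permission for this endpoint';
  return status >= 200 && status < 300 ? 'ok' : `unexpected status ${status}`;
}

async function getCurrentUser(siteUrl, username, appPassword) {
  const { url, headers } = buildRequest(siteUrl, username, appPassword);
  const response = await fetch(url, { headers });
  if (!response.ok) throw new Error(explainStatus(response.status));
  return response.json();
}
```

Call getCurrentUser from server-side code with the credentials read from environment variables or a secret store; an application password embedded in JavaScript delivered to browsers is readable by every visitor.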
Quick Reference
- Basic Auth: Use application passwords, send Authorization: Basic base64(username:password).
- Cookie Auth: For logged-in users, browser sends cookies automatically.
- OAuth: Use plugins for token-based authentication.
- Always use HTTPS to protect credentials.
Key Takeaways
Use application passwords with Basic Authentication for easy and secure REST API access.
Cookie Authentication works only for logged-in users within WordPress context.
Always send authentication headers correctly and use HTTPS to protect credentials.
Enable necessary plugins or WordPress features to support your chosen authentication method.
Check user roles and permissions to avoid authorization errors.