WordPress REST API Key Authentication Method | Secure REST API
API Key Authentication Method for WordPress REST API endpoints authentication involves the WordPress REST APIs access on validation against the API key (Bearer token). Whenever a request is made to access the REST API endpoints, authentication will be done against the key (Bearer token), and on the basis of the verification of the API key (Bearer token), the resources for that REST API endpoints request will be allowed to access. An API key is an authentication protocol designed to allow developers to generate authentication keys that could be used for resource owners, such as server-side processes, mobile phone applications, and desktop computers. This method makes sure to secure REST API. The API key can be regenerated in case it is compromised such that all the existing generated keys will expire automatically and this newly generated key will be used for WP REST API authentication. Hence, security will not be any concern. If you don’t have a secure REST API, then it’s easy for manipulators to access your system and steal your data.
This document will take you through step by step process to install and setup WordPress REST API Authentication to secure REST API in few minutes.
Download And Installation
- Log into your WordPress instance as an admin.
- Go to the WordPress Dashboard -> Plugins and click on Add New.
- Search for a WordPress REST API Authentication plugin and click on Install Now.
- Once installed click on Activate.
Use Case: Protect/secure WordPress REST API Endpoints access via Bearer key/token without involving user credentials.
1.If you want to protect your WordPress REST API Endpoints (eg. post, pages, or any other REST APIs) from unauthenticated users and you don’t want to share user’s WP login credentials or client id and client secret to authenticate the REST API, then you can use API Key authentication, which will generate a random authentication key for you. Using this key, you can authenticate any WordPress REST API on your site. WordPress REST API Key is the simplest and one of the most popular ways of securing REST API with API Key authentication method. This will make you secure REST API with API key on your website.
2.Suppose you have an Android/ iOS Blog Application and you have already posted all your blogs on WordPress. Now you can get all the posts/ blogs from the WordPress REST APIs but it is publicly accessible. So, whenever you want to protect your GET requests from public users you should use WordPress REST API Key Authentication Method so that your endpoints remain secure.
- The plugin provides 2 kinds of API keys/ security tokens that can be used to authenticate WordPress REST APIs -
I.Universal API Key - The Universal API key will be most suitable to authenticate the WP REST APIs which involve HTTP GET method and which does not require WordPress user capabilities. Please note that this key does not involve user capabilities hence can not be used to access those APIs for which WordPress expects user permissions.
Example - If you just want to use the GET APIs for fetching general WordPress posts, comments etc.
II. User-specific API Key - The user-based API will be the most suitable to authenticate the WP REST APIs which involve any of the HTTP methods like - GET, POST, PUT, DELETE and especially in those cases in which you want to perform operations that involve user capabilities.
Example - If you want to perform any operations like fetching WordPress posts based on user capabilities (their WP roles), users data or want to create new users, new posts etc.
Read Use Cases for the following Rest API Authentication Methods:
1. Setup WordPress API Authentication Plugin [Premium]
- In the plugin, go to the Configure API Authentication tab and click on API Key Authentication as the API Authentication method.
- Once you save the configuration, Under the Universal API key section you will get the option to Generate New Token, click on Generate New Key button. This key/token will expire when you generate a new key/token.
- Once you generate the API Key(token), you can use it to secure your WordPress REST API endpoints. (You can always generate the new API key and all the existing generated keys will be expired automatically). You need to pass it to the Authorization header as a bearer token while making the REST API request as shown in the step below.
- Users who have this token can access the REST API as shown below.
Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header:Authorization: Bearer <token>
Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
Header:Authorization: Bearer kGUfhhzXZuWisofgnkAsuHGDyfw7gfhg5s
Sample curl Request Format-
curl -H "Authorization:Bearer <token-value>"
-X GET http://<wp_base_url>/wp-json/wp/v2/posts
I. Authorization : The HTTP Authorization request header contains the credentials or token type and token value to authenticate a user agent with a server, usually after unsuccessful authentication the server has responded with a 401 Unauthorized status.
II. Bearer <token-value>: The Bearer <token-value> is created by the Authentication server. When a client application request the authentication server then server authenticate that token and give response to client application accordingly.
Code samples in programming languages
var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts ");
client.Timeout = -1;
var request = new RestRequest(Method.GET);
request.AddHeader("Authorization", "Bearer <token-value>");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
OkHttpClient client = new OkHttpClient().newBuilder().build();
Request request = new Request.Builder()
.url("http://<wp_base_url>/wp-json/wp/v2/posts ")
.method("GET", null)
.addHeader = ("Authorization", "Bearer <token-value>")
.build();
Response responseclient.newCall(request).execute();
var settings = {
"url": "http://<wp_base_url>/wp-json/wp/v2/posts ",
"method": "GET",
"timeout": 0,
"headers": {
"Authorization": "Bearer <token-value >"
},
};
$.ajax(settings).done(function (response) {
console.log(response);
});
<?php
$curl = curl_init();
curl_setopt_array($curl, array
(
CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/wp/v2/posts',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'GET',
CURLOPT_HTTPHEADER => array(
'Authorization: Bearer <token-value>'
),
));
$response = curl_exec($curl);
curl_close($curl);
echo $response;
import http.client
conn = http.client.HTTPSConnection("<wp_base_url>")
payload= "
headers = {
'Authorization': 'Bearer <token-value>'
}
conn.request("GET", "/wp-json/wp/v2/posts ", payload, headers)
res= conn.getresponse()
data = res.read()
print (data.decode("utf-8"))
Postman Samples:
- Download the POSTMAN collection export from here.
- Import the downloaded JSON file into the Postman Application as shown below.
- Once you import the JSON file, click on the REST API request under the Collections as shown in the last figure. Now replace the <wp_base_url> with your Wordpress domain in the http://<wp_base_url>/wp-json/wp/v2/posts and replace the API <token-value> in the header with the token value as generated in the plugin.
- Example:
Follow the steps below to make REST API request using Postman:
Feature Description
- First, go to the plugin ‘Advanced Settings’ tab.
- Then, in the Role based Restriction section, all the roles by default will be allowed to access the APIs. You can enable the checkbox of the roles for which you want to restrict access.
- In the above screenshot, the subscriber role checkbox is enabled. So whenever an API request is made by the user with his role as subscriber then that user won’t be allowed to access the requested resource.
- First, go to the plugin ‘Advanced Settings’ tab.
- Then in the ‘Custom Header’ section, you can edit the textbox to enter the custom name you want.
- First, go to the plugin ‘Advanced Settings’ tab.
- Then in the ‘Exclude REST APIs’, you can enter your APIs in the prescribed format which needs to be whitelisted for public access.
-
Example: Suppose if you want to exclude the REST API ‘
/wp-json/wp/v2/posts’ then you have to enter ‘/wp/v2/posts’ in the textbox. - This feature is available within the API key method in which the tokens can be generated in accordance with the user information rather than a randomly generated token which is a universal key.
- With the Universal API key/token, the user can not have permission to certain WordPress REST APIs with request method as POST,PUT,DELETE like creating users, posts, pages etc, in which a particular user permissions/role is required to perform operations via use of the REST API request as the universal key is randomly generated and does not contain the user based description.
- So this User based API key/token feature allows the user to access the REST APIs with request method as POST,PUT,DELETE in WordPress which requires user credentials or certain roles to perform the operation such that the when the WordPress REST API request is made with the user-based key then the role of the user is obtained and he will be allowed to access the API only if he has permission to do so.
- For Example: Only users with administrator and editor roles have permissions to create/edit/delete a post.
- So, if a request is made to this API to create/delete/edit the post, the API response will result in “You are not allowed to perform this operation”.
- Now, if a request is made with the user-based token generated for the user that has administrator or editor role then only they have access to this API and are able to perform the operation(create/update/delete) via the API call.
- Select the user from the dropdown and click on the Create API Key button.
- A pop up will appear on the screen, you just need to click on the OK button to copy the token.
- Now this token can be used with the API request just like the universal key is used to make the API request.
1. Role Based REST API restriction:
This feature allows restricting the REST API access based on the user roles. You can whitelist the roles for which you want to allow access to the requested resource for the REST APIs. So whenever a REST API request is made by a user, his role will be fetched and only allowed to access the resource if his role is whitelisted.
How to configure it?
Note: The Role based restriction feature is valid for Basic authentication(Username: password), JWT method, OAuth 2.0 (Password grant), and API Key Auth(User specific API key).
2. Custom Header
This feature provides an option to choose a custom header rather than the default ‘Authorization’ header.
It will increase the security as you have the header named with your ‘custom name’, so if someone makes the REST API request with a header as ‘Authorization’ then he won’t be able to access the APIs.
How to configure it?
3. Exclude REST APIs
This feature allows you to whitelist your REST APIs so these can be accessed directly without any authentication. Hence all these whitelisted REST APIs are publicly available.
How to configure it?
4. Create User Specific API key/tokens
How to use this feature:
Congratulations! You have successfully configured the WordPress REST API Key Authentication using this guide. Now, your WordPress REST API endpoints are secure and data is protected from unauthorized access.
Need Help?
Mail us on apisupport@xecurify.com for quick guidance (via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
Need Help? We are right here!
