WordPress REST API Key Authentication Method



WordPress REST API key Authentication method involves the REST APIs access on validation against the API key(token). Each time a request to access the API will be made, the authentication will be done against the key(token), and on the basis of the verification of the API key(token), the resources for that API request will be allowed to access.

Download And Installation

  • Log into your WordPress instance as an admin.
  • Go to the WordPress Dashboard -> Plugins and click on Add New.
  • Search for a WordPress REST API Authentication plugin and click on Install Now.
  • Once installed click on Activate.

Use Case: Protect/secure WordPress REST API Endpoints access via Bearer key/token without involving user credentials.


    WordPress REST API Authentication key method

    1. If you want to protect your WordPress REST API Endpoints (eg. post, pages, and other REST APIs) from unauthenticated users but you don’t want to share users login credentials or client id, secret to authenticate the REST API, then you can use API Key authentication, which will generate a random authentication key for you. Using this key, you can authenticate any WordPress REST API on your site.

    2. Suppose you have one Android/IOS Blog Application and you have already posted all your blogs on WordPress. Now you can get all the posts/blogs from the WordPress REST APIs but it is publicly accessible. So, whenever you want to protect your GET requests from public users you should use API Key Authentication Method.


Related Use case: Authentication of WordPress REST API endpoints for fetching WordPress posts/pages and other data.

Step 1: Setup WordPress REST API Authentication plugin

  • Select REST API Authentication method →API Key and click on Save Configuration.
  • WordPress REST API Authentication key method
  • Once you save the configuration, under the Universal API key section you will get the option to Generate New Token. Click on Generate New Token button. This token will expire when you generate a new token.
  • Once you generate the API Key(token), you can use it to secure your WordPress REST APIs endpoints. You need to pass it to the header while making the REST API request as shown in the step below.
  • Users who have this token can access the REST API as shown below.
  • Request: GET https://<domain-name>/wp-json/wp/v2/posts
    Header: Authorization : Bearer <token> 
    Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
    Header: Authorization : Bearer kGUfhhzXZuWisofgnkAsuHGDyfw7gfhg5s
    
  • Check out the developer documentation for more details.

Postman Samples:

    Follow the steps below to make REST API request using Postman:

  • Click on the Postman Samples tab in the plugin.
  • WordPress REST API Authentication key method postman implementation
  • Download the sample request format file for Postman. A JSON file will be auto downloaded.
  • WordPress REST API Authentication key method postman JSON file
  • Import the downloaded JSON file into the Postman Application as shown below.
  • WordPress REST API Authentication key method postman import JSON file
  • Once you import the JSON file, click on the REST API request under the Collections as shown in the last figure. Now replace the <wp_base_url> with your Wordpress domain in the http://<wp_base_url>/wp-json/wp/v2/posts and replace the API <token-value> in the header with the token value as generated in the plugin.
  • WordPress REST API Authentication key method postman replace base url

Feature Description

    1. Role Based REST API restriction:

    This feature allows restricting the REST API access based on the user roles. You can whitelist the roles for which you want to allow access to the requested resource for the REST APIs. So whenever a REST API request is made by a user, his role will be fetched and only allowed to access the resource if his role is whitelisted.


    How to configure it?

    • First, go to the plugin ‘Advanced Settings’ tab.
    • Then, in the Role based Restriction section, all the roles by default will be allowed to access the APIs. You can enable the checkbox of the roles for which you want to restrict access.
    • WordPress REST API Basic Authentication method postman implementation
    • In the above screenshot, the subscriber role checkbox is enabled. So whenever an API request is made by the user with his role as subscriber then that user won’t be allowed to access the requested resource.

    Note: The Role based restriction feature is valid for Basic authentication(Username: password), JWT method, and OAuth 2.0 (Password grant).

    2. Custom Header

    This feature provides an option to choose a custom header rather than the default ‘Authorization’ header.

    It will increase the security as you have the header named with your ‘custom name’, so if someone makes the REST API request with a header as ‘Authorization’ then he won’t be able to access the APIs.


    How to configure it?

    • First, go to the plugin ‘Advanced Settings’ tab.
    • Then in the ‘Custom Header’ section, you can edit the textbox to enter the custom name you want.
    • WordPress REST API Basic Authentication method postman implementation

    3. Exclude REST APIs

    This feature allows you to whitelist your REST APIs so these can be accessed directly without any authentication. Hence all these whitelisted REST APIs are publicly available.


    How to configure it?

    • First, go to the plugin ‘Advanced Settings’ tab.
    • Then in the ‘Exclude REST APIs’, you can enter your APIs in the prescribed format which needs to be whitelisted for public access.
    • WordPress REST API Basic Authentication method postman implementation
    • Example: Suppose if you want to exclude the REST API ‘/wp-json/wp/v2/posts’ then you have to enter ‘/wp/v2/posts’ in the textbox.

    4. Custom Token Expiry

    This feature is applicable for JWT and OAuth 2.0 methods which uses time based tokens to authenticate the WordPress REST API endpoints. This feature allows you to set the custom expiry for the tokens such that the token will no longer be valid once the token expires.


    How to configure it?

    • First, go to the plugin ‘Advanced Settings’ tab.
    • Then in the ‘Token Expiry Configuration’ section, the access token validity and refresh token(used for OAuth 2.0 method) can be altered. By default the access token expiry time is set to 60 minutes and the refresh token expiry time is set to 14 days. Hence with this feature, the expiry can be adjusted accordingly as per the requirements.
    • WordPress REST API Basic Authentication method postman implementation

    Hence, with this custom token expiry feature, the security is increased furthermore.

    5. Enable Advanced Encryption for the tokens using HMAC

    This feature is available with the Basic Authentication method in which by default the token is encrypted using Base64 encoding technique but with the advanced feature, the token can be encrypted with highly secure HMAC encryption which is very secure.

    WordPress REST API Basic Authentication method postman implementation

    6. Signature Validation for JWT based tokens

    This feature allows a secure signing of the JWT signature for the JWT token such that your JWT token is much more secure and the signature can only be decoded using the client secret/certificate. It means your signature is private and can not be seen by others.

    WordPress REST API Basic Authentication method postman implementation

    We provide the support for 2 Signing algorithms: HS256 and RS256.So, any of the signing algorithms can be chosen from the dropdown as shown in the above image.

    Also, you need to add your client secret or certificate from which is used to sign the signature of the JWT.

    7. Create User Specific API key/tokens

    • This feature is available within the API key method in which the tokens can be generated in accordance with the user information rather than a randomly generated token which is a universal key.
    • With the Universal API key/token, the user can not have permission to certain WordPress REST APIs with request method as POST,PUT,DELETE like creating users, posts, pages etc, in which a particular user permissions/role is required to perform operations via use of the REST API request as the universal key is randomly generated and does not contain the user based description.
    • So this User based API key/token feature allows the user to access the REST APIs with request method as POST,PUT,DELETE in WordPress which requires user credentials or certain roles to perform the operation such that the when the WordPress REST API request is made with the user-based key then the role of the user is obtained and he will be allowed to access the API only if he has permission to do so.
    • For Example: Only users with administrator and editor roles have permissions to create/edit/delete a post.
    • So, if a request is made to this API to create/delete/edit the post, the API response will result in “You are not allowed to perform this operation”.
    • Now, if a request is made with the user-based token generated for the user that has administrator or editor role then only they have access to this API and are able to perform the operation(create/update/delete) via the API call.
    • How to use this feature:

    • Select the user from the dropdown and click on the Create API Key button.
    • WordPress REST API Basic Authentication method postman implementation
    • A pop up will appear on the screen, you just need to click on the OK button to copy the token.
    • WordPress REST API Basic Authentication method postman implementation
    • Now this token can be used with the API request just like the universal key is used to make the API request.

Need Help?

Mail us on oauthsupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.


Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com