Search Results :
×This method of WordPress REST API endpoints authentication involves the WordPress REST APIs access on validation against the API token generated based on the user’s username, password or on the basis of client credentials. Each time a request to access the WordPress REST API endpoint will be made, the authentication will be done against that token, and on the basis of the verification of the API token, the resources for that API request will be allowed to access. The token will be encrypted hence the security is not compromised.
1. By User credentials:
Suppose you have one Android/IOS Blog Application and you have given capabilities to your users to post their personal feeds or blogs using mobile applications. In this case, your mobile application requests should be authenticated. WordPress Basic Authentication REST API with username and password method is appropriate for this situation where your user credentials will be in the Authorization Header. The user session will be created and on the basis of that user WordPress capabilities, he/she will be allowed to access the REST API content or perform the desired operations. WordPress Basic Authentication with username and password is the most common authentication method and this method will be helpful in case you want to perform WordPress operations via REST APIs which involve user permissions or capabilities.
2. By Client credentials:
Suppose you have one Android/IOS Blog Application and you want to access the WordPress content using its REST API endpoints but do not want to involve the WP user credentials as it may have a chance for exposing and allowing the intruder to access the WP site using those credentials. In that case, you should use WordPress Basic Authentication with a client ID and client secret where your WP user credentials are also safe, and at each request, you just need to pass the Client ID and Client Secret provided by the plugin. Hence security is not a concern. The Client ID and Secret are in fact passed in encrypted format in the Basic Authorization header of each API request, these are validated and on successful validation WP API Basic Auth will allow these APIs to access.
REST API Basic Auth using UserName & Password :
REST API Basic Auth using Client ID and Client Secret :
Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Basic base64encoded <client-id:client-secret>
Sample Request Format-
Example => Client ID : pSYQsKqTndNVpNKcnoZd and Client Secret : SrYPTViHdCbvkWyTfWrSltavTMeJjaOHCye
Sample curl Request Format-
curl -H "Authorization:Basic base64encoded <clientid:clientsecret>"
-X POST http://<wp_base_url>/wp-json/wp/v2/users
-d"username=test&email=test@test.com&password=test&name=test"
base64_encode(‘pSYQsKqTndNVpNKcnoZd:SrYPTViHdCbvkWyTfWrSltavTMeJjaOHCye’) will results into
‘cFNZUXNLcV RuZE5WcE5LY25vWmQ6U3JZUFRWaUhkQ2J2a1d5VGZXclNsdGF2VE1lSmphT0hDeWU=’ as output.
Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization :Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw==
REST API Basic Auth using UserName & Password :
Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Basic base64encoded <username:password>
Sample Request Format-
Example => username : testuser and password : password@123
Sample curl Request Format-
curl -H "Authorization:Basic base64encoded <username:password>"
-X POST http://<wp_base_url>/wp-json/wp/v2/posts -d "title=sample post&status=publish"
base64_encode(‘testuser:password@123’) will results into ‘eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RV FNLZw==’ as output.
Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization : Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw==
var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts ");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AlwaysMultipartFormData = true;
request.AddParameter("title", "Sample Post");
request.AddParameter("status", "publish");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
OkHttpClient client = new OkHttpClient().newBuilder().build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
.addFormDataPart("title","Sample Post")
.addFormDataPart("status", "publish")
.build();
Request request = new Request.Builder()
.url("http://<wp_base_url>/wp-json/wp/v2/posts ")
.method("POST", body)
.build();
Response responseclient.newCall(request).execute();
var form = new FormData();
form.append("title","Sample Post");
form.append("status", "publish");
var settings = {
"url": "http://<wp_base_url>/wp-json/wp/v2/posts ",
"method": "POST",
"timeout": 0,
"processData": false,
"mimeType": "multipart/form-data",
"contentType": false,
"data": form
};
$.ajax(settings).done(function (response) {
console.log(response);
});
<?php
$curl = curl_init();
curl_setopt_array($curl, array
(
CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/wp/v2/posts%20',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => array('title' => 'Sample Post','status' => 'publish'),
));
$response = curl_exec($curl);
curl_close($curl);
echo $response;
import http.client
import mimetypes
from codecs import encode
conn = http.client.HTTPSConnection("<wp_base_url>")
dataList= []
boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=title;'))
dataList.append(encode('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("Sample Post"))
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=status;'))
dataList.append('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("publish"))
dataList.append(encode('--'+boundary+'--'))
dataList.append(encode(''))
body = b'\r\n'.join(dataList)
payload= body
headers = {
'Content-type': 'multipart/form-data; boundary={}'.format(boundary)
}
conn.request("POST", "/wp-json/wp/v2/posts ", payload, headers)
res= conn.getresponse()
data = res.read()
print (data.decode("utf-8"))
var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts ");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "Basic base64encoded < clientid:clientsecret > ");
request.AlwaysMultipartFormData = true;
request.AddParameter("username", "test");
request.AddParameter("email", "test@test.com");
request.AddParameter("password", "test");
request.AddParameter("name", "test");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
OkHttpClient client = new OkHttpClient().newBuilder().build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
.addFormDataPart("username","test")
.addFormDataPart("email","test@test.com")
.addFormDataPart("password","test")
.addFormDataPart("name","test")
.build();
Request request = new Request.Builder()
.url("http://<wp_base_url>/wp-json/wp/v2/posts ")
.method("POST", body)
.addHeader ("Authorization", "Basic base64encoded < clientid:clientsecret > ")
.build();
Response responseclient.newCall(request).execute();
var form = new FormData();
form.append("username", "test");
form.append("email", "test@test.com");
form.append("password", "test");
form.append("name", "test");
var settings = {
"url": "http://<wp_base_url>/wp-json/wp/v2/posts ",
"method": "POST",
"timeout": 0,
"headers": {
"Authorization": "Basic base64encoded < clientid:clientsecret > "
},
"processData": false,
"mimeType": "multipart/form-data",
"contentType": false,
"data": form
};
$.ajax(settings).done(function (response) {
console.log(response);
});
<?php
$curl = curl_init();
curl_setopt_array($curl, array
(
CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/wp/v2/users',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => array('username' => 'test','email' => 'test@test.com','password' => 'test','name' => 'test'),
CURLOPT_HTTPHEADER => array(
'Authorization: Basic base64encoded < clientid:clientsecret > '
),
))
$response = curl_exec($curl);
curl_close($curl);
echo $response;
import http.client
import mimetypes
from codecs import encode
conn = http.client.HTTPSConnection("<wp_base_url>")
dataList= []
boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=username;'))
dataList.append(encode('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("test"))
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=email;'))
dataList.append('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("test@test.com"))
dataList.append(encode('--'+ boundary))
dataList.append(encode('Content-Disposition: form-data; name=password;'))
dataList.append(encode('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("test"))
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=name;'))
dataList.append(encode('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("test"))
dataList.append(encode('--'+boundary+'--'))
dataList.append(encode(''))
body = b'\r\n'.join(dataList)
payload= body
headers = {
'Authorization': 'Basic base64encoded < clientid:clientsecret > ',
'Content-type': 'multipart/form-data; boundary={}'.format(boundary)
}
conn.request("POST", "/wp-json/wp/v2/posts ", payload, headers)
res= conn.getresponse()
data = res.read()
print (data.decode("utf-8"))
Follow the steps below to make REST API request using Postman:
a) For Username-Password
Example:
For Username: testuser and password: password@123 the base64 encoded value will be ‘dGVzdHVzZXI6cGFzc3dvcmRAMTIz’
b) For Client ID and Client Secret
This feature allows restricting the REST API access based on the user roles. You can whitelist the roles for which you want to allow access to the requested resource for the REST APIs. So whenever a REST API request is made by a user, his role will be fetched and only allowed to access the resource if his role is whitelisted.
How to configure it?
Note: The Role based restriction feature is valid for Basic authentication(Username: password), JWT method, and OAuth 2.0 (Password grant).
This feature provides an option to choose a custom header rather than the default ‘Authorization’ header.
It will increase the security as you have the header named with your ‘custom name’, so if someone makes the REST API request with a header as ‘Authorization’ then he won’t be able to access the APIs.
How to configure it?
This feature allows you to whitelist your REST APIs so these can be accessed directly without any authentication. Hence all these whitelisted REST APIs are publicly available.
How to configure it?
This feature is available with the Basic Authentication method in which by default the token is encrypted using Base64 encoding technique but with the advanced feature, the token can be encrypted with highly secure HMAC encryption which is
very secure.
Mail us on oauthsupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
Need Help? We are right here!
Thanks for your inquiry.
If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com
This privacy statement applies to miniorange websites describing how we handle the personal information. When you visit any website, it may store or retrieve the information on your browser, mostly in the form of the cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not directly identify you, but it can give you a more personalized web experience. Click on the category headings to check how we handle the cookies. For the privacy statement of our solutions you can refer to the privacy policy.
Necessary cookies help make a website fully usable by enabling the basic functions like site navigation, logging in, filling forms, etc. The cookies used for the functionality do not store any personal identifiable information. However, some parts of the website will not work properly without the cookies.
These cookies only collect aggregated information about the traffic of the website including - visitors, sources, page clicks and views, etc. This allows us to know more about our most and least popular pages along with users' interaction on the actionable elements and hence letting us improve the performance of our website as well as our services.