WordPress REST API OAuth 2.0 Authentication Method

OAuth 2.0 is one of the most widely used methods for securing access to WordPress REST API endpoints. Unlike traditional methods, OAuth 2.0 allows authorization without exposing a user's email or password to external applications. This authentication flow uses the OAuth 2.0 protocol to generate a secure access token or ID token (JWT token), which is then used to authenticate all API requests. Every time a request is made to a WordPress REST API endpoint, the API verifies the Bearer token to determine whether the requested resources can be accessed. The tokens issued via OAuth 2.0 are highly encrypted and secure, ensuring that sensitive data remains protected. While similar to JWT authentication, OAuth 2.0 provides enhanced security and additional benefits, making it the preferred method for safeguarding WordPress REST API endpoints.



WordPress REST API Authentication

WordPress REST API Authentication plugin provides security from unauthorized access to your WordPress REST APIs. Our plugin provides multiple authentication methods like Basic Authentication, API Key Authentication, OAuth 2.0 Authentication, and JWT Authentication.


  • Log into your WordPress instance as an admin.
  • Go to the WordPress Dashboard → Plugins and click on Add New.
  • Search for the WordPress REST API Authentication plugin and click on Install Now.
  • Once installed click on Activate.


1. Password Grant:


How to securely register or authenticate WordPress users on external platforms via REST API?

  • If you have a login form in your application and want to authenticate users using their WordPress credentials, the OAuth 2.0 Authentication in REST API method can help you achieve that.
  • The plugin provides a WordPress login API to which you pass the user's WordPress credentials. If validation succeeds, you receive a token and a response confirming the user's access.
  • In addition, the OAuth 2.0 Authentication in REST API method can also be used to register new users in WordPress using administrator credentials. Through the plugin's OAuth 2.0 token endpoint, you can send WordPress admin credentials to generate a token with administrator capabilities.
  • This token can then be used to perform privileged operations such as user registration. Once generated, the token can be used with the WordPress /users REST API endpoint to securely register users in WordPress without exposing sensitive login information.

2. Client Credentials:


How to securely authenticate or protect WordPress REST API endpoints and register users without using admin user credentials?

  • If you want to access the WordPress REST API without sharing WordPress user credentials, or if you want to register users in WordPress securely without using admin user credentials, the Client Credentials method is the perfect solution.
  • Instead of exposing sensitive login details, you can use the client credentials provided by the plugin, ensuring there is no risk of credential compromise.
  • The plugin acts as an OAuth 2.0 Identity Provider (Server) to issue secure tokens and as a REST API authenticator to validate them.
  • Once obtained, the token can authenticate WordPress REST API endpoints, ensuring secure and reliable access.
  • The flow has two steps:
    • 1. A REST API request is made with the appropriate parameters to obtain the token from our plugin. The plugin acts as an OAuth 2.0 Identity Provider and issues the access token.

      2. The actual REST API request for the resource is made with the access token from the previous step passed in the Authorization header with token type Bearer. The plugin now acts as the authenticator and validates the token. If the token is valid, the requester is allowed to access the resource; otherwise an error response is returned.


Related Usecase:

  • How to login or register users using WordPress REST API?
  • How to authenticate WordPress users using the API?


  • Go to the Configure API Authentication tab in the plugin and select OAuth 2.0 Authentication as the method.
  • Select the OAuth 2.0 Grant Type as Password Grant.
  • Choose the Token Type as either Access Token or JWT Token. The Access Token is a random string, while the JWT Token contains encoded user details and is recommended if you need to fetch WordPress profile details later.
  • (Screenshot: WordPress REST API OAuth 2.0 Authentication method configuration)
  • Click on Save Configuration to enable OAuth 2.0 authentication and secure your WordPress REST API endpoints.
  • After saving, you will get the Client ID, Client Secret, and Token Endpoint for obtaining the security token.
  • Once setup is complete, make two API calls: first to obtain the Access/JWT token, and then to use that token to authenticate WordPress REST API requests.

    I : Get the Token

    • To get the access token/JWT token, make an API call to the OAuth 2.0 token endpoint provided by our plugin, as shown below:

        Request: POST https://<domain-name>/wp-json/api/v1/token
        Body:
        grant_type = password
        username = <wordpress username>
        password = <wordpress password>
        client_id = <client id>

        Sample curl Request Format-
        curl -d "grant_type=password&username=<wordpress_username>&password=<wordpress_password>&client_id=<client_id>" \
        -X POST https://<wp_base_url>/wp-json/api/v1/token \
        -H 'app-name:TheAppName'

    • Using Refresh Token

        Request: POST https://<domain-name>/wp-json/api/v1/token
        Body:
        grant_type = refresh_token
        refresh_token = <Refresh Token>
        client_id = <client id>
        client_secret = <client secret>

        Sample curl Request Format-
        curl -d "grant_type=refresh_token&refresh_token=<refresh_token>&client_id=<client_id>&client_secret=<client_secret>" \
        -X POST https://<wp_base_url>/wp-json/api/v1/token \
        -H 'app-name:TheAppName'


    II : Send actual WordPress REST API Request

    • Once you have the access_token / id_token (JWT token) from the OAuth 2.0 password grant flow, use it to request access to the WordPress REST API endpoints as shown below:

        Request: GET https://<domain-name>/wp-json/wp/v2/posts
        Header: Authorization: Bearer <access_token / id_token>

    • NOTE: The token above is valid for 1 hour by default. The same token can be reused for multiple REST API requests until it expires. Once the token has expired, a new token must be obtained before the WordPress REST API endpoints can be accessed again.
  • Check out the Error Response for OAuth 2.0 using Password Grant.


  • In the plugin, go to the Configure API Authentication tab and select OAuth 2.0 Authentication as the method.
  • Choose the OAuth 2.0 Grant Type as Client Credentials Grant.
  • (Screenshot: WordPress REST API OAuth 2.0 Authentication method configuration using JWT)
  • Click Save Configuration to enable the method.
  • After saving, you will get the Client ID, Client Secret, and Token Endpoint.
  • Next, make two API calls: one to obtain the token and another to use that token for authenticating WordPress REST API requests.
  • I : Get the Token

    • To get the token, send a token request to the Token Endpoint as shown below:

        Request: POST https://<domain-name>/wp-json/api/v1/token
        Body:
        grant_type = client_credentials
        client_id = <client id>
        client_secret = <client secret>

        Sample curl Request Format-
        curl -d "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>" \
        -X POST https://<wp_base_url>/wp-json/api/v1/token \
        -H 'app-name:TheAppName'

    • Using Refresh Token

        Request: POST https://<domain-name>/wp-json/api/v1/token
        Body:
        grant_type = refresh_token
        refresh_token = <Refresh Token>
        client_id = <client id>
        client_secret = <client secret>

        Sample curl Request Format-
        curl -d "grant_type=refresh_token&refresh_token=<refresh_token>&client_id=<client_id>&client_secret=<client_secret>" \
        -X POST https://<wp_base_url>/wp-json/api/v1/token \
        -H 'app-name:TheAppName'


    II : Send API Request

    • Once you have the access_token / id_token from the OAuth 2.0 client credentials grant, use it to request access to the WordPress REST API endpoint as shown below:

        Request: GET https://<domain-name>/wp-json/wp/v2/posts
        Header: Authorization: Bearer <access_token / id_token>

    • NOTE: The token above is valid for 1 hour by default. The same token can be reused for multiple REST API requests until it expires. Once the token has expired, a new token must be obtained before the WordPress REST API endpoints can be accessed again.
  • Check out the Error Response for OAuth 2.0 using Client Credentials Grant.
  • Check out the developer documentation for more details.


The OAuth 2.0 method provides you with additional security facilities, allowing you to have more control over the tokens and thereby enhancing the overall security of your WordPress website.


1. Refresh Token -



(Screenshot: WordPress REST API OAuth 2.0 Authentication Refresh Token option)

Enable the Refresh Token option to receive a refresh token along with the access token or JWT token.

Users can continue accessing the same resources without logging in again.

Refresh tokens allow issuing short-lived access tokens for better security.

When an access token expires, the refresh token securely generates a new one.


2. Revoke Token -



(Screenshot: WordPress REST API OAuth 2.0 Authentication Revoke Token option)

Enable the Revoke Token option to invalidate an existing access token or JWT token.

Once revoked, the token cannot be used to authenticate WordPress REST APIs.

The REST API first validates app credentials and checks if the token belongs to the requesting app.

If validation passes, the token is invalidated; failed validations return an error.
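The two-step flow described above (token request, then a Bearer-authenticated REST call), together with the Refresh Token and Revoke Token behaviour, as an added Python example that is not part of this page or the plugin. It assumes the token endpoint answers with the standard RFC 6749 JSON fields (access_token, expires_in, refresh_token); FakeWordPress is a constructed stand-in for the plugin so the example runs offline, and urllib_transport is the transport to use against a real site.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/wp-json/api/v1/token"
SKEW = 60  # seconds before expiry at which a cached token is treated as stale

def urllib_transport(method, url, body, headers):  # real transport: (status, bytes), no raise on 4xx/5xx
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.request.HTTPError as err:
        return err.code, err.read()

class OAuth2Client:  # client credentials grant with token caching, refresh and one retry on 401
    def __init__(self, base_url, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self.base_url, self.client_id, self.client_secret = base_url.rstrip("/"), client_id, client_secret
        self.transport, self.clock = transport, clock
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def _token_request(self, fields):
        # Grant parameters travel form-encoded in the POST body, as in the page's curl samples.
        body = urllib.parse.urlencode(fields).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded", "app-name": "TheAppName"}
        status, raw = self.transport("POST", self.base_url + TOKEN_PATH, body, headers)
        if status != 200:
            raise RuntimeError("token endpoint returned HTTP %d: %r" % (status, raw[:200]))
        data = json.loads(raw)  # assumed RFC 6749 fields: access_token, expires_in, refresh_token
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(data.get("expires_in", 3600))
        return self.access_token

    def obtain_token(self):
        return self._token_request({"grant_type": "client_credentials",
                                    "client_id": self.client_id, "client_secret": self.client_secret})

    def refresh(self):
        if not self.refresh_token:  # Refresh Token option off: fall back to a fresh grant
            return self.obtain_token()
        return self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                                    "client_id": self.client_id, "client_secret": self.client_secret})

    def bearer(self):
        """Reuse the cached token while it is fresh; refresh shortly before the 1-hour expiry."""
        if self.access_token is None:
            return self.obtain_token()
        if self.clock() >= self.expires_at - SKEW:
            return self.refresh()
        return self.access_token

    def get(self, path):
        """GET a protected endpoint; a 401 (revoked or expired token) triggers one refresh and retry."""
        for attempt in range(2):
            headers = {"Authorization": "Bearer " + self.bearer(), "app-name": "TheAppName"}
            status, raw = self.transport("GET", self.base_url + path, None, headers)
            if status != 401 or attempt == 1:
                return status, raw
            self.expires_at = 0.0  # force a refresh before the retry

class FakeWordPress:  # constructed stand-in for the token endpoint and a protected /wp/v2/posts
    def __init__(self):
        self.issued, self.revoked, self.grants = 0, set(), []
    def __call__(self, method, url, body, headers):
        if url.endswith(TOKEN_PATH):
            f = dict(urllib.parse.parse_qsl(body.decode()))
            self.grants.append(f["grant_type"])
            ok = (f["grant_type"] == "client_credentials" and f["client_secret"] == "s3cret") or \
                 (f["grant_type"] == "refresh_token" and f["refresh_token"] == "refresh-%d" % self.issued)
            if not ok:
                return 400, b'{"error":"invalid_grant"}'
            self.issued += 1
            return 200, json.dumps({"access_token": "tok-%d" % self.issued, "expires_in": 3600,
                                    "refresh_token": "refresh-%d" % self.issued}).encode()
        token = headers.get("Authorization", "")[len("Bearer "):]
        if token == "tok-%d" % self.issued and token not in self.revoked:
            return 200, b"[]"
        return 401, b'{"error":"invalid_token"}'

def demo():
    wp, now = FakeWordPress(), [1000.0]
    c = OAuth2Client("https://<wp_base_url>", "<client_id>", "s3cret", transport=wp, clock=lambda: now[0])
    statuses = [c.get("/wp-json/wp/v2/posts")[0] for _ in range(2)]  # 1st call obtains a token, 2nd reuses it
    now[0] += 3600                                  # past the 1-hour lifetime: refreshed before use
    statuses.append(c.get("/wp-json/wp/v2/posts")[0])
    wp.revoked.add(c.access_token)                  # revoked server-side: 401, refresh, retry
    statuses.append(c.get("/wp-json/wp/v2/posts")[0])
    return wp.grants, tuple(statuses)
```

demo() returns the grant sequence the fake server saw and the four GET statuses; against a real site, drop the transport and clock arguments.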


 
  // C# (RestSharp): obtain a token with the client credentials grant
  using RestSharp;
  using System;

  var client = new RestClient("https://<wp_base_url>/wp-json/api/v1/token");
  client.Timeout = -1;
  var request = new RestRequest(Method.POST);
  request.AlwaysMultipartFormData = true;
  request.AddHeader("app-name", "TheAppName");
  request.AddParameter("grant_type", "client_credentials");
  request.AddParameter("client_id", "<client_id>");
  request.AddParameter("client_secret", "<client_secret>");
  IRestResponse response = client.Execute(request);
  Console.WriteLine(response.Content);
  
 
  // Java (OkHttp): obtain a token with the client credentials grant
  import okhttp3.*;

  OkHttpClient client = new OkHttpClient().newBuilder().build();
  RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
      .addFormDataPart("grant_type", "client_credentials")
      .addFormDataPart("client_id", "<client_id>")
      .addFormDataPart("client_secret", "<client_secret>")
      .build();
  Request request = new Request.Builder()
      .url("https://<wp_base_url>/wp-json/api/v1/token")
      .post(body)
      .addHeader("app-name", "TheAppName")
      .build();
  Response response = client.newCall(request).execute();
  System.out.println(response.body().string());
          
 
  // JavaScript (jQuery): obtain a token with the client credentials grant
  // A client secret embedded in browser-side code is visible to every visitor;
  // run this grant from a trusted server, not from the public front end.
  var form = new FormData();
  form.append("grant_type", "client_credentials");
  form.append("client_id", "<client_id>");
  form.append("client_secret", "<client_secret>");

  var settings = {
    "url": "https://<wp_base_url>/wp-json/api/v1/token",
    "method": "POST",
    "timeout": 0,
    "headers": {"app-name": "TheAppName"},
    "processData": false,
    "mimeType": "multipart/form-data",
    "contentType": false,
    "data": form
  };

  $.ajax(settings).done(function (response) {
    console.log(response);
  });
    
 
  <?php
  // PHP (cURL): obtain a token with the client credentials grant
  $curl = curl_init();
  curl_setopt_array($curl, array(
      CURLOPT_URL => 'https://<wp_base_url>/wp-json/api/v1/token',
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => '',
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 0,
      CURLOPT_FOLLOWLOCATION => true,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => 'POST',
      CURLOPT_HTTPHEADER => array('app-name: TheAppName'),
      CURLOPT_POSTFIELDS => array(
          'grant_type' => 'client_credentials',
          'client_id' => '<client_id>',
          'client_secret' => '<client_secret>'
      ),
  ));

  $response = curl_exec($curl);
  curl_close($curl);
  echo $response;
          
 
  # Python (http.client): obtain a token with the client credentials grant
  import http.client
  from codecs import encode

  conn = http.client.HTTPSConnection("<wp_base_url>")
  boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
  fields = {
      'grant_type': 'client_credentials',
      'client_id': '<client_id>',
      'client_secret': '<client_secret>',
  }
  # Build the multipart/form-data body, one part per form field
  dataList = []
  for name, value in fields.items():
      dataList.append(encode('--' + boundary))
      dataList.append(encode('Content-Disposition: form-data; name="{}"'.format(name)))
      dataList.append(encode('Content-Type: text/plain'))
      dataList.append(encode(''))
      dataList.append(encode(value))
  dataList.append(encode('--' + boundary + '--'))
  dataList.append(encode(''))
  payload = b'\r\n'.join(dataList)
  headers = {
      'Content-Type': 'multipart/form-data; boundary={}'.format(boundary),
      'app-name': 'TheAppName',
  }
  conn.request("POST", "/wp-json/api/v1/token", payload, headers)
  res = conn.getresponse()
  data = res.read()
  print(data.decode("utf-8"))
  
 
  // C# (RestSharp): obtain a token with the password grant
  using RestSharp;
  using System;

  var client = new RestClient("https://<wp_base_url>/wp-json/api/v1/token");
  client.Timeout = -1;
  var request = new RestRequest(Method.POST);
  request.AlwaysMultipartFormData = true;
  request.AddHeader("app-name", "TheAppName");
  request.AddParameter("grant_type", "password");
  request.AddParameter("username", "<wordpress_username>");
  request.AddParameter("password", "<wordpress_password>");
  request.AddParameter("client_id", "<client_id>");
  IRestResponse response = client.Execute(request);
  Console.WriteLine(response.Content);
  
 
  // Java (OkHttp): obtain a token with the password grant
  import okhttp3.*;

  OkHttpClient client = new OkHttpClient().newBuilder().build();
  RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
      .addFormDataPart("grant_type", "password")
      .addFormDataPart("username", "<wordpress_username>")
      .addFormDataPart("password", "<wordpress_password>")
      .addFormDataPart("client_id", "<client_id>")
      .build();
  Request request = new Request.Builder()
      .url("https://<wp_base_url>/wp-json/api/v1/token")
      .post(body)
      .addHeader("app-name", "TheAppName")
      .build();
  Response response = client.newCall(request).execute();
  System.out.println(response.body().string());
        
 
  // JavaScript (jQuery): obtain a token with the password grant
  var form = new FormData();
  form.append("grant_type", "password");
  form.append("username", "<wordpress_username>");
  form.append("password", "<wordpress_password>");
  form.append("client_id", "<client_id>");

  var settings = {
    "url": "https://<wp_base_url>/wp-json/api/v1/token",
    "method": "POST",
    "timeout": 0,
    "headers": {"app-name": "TheAppName"},
    "processData": false,
    "mimeType": "multipart/form-data",
    "contentType": false,
    "data": form
  };

  $.ajax(settings).done(function (response) {
    console.log(response);
  });
      
 
  <?php
  // PHP (cURL): obtain a token with the password grant
  $curl = curl_init();
  curl_setopt_array($curl, array(
      CURLOPT_URL => 'https://<wp_base_url>/wp-json/api/v1/token',
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => '',
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 0,
      CURLOPT_FOLLOWLOCATION => true,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => 'POST',
      CURLOPT_HTTPHEADER => array('app-name: TheAppName'),
      CURLOPT_POSTFIELDS => array(
          'grant_type' => 'password',
          'username' => '<wordpress_username>',
          'password' => '<wordpress_password>',
          'client_id' => '<client_id>'
      ),
  ));

  $response = curl_exec($curl);
  curl_close($curl);
  echo $response;
        
 
  # Python (http.client): obtain a token with the password grant
  import http.client
  from codecs import encode

  conn = http.client.HTTPSConnection("<wp_base_url>")
  boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
  fields = {
      'grant_type': 'password',
      'username': '<wordpress_username>',
      'password': '<wordpress_password>',
      'client_id': '<client_id>',
  }
  # Build the multipart/form-data body, one part per form field
  dataList = []
  for name, value in fields.items():
      dataList.append(encode('--' + boundary))
      dataList.append(encode('Content-Disposition: form-data; name="{}"'.format(name)))
      dataList.append(encode('Content-Type: text/plain'))
      dataList.append(encode(''))
      dataList.append(encode(value))
  dataList.append(encode('--' + boundary + '--'))
  dataList.append(encode(''))
  payload = b'\r\n'.join(dataList)
  headers = {
      'Content-Type': 'multipart/form-data; boundary={}'.format(boundary),
      'app-name': 'TheAppName',
  }
  conn.request("POST", "/wp-json/api/v1/token", payload, headers)
  res = conn.getresponse()
  data = res.read()
  print(data.decode("utf-8"))
  

 
  // C# (RestSharp): exchange a refresh token for a new access token
  using RestSharp;
  using System;

  var client = new RestClient("https://<wp_base_url>/wp-json/api/v1/token");
  client.Timeout = -1;
  var request = new RestRequest(Method.POST);
  request.AlwaysMultipartFormData = true;
  request.AddHeader("app-name", "TheAppName");
  request.AddParameter("grant_type", "refresh_token");
  request.AddParameter("client_id", "<client_id>");
  request.AddParameter("client_secret", "<client_secret>");
  request.AddParameter("refresh_token", "<refresh_token>");
  IRestResponse response = client.Execute(request);
  Console.WriteLine(response.Content);
  
 
  // Java (OkHttp): exchange a refresh token for a new access token
  import okhttp3.*;

  OkHttpClient client = new OkHttpClient().newBuilder().build();
  RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
      .addFormDataPart("grant_type", "refresh_token")
      .addFormDataPart("client_id", "<client_id>")
      .addFormDataPart("client_secret", "<client_secret>")
      .addFormDataPart("refresh_token", "<refresh_token>")
      .build();
  Request request = new Request.Builder()
      .url("https://<wp_base_url>/wp-json/api/v1/token")
      .post(body)
      .addHeader("app-name", "TheAppName")
      .build();
  Response response = client.newCall(request).execute();
  System.out.println(response.body().string());
          
 
  // JavaScript (jQuery): exchange a refresh token for a new access token
  // A client secret embedded in browser-side code is visible to every visitor;
  // run this grant from a trusted server, not from the public front end.
  var form = new FormData();
  form.append("grant_type", "refresh_token");
  form.append("client_id", "<client_id>");
  form.append("client_secret", "<client_secret>");
  form.append("refresh_token", "<refresh_token>");

  var settings = {
    "url": "https://<wp_base_url>/wp-json/api/v1/token",
    "method": "POST",
    "timeout": 0,
    "headers": {"app-name": "TheAppName"},
    "processData": false,
    "mimeType": "multipart/form-data",
    "contentType": false,
    "data": form
  };

  $.ajax(settings).done(function (response) {
    console.log(response);
  });
    
 
  <?php
  // PHP (cURL): exchange a refresh token for a new access token
  $curl = curl_init();
  curl_setopt_array($curl, array(
      CURLOPT_URL => 'https://<wp_base_url>/wp-json/api/v1/token',
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => '',
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 0,
      CURLOPT_FOLLOWLOCATION => true,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => 'POST',
      CURLOPT_HTTPHEADER => array('app-name: TheAppName'),
      CURLOPT_POSTFIELDS => array(
          'grant_type' => 'refresh_token',
          'client_id' => '<client_id>',
          'client_secret' => '<client_secret>',
          'refresh_token' => '<refresh_token>'
      ),
  ));

  $response = curl_exec($curl);
  curl_close($curl);
  echo $response;
          
 
  # Python (http.client): exchange a refresh token for a new access token
  import http.client
  from codecs import encode

  conn = http.client.HTTPSConnection("<wp_base_url>")
  boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
  fields = {
      'grant_type': 'refresh_token',
      'client_id': '<client_id>',
      'client_secret': '<client_secret>',
      'refresh_token': '<refresh_token>',
  }
  # Build the multipart/form-data body, one part per form field
  dataList = []
  for name, value in fields.items():
      dataList.append(encode('--' + boundary))
      dataList.append(encode('Content-Disposition: form-data; name="{}"'.format(name)))
      dataList.append(encode('Content-Type: text/plain'))
      dataList.append(encode(''))
      dataList.append(encode(value))
  dataList.append(encode('--' + boundary + '--'))
  dataList.append(encode(''))
  payload = b'\r\n'.join(dataList)
  headers = {
      'Content-Type': 'multipart/form-data; boundary={}'.format(boundary),
      'app-name': 'TheAppName',
  }
  conn.request("POST", "/wp-json/api/v1/token", payload, headers)
  res = conn.getresponse()
  data = res.read()
  print(data.decode("utf-8"))
  
 
  // C# (RestSharp): call a protected endpoint with the bearer token
  using RestSharp;
  using System;

  var client = new RestClient("https://<wp_base_url>/wp-json/wp/v2/posts");
  client.Timeout = -1;
  var request = new RestRequest(Method.GET);
  request.AddHeader("Authorization", "Bearer <access_token / id_token>");
  request.AddHeader("app-name", "TheAppName");
  IRestResponse response = client.Execute(request);
  Console.WriteLine(response.Content);
  
 
  // Java (OkHttp): call a protected endpoint with the bearer token
  import okhttp3.*;

  OkHttpClient client = new OkHttpClient().newBuilder().build();
  Request request = new Request.Builder()
      .url("https://<wp_base_url>/wp-json/wp/v2/posts")
      .get()
      .addHeader("Authorization", "Bearer <access_token / id_token>")
      .addHeader("app-name", "TheAppName")
      .build();
  Response response = client.newCall(request).execute();
  System.out.println(response.body().string());
        
 
  // JavaScript (jQuery): call a protected endpoint with the bearer token
  var settings = {
    "url": "https://<wp_base_url>/wp-json/wp/v2/posts",
    "method": "GET",
    "timeout": 0,
    "headers": {
      "Authorization": "Bearer <access_token / id_token>",
      "app-name": "TheAppName"
    }
  };

  $.ajax(settings).done(function (response) {
    console.log(response);
  });
      
 
  <?php
  // PHP (cURL): call a protected endpoint with the bearer token
  $curl = curl_init();
  curl_setopt_array($curl, array(
      CURLOPT_URL => 'https://<wp_base_url>/wp-json/wp/v2/posts',
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => '',
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 0,
      CURLOPT_FOLLOWLOCATION => true,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => 'GET',
      CURLOPT_HTTPHEADER => array(
          'Authorization: Bearer <access_token / id_token>',
          'app-name: TheAppName'
      ),
  ));

  $response = curl_exec($curl);
  curl_close($curl);
  echo $response;
        
 
  # Python (http.client): call a protected endpoint with the bearer token
  import http.client

  conn = http.client.HTTPSConnection("<wp_base_url>")
  headers = {
      'Authorization': 'Bearer <access_token / id_token>',
      'app-name': 'TheAppName',
  }
  conn.request("GET", "/wp-json/wp/v2/posts", headers=headers)
  res = conn.getresponse()
  data = res.read()
  print(data.decode("utf-8"))
  

  • Sample request to obtain token:
  • You can download the Postman request sample from here.
  • Extract the zip file and import the extracted JSON file into the Postman application.
  • (Screenshot: WordPress REST API OAuth 2.0 Authentication method Postman implementation)
  • Example: (Screenshot: replace the URL with the actual resource)
  • Sample request format to request resources using the token obtained in the last step:
  • You can download the Postman request sample from here.
  • Extract the zip file and import the extracted JSON file into the Postman application.
  • (Screenshot: WordPress REST API OAuth 2.0 Authentication method Postman implementation)
  • Example: (Screenshot: replace the URL with the actual resource)



1. Role-Based REST API restriction:


This feature restricts WordPress REST API access based on user roles. You can allowlist specific roles that are permitted to access certain REST API resources. When a REST API request is made, the user's role is checked, and access is granted only if the role is on the allowlist.


How to configure role-based REST API restriction in WordPress?

  • Go to the plugin Advanced Settings tab.
  • In the Role-Based Restriction section, all roles are allowed to access APIs by default.
  • Enable the checkbox next to the roles you want to restrict from accessing the APIs.
  • (Screenshot: Role-Based Restriction section in the Advanced Settings tab)
  • In the above screenshot, the Subscriber role checkbox is enabled, so whenever an API request is made by a user whose role is Subscriber, that user will not be allowed to access the requested resource.

Note: The Role-based restriction feature is valid for Basic authentication (Username: password), JWT method, and OAuth 2.0 (Password grant).


2. Custom Header:


The Custom Header feature lets you use a custom header instead of the default 'Authorization' header.

This adds an extra layer of security because the REST API will only accept requests with your defined custom header name. If someone tries to send a request using the default 'Authorization' header, access will be denied.


How to configure custom header for WordPress REST API authentication?

  • Go to the plugin Advanced Settings tab.
  • In the Custom Header section, enter your preferred header name in the textbox.
  • Save changes to apply the new custom header for API requests.
  • (Screenshot: Custom Header section in the Advanced Settings tab)

3. Exclude REST APIs:


The Exclude REST APIs feature lets you allow specific REST API endpoints to be accessed without authentication. These excluded APIs become publicly available, making them accessible without requiring a token or login.


How to configure excluded REST API in JWT authentication?

  • Go to the plugin Advanced Settings tab.
  • In the Exclude REST APIs section, enter your API endpoints in the required format.
  • The entered APIs will be excluded from authentication and available for public access.
  • (Screenshot: Exclude REST APIs section in the Advanced Settings tab)
  • Example: to exclude the REST API '<your domain>/wp-json/wp/v2/posts', enter '/wp/v2/posts' in the textbox.

4. Enable Advanced Encryption for the tokens using HMAC :


This feature is available in the Basic Authentication method. By default, tokens are Base64-encoded; with the advanced option you can switch the tokens to HMAC. HMAC provides a much higher level of security, protecting API requests against tampering and unauthorized access.

How to configure HMAC encryption for tokens in WordPress Basic Authentication?

  • Go to the plugin Advanced Settings tab and open the Token Encryption Method section.
  • Select HMAC instead of Base64, then save changes to apply secure encryption for all tokens.
  • (Screenshot: Token Encryption Method section in the Advanced Settings tab)


