WP REST API Authentication Setup Guide



     The following authentication methods are provided in our WordPress plugin:

    • Basic Authentication
        1. Username:Password
        2. Client-ID:Client-Secret
    • API Key Authentication
    • OAuth 2.0 Authentication
        1. Password Grant
        2. Client Credentials Grant
    • Third Party Provider Authentication

     Applications/Use-Cases:

    1. Basic Authentication: If you want to protect your WP REST APIs (e.g. posts, pages and other REST APIs) with users' login credentials or a client-id:client-secret pair, you can opt for this method. It is recommended that you use this method only over HTTPS (SSL/TLS), because the credentials travel with every request and are only base64-encoded, not encrypted.

    2. API Key Authentication: If you want to protect your WP REST APIs (e.g. posts, pages and other REST APIs) from unauthenticated users but do not want to share users' login credentials or the client ID and secret to authenticate the REST API, you can use API Key authentication, which generates a random authentication key for you. Using this key, you can authenticate any REST API on your site.

    3. OAuth 2.0 Authentication: If you want to protect your REST APIs using an access token/JWT token and you do not have a third-party provider/identity provider, you should go for the OAuth 2.0 Authentication method. In this scenario, our WordPress REST API Authentication plugin works as both the OAuth Server and the API Authenticator to protect your REST APIs.

    4. Third Party Provider Authentication: If you want to protect/restrict access to your WP REST APIs using your own OAuth Provider/Identity Provider, you should go for the Third Party Provider Authentication method. Here, you just need to configure the plugin with the Introspection Endpoint/User Info Endpoint provided by your Identity Provider, and you will be able to authenticate API requests using the token issued by your provider application.

     Basic Authentication:

    • Basic Auth using Username & Password:

        1. Select your Authentication method -> Basic Auth and Authentication Key -> Username:Password, and click on Save Configuration as shown below.

        2. After you save the Basic Auth configuration, every API request to the WordPress site must carry the corresponding Authorization header. Use the request format shown below.

      Request: GET https://<domain-name>/wp-json/wp/v2/posts
      Header: Authorization : Basic base64encoded(<username:password>)

      Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
      Header: Authorization : Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw==
    • Basic Auth using Client-ID & Client-Secret:

        1. Select your Authentication method -> Basic Auth and Authentication Key -> Client-ID:Client-Secret, and click on Save Configuration as shown below.

        2. After you save the Basic Auth configuration, every API request to the WordPress site must carry the corresponding Authorization header. Use the request format shown below.

      Request: GET https://<domain-name>/wp-json/wp/v2/posts
      Header: Authorization : Basic base64encoded(<client-id:client-secret>)

      Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
      Header: Authorization : Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw==
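As an added example (not the plugin's own code), the following Python builds the Basic header for either pair above, prepares the GET request, and decodes a header back to its credentials to show why the guide recommends HTTPS: base64 is an encoding, not encryption. The domain example.com is a placeholder and no request is actually sent; the decoded sample value is the one printed in the guide above.

```python
import base64
import urllib.request

WP_POSTS_URL = "https://example.com/wp-json/wp/v2/posts"  # placeholder domain


def basic_auth_header(identifier, secret):
    """Return 'Basic <base64(identifier:secret)>' as the guide's request format
    requires. identifier is a WordPress username or the Client-ID; secret is
    the password or the Client-Secret."""
    if ":" in identifier:
        # RFC 7617: the user-id part must not contain a colon, otherwise the
        # server cannot split the pair unambiguously.
        raise ValueError("identifier must not contain ':'")
    raw = (identifier + ":" + secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_posts_request(identifier, secret):
    """Prepare GET /wp-json/wp/v2/posts with the Basic header attached
    (the request object is returned, not sent)."""
    req = urllib.request.Request(WP_POSTS_URL, method="GET")
    req.add_header("Authorization", basic_auth_header(identifier, secret))
    return req


def decode_basic_header(header_value):
    """Recover (identifier, secret) from a Basic header. Base64 is an encoding,
    not encryption: anyone who can read this header in transit or in a log
    holds the credentials, which is why the guide recommends HTTPS."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    identifier, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the ':' separator")
    return identifier, secret


if __name__ == "__main__":
    req = build_posts_request("editor", "s3cret-pass")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    # The guide's own sample value decodes straight back to identifier:secret.
    print(decode_basic_header(
        "Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw=="))
```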

     API Key Authentication

        1. Select your Authentication method -> API Key and click on Save Configuration as shown below.

        2. Once you save the configuration, you will get the option to Generate New Token; click on the Generate New Token button. Generating a new token expires the previous one, so any client still sending the old token will be rejected.

        3. Once you have generated the API Key (token), you can use it to secure your WordPress pages/posts.

        4. Users who have this token can access the API as shown below.

      Request: GET https://<domain-name>/wp-json/wp/v2/posts
      Header: Authorization : Bearer <token>

      Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
      Header: Authorization : Bearer kGUfhhzXZuWisofgnkAsuHGDyfw7gfhg5s

     OAuth 2.0 Authentication

    • OAuth 2.0 using Password Grant:

        1. Select your Authentication method -> OAuth 2.0, OAuth 2.0 Grant Type -> Password Grant and Token Type -> Access Token or JWT Token, as you prefer, and click on Save Configuration as shown below.

        2. Once you click on Save Configuration, you will get the Client ID, Client Secret and Token Endpoint.

        3. Here you need to make two calls:

          i. to get the token
          ii. to send an API request

        Step 1 : Get the Token

        • To get the access token/JWT token, make an API call to the token endpoint as shown below. The value grant_type=password is sent literally; the other fields are placeholders for your own values.

          Request:
          POST https://<domain-name>/wp-json/api/v1/token
          Body (form-encoded):
          grant_type=password
          &username=<wordpress username>
          &password=<wordpress password>
          &client_id=<client id>

        • Using a Refresh Token

          Request:
          POST https://<domain-name>/wp-json/api/v1/token
          Body (form-encoded):
          grant_type=refresh_token
          &refresh_token=<refresh token>

        Step 2 : Send API Request

        • Once you have the access_token / id_token, use it to request access to the WordPress site as shown below.

          Request:
          GET https://<domain-name>/wp-json/wp/v2/posts
          Header: Authorization : Bearer <access_token / id_token>

        Note : The token above is valid for 1 hour. Users have to obtain a token each time they want to request API access.

    • OAuth 2.0 using Client Credentials Grant:

        1. Select your Authentication method -> OAuth 2.0, OAuth 2.0 Grant Type -> Client Credentials Grant and Token Type -> Access Token or JWT Token, as you prefer, and click on Save Configuration as shown below.

        2. Once you click on Save Configuration, you will get the Client ID, Client Secret and Token Endpoint.

        3. Here you need to make two calls:

          i. to get the token
          ii. to send an API request

        Step 1 : Get the Token

        • To get the token, send a token request to the token endpoint as shown below. The value grant_type=client_credentials is sent literally; the other fields are placeholders for the Client ID and Client Secret you received in step 2.

          Request:
          POST https://<domain-name>/wp-json/api/v1/token
          Body (form-encoded):
          grant_type=client_credentials
          &client_id=<client id>
          &client_secret=<client secret>

        • Using a Refresh Token

          Request:
          POST https://<domain-name>/wp-json/api/v1/token
          Body (form-encoded):
          grant_type=refresh_token
          &refresh_token=<refresh token>

        Step 2 : Send API Request

        • Once you have the access_token / id_token, use it to request access to the WordPress site as shown below.

          Request:
          GET https://<domain-name>/wp-json/wp/v2/posts
          Header: Authorization : Bearer <access_token / id_token>

        Note : The token above is valid for 1 hour. Users have to obtain a token each time they want to request API access.
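The Password grant and the Client Credentials grant above share the same token endpoint, refresh flow and 1-hour lifetime, so here is one added Python example (not the plugin's own code) that builds the token request for either grant, caches the returned access_token, renews it with the refresh_token grant shortly before it expires, and attaches it as the Bearer header for the posts request. The placeholder domain example.com, the offline fake_send stand-in for the token endpoint, and the response field names (access_token, refresh_token, expires_in, as in RFC 6749) are assumptions; the guide only states the 1-hour validity, which is used as the fallback lifetime.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://example.com/wp-json/api/v1/token"  # placeholder domain
POSTS_URL = "https://example.com/wp-json/wp/v2/posts"
TOKEN_LIFETIME = 3600  # the guide: a token is valid for 1 hour
REFRESH_MARGIN = 60    # renew early so a request never carries an expired token

def token_request(grant, **params):
    """POST to the token endpoint with the form body shown in the guide.
    grant: 'password', 'client_credentials' or 'refresh_token'."""
    body = urllib.parse.urlencode({"grant_type": grant, **params}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def fake_send(req):
    """Constructed offline stand-in for the token endpoint; the token value
    names the grant used. Response fields assumed per RFC 6749."""
    grant = urllib.parse.parse_qs(req.data.decode())["grant_type"][0]
    return json.dumps({"access_token": "tok-" + grant, "refresh_token": "rt-1",
                       "expires_in": TOKEN_LIFETIME})

class TokenCache:
    """Caches one access_token, renews it via the refresh_token grant before
    expiry, and repeats the original grant only when no refresh token exists."""
    def __init__(self, send_fn, grant, **creds):
        self.send_fn, self.grant, self.creds = send_fn, grant, creds
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def get(self, now):
        # `now` is wall-clock seconds, passed in so the logic is testable offline.
        if self.access_token and now < self.expires_at - REFRESH_MARGIN:
            return self.access_token
        if self.refresh_token:
            req = token_request("refresh_token", refresh_token=self.refresh_token)
        else:
            req = token_request(self.grant, **self.creds)
        resp = json.loads(self.send_fn(req))
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = now + resp.get("expires_in", TOKEN_LIFETIME)
        return self.access_token

    def posts_request(self, now):
        # GET /wp-json/wp/v2/posts with 'Authorization: Bearer <token>'.
        req = urllib.request.Request(POSTS_URL, method="GET")
        req.add_header("Authorization", "Bearer " + self.get(now))
        return req
```

Construct it as TokenCache(send, "password", username=..., password=..., client_id=...) for the Password grant or with client_id and client_secret for the Client Credentials grant, passing time.time() as now. Replace fake_send with a function that actually POSTs the request over HTTPS and returns the response body.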

     Authentication using Third Party Provider

        1. Select your Authentication method -> Third Party Provider, add the Introspection Endpoint provided by your OAuth/OpenID Connect provider, and click on Save Configuration as shown below.

        2. Once you have configured the plugin with the Introspection Endpoint provided by your provider, access your WordPress pages/posts using the access token/id_token issued by your OAuth provider as shown below, so that the plugin can validate the token against that endpoint before serving the request.

        Request:
        GET https://<domain-name>/wp-json/wp/v2/posts
        Header (one of the two):
        access_token : <access_token>
        OR
        id_token : <id_token>