WordPress REST API Authentication Guide: Complete Tutorial

Updated 15/09/25 · 3 minute read

The WordPress REST API allows developers to interact with WordPress content programmatically. While fetching public data like posts and pages is simple, creating, updating, or deleting content requires authentication.

In this guide, we’ll cover different authentication methods, setup steps, and best practices for working with the WordPress REST API.


Why Authentication is Needed in WordPress REST API

The WordPress REST API lets anyone read public content without authentication. But when you want to create posts, upload media, manage users, or edit WooCommerce products, authentication ensures that only authorized users can make those changes.


WordPress REST API Authentication Methods

1. Cookie Authentication (Default)

  • Works when logged into WordPress.

  • Useful for internal tools and admin usage.

  • Not suitable for headless or external apps.

2. Basic Authentication

  • Requires sending a username and password with each request.

  • Simple but not secure for production without HTTPS.

  • Good for local testing.

Example using Application Passwords:

  1. Go to Users > Profile > Application Passwords in WordPress.

  2. Generate an application password.

  3. Use it in requests:

curl --user username:application_password https://yourdomain.com/wp-json/wp/v2/posts
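The curl call above sends the Application Password as a standard HTTP Basic header. The following JavaScript is an added example, not code from the tutorial or from WordPress, showing what that header actually contains, why it must only travel over HTTPS, and how a headless client would attach it to a fetch() call. The username, password and domain are constructed placeholders.

```javascript
// Added example (not from the original tutorial): building the Basic
// Authorization header WordPress expects for an Application Password.
// All credentials and URLs below are constructed placeholders.

// WordPress displays application passwords in groups of four characters
// separated by spaces; core strips non-alphanumerics before comparing,
// so the spaces may be kept or removed. We remove them here.
function appPasswordAuthHeader(username, appPassword) {
  const secret = appPassword.replace(/\s+/g, '');
  const encoded = Buffer.from(`${username}:${secret}`, 'utf8').toString('base64');
  return `Basic ${encoded}`;
}

// Base64 is an encoding, not encryption: anyone who can read the header
// can recover the credentials. This is why the tutorial insists on HTTPS.
function decodeBasicHeader(headerValue) {
  const [scheme, encoded] = headerValue.split(' ');
  if (scheme !== 'Basic' || !encoded) throw new Error('not a Basic header');
  const text = Buffer.from(encoded, 'base64').toString('utf8');
  const i = text.indexOf(':');
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}

// Build the fetch() URL and options for a REST call, refusing to attach
// credentials to anything other than an https:// URL.
function authenticatedRequest(url, username, appPassword) {
  const parsed = new URL(url);
  if (parsed.protocol !== 'https:') {
    throw new Error(`refusing to send credentials over ${parsed.protocol}`);
  }
  return {
    url: parsed.toString(),
    options: {
      method: 'GET',
      headers: { Authorization: appPasswordAuthHeader(username, appPassword) },
    },
  };
}

// Usage (placeholders):
// const { url, options } = authenticatedRequest(
//   'https://yourdomain.com/wp-json/wp/v2/posts', 'editor', 'abcd EFGH 1234 ijkl MNOP 5678');
// const posts = await (await fetch(url, options)).json();
```

The HTTPS guard mirrors what WordPress core already does on the server side: Application Passwords are only offered on sites served over HTTPS (or in local environments), precisely because the header is trivially decodable.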

3. OAuth Authentication

  • Best for public-facing applications with many users.

  • Uses access tokens and secret keys.

  • Requires plugins like WP OAuth Server.

OAuth flow:

  1. User authorizes the app.

  2. App receives an authorization code.

  3. App exchanges the code for an access token.

  4. Token is used for API requests.


4. JWT (JSON Web Token) Authentication

  • Secure and modern method.

  • Perfect for Headless WordPress + Next.js setups.

  • Requires the JWT Authentication for WP REST API plugin.

Steps:

  1. Install and configure the JWT plugin.

  2. Add this line to .htaccess so Apache passes the Authorization header through to PHP (some hosts strip it before PHP sees it). It is an Apache directive: nginx has no SetEnvIf and normally forwards the header to PHP-FPM as HTTP_AUTHORIZATION already.

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  3. Request a token:

curl -X POST -d "username=admin&password=yourpassword" https://yourdomain.com/wp-json/jwt-auth/v1/token

  4. Use the token in API requests:

curl --header "Authorization: Bearer your_jwt_token" https://yourdomain.com/wp-json/wp/v2/posts

Example: Creating a Post with JWT Authentication

curl -X POST https://yourdomain.com/wp-json/wp/v2/posts \
-H "Authorization: Bearer your_jwt_token" \
-H "Content-Type: application/json" \
-d '{"title":"Hello from API","content":"This post was created via REST API","status":"publish"}'

Best Practices

  • Always use HTTPS when working with authentication.

  • Use Application Passwords or JWT instead of plain credentials.

  • Assign limited roles to API users.

  • Implement token expiration for better security.

  • Monitor activity with audit logs.
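The JWT steps above and the "implement token expiration" practice are served by one added example below. It is not code from the tutorial or from the JWT Authentication for WP REST API plugin: it reads the standard exp claim from a token (the plugin's tokens carry one) so the client stops using it before the server rejects it, refuses to send the token over plain HTTP, and assembles the same create-post request the curl example shows. The client never verifies the signature, which only the server can do with its secret; the test token is constructed with a placeholder signature and would be rejected by a real site. Domain and post content are placeholders.

```javascript
// Added example (not from the original tutorial or the JWT plugin):
// client-side handling of a JWT obtained from /wp-json/jwt-auth/v1/token.
// The client only reads the payload to avoid sending an expired token;
// signature verification is the server's job.

function base64UrlDecode(segment) {
  const padLength = (4 - (segment.length % 4)) % 4;
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(segment.length + padLength, '=');
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// `now` is seconds since the epoch; `leeway` absorbs clock skew between
// client and server. A token without exp is treated as unusable.
function isJwtExpired(token, now = Math.floor(Date.now() / 1000), leeway = 30) {
  const payload = decodeJwtPayload(token);
  if (typeof payload.exp !== 'number') return true;
  return payload.exp - leeway <= now;
}

// Build the fetch() URL and options for POST /wp-json/wp/v2/posts,
// mirroring the curl example in the tutorial.
function createPostRequest(baseUrl, token, post, now) {
  const url = new URL('/wp-json/wp/v2/posts', baseUrl);
  if (url.protocol !== 'https:') throw new Error('bearer token must only travel over HTTPS');
  if (isJwtExpired(token, now)) throw new Error('token expired; request a new one');
  return {
    url: url.toString(),
    options: {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(post),
    },
  };
}

// Constructed token for offline use: header and payload are real
// base64url JSON, the signature segment is a placeholder, so any server
// would reject it. Used only to exercise the expiry check.
function makeUnsignedTestToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Usage (placeholders):
// const { url, options } = createPostRequest('https://yourdomain.com', yourJwtToken,
//   { title: 'Hello from API', content: 'This post was created via REST API', status: 'draft' });
// const created = await (await fetch(url, options)).json();
```

Note the usage sets status to draft rather than publish: an API user limited to the Contributor role (the "assign limited roles" practice above) can create drafts but cannot publish, so a stolen token for that account does less damage.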


FAQ

1. Can I use REST API without authentication?
Yes, but only for public GET requests.

2. Which method is best for headless WordPress with Next.js?
JWT authentication is the most secure and flexible.

3. Do I need plugins for authentication?
Yes, for JWT and OAuth you need plugins. Basic Authentication can use Application Passwords.

4. Is Basic Authentication safe for production?
No, unless combined with HTTPS. Use JWT or OAuth instead.

5. Can I authenticate multiple users?
Yes, OAuth and JWT support multiple users with different permissions.