What are the different OAuth 2.0 grant types supported?

The plugin supports two main OAuth 2.0 grant types: Password Grant (for user authentication using WordPress credentials) and Client Credentials Grant (for application-to-application authentication without exposing user credentials).

How do I configure OAuth 2.0 authentication for WordPress REST API?

Go to the Configure API Authentication tab in the plugin and select OAuth 2.0 Authentication as the method. Choose your preferred grant type (Password Grant or Client Credentials Grant), select the token type (Access Token or JWT Token), and click Save Configuration. After saving, you'll receive the Client ID, Client Secret, and Token Endpoint for making API calls.

What security features are available with OAuth 2.0?

OAuth 2.0 provides several security features including Refresh Tokens (for extending sessions without re-authentication), Revoke Tokens (for invalidating tokens when needed), Role-Based API restrictions, Custom Headers, API endpoint exclusion, and HMAC encryption for enhanced token security.

Can I revoke OAuth 2.0 tokens if needed?

Yes, you can revoke OAuth 2.0 tokens to invalidate them before their expiration. Once revoked, the token cannot be used to authenticate WordPress REST APIs. The REST API validates app credentials and checks if the token belongs to the requesting app before processing the revocation.

REST API OAuth 2.0 Authentication Method for WordPress

Q: What is OAuth 2.0 and how does it work with WordPress REST API?

OAuth 2.0 is one of the most widely used methods for securing access to WordPress REST API endpoints. Unlike traditional methods, OAuth 2.0 allows authorization without exposing a user's email or password to external applications. This authentication flow uses the OAuth 2.0 protocol to generate a secure access token or ID token (JWT token), which is then used to authenticate all API requests.

Q: How do refresh tokens work in OAuth 2.0?

Refresh tokens allow users to continue accessing resources without logging in again. They enable issuing short-lived access tokens for better security. When an access token expires, the refresh token securely generates a new one, maintaining the user session while keeping security high.

Overview

OAuth 2.0 is one of the most widely used methods for securing access to REST API endpoints for WordPress. Unlike traditional methods, OAuth 2.0 allows authorization without exposing a user's email or password to external applications. This authentication flow uses the OAuth 2.0 protocol to generate a secure access token or ID token (JWT token), which is then used to authenticate all API requests. Every time a request is made to a REST API endpoint for WordPress, the API verifies the Bearer token to determine whether the requested resources can be accessed. The tokens issued via OAuth 2.0 are highly encrypted and secure, ensuring that sensitive data remains protected. While similar to JWT authentication, OAuth 2.0 provides enhanced security and additional benefits, making it the preferred method for safeguarding REST API endpoints for WordPress.

Download Plugin

Free Trial

REST API Authentication for WordPress

REST API Authentication plugin for WordPress provides security from unauthorized access to your REST APIs for WordPress. Our plugin provides multiple authentication methods like Basic Authentication, API Key Authentication, OAuth 2.0 Authentication, and JWT Authentication.

Know More

Requirements: Download and Installation

Log into your WordPress instance as an admin.
Go to the WordPress Dashboard → Plugins and click on Add New.
Search for a REST API Authentication plugin for WordPress and click on Install Now.
Once installed click on Activate.

UseCase: How to secure REST API using OAuth 2.0 Authentication Method for WordPress?

1. Password Grant:

How to securely register or authenticate WordPress users on external platforms via REST API?

If you have a login form in your application and want to authenticate users using their WordPress credentials, the OAuth 2.0 Authentication in REST API method can help you achieve that.
The plugin provides a login API for WordPress, allowing you to pass the WordPress credentials of a user to this API. Based on validation, you will receive authentication and a response confirming the user's access.
In addition, the OAuth 2.0 Authentication in REST API method can also be used to register new users in WordPress using administrator credentials. Through the plugin's OAuth 2.0 token endpoint, you can send WordPress admin credentials to generate a token with administrator capabilities.
This token can then be used to perform privileged operations such as user registration. Once generated, the token can be used with the WordPress /users REST API endpoint to securely register users in WordPress without exposing sensitive login information.

2. Client Credentials:

How to securely authenticate or protect REST API endpoints for WordPress and register users without using admin user credentials?

If you want to access the REST API for WordPress without sharing WordPress user credentials, or if you want to register users in WordPress securely without using admin user credentials, the Client Credentials method is the perfect solution.
Instead of exposing sensitive login details, you can use the client credentials provided by the plugin, ensuring there is no risk of credential compromise.
The plugin acts as an OAuth 2.0 Identity Provider (Server) to issue secure tokens and as a REST API authenticator to validate them.
Once obtained, the token can authenticate REST API endpoints for WordPress, ensuring secure and reliable access.

There’s no need to add this flow implementation, as we have not included a flow diagram, and the implementation has already been explained through two use cases.

1. The REST API request will be made with appropriate parameters to obtain the token for our plugin. Our plugin will act as an OAuth 2.0 Identity provider and provides the access token.

2. The actual REST API request to access the resource will be made with the access token received from the last step passed in the Authorization header with token type as Bearer. The plugin now acts as Authenticator to authenticate the API on the basis of token validity. If the token is validated successfully then the API requester will be allowed to access the resource else on the failed validation the error response will be returned.

Related Usecase:

How to login or register users using REST API for WordPress?
How to authenticate WordPress users using the API?

Read Use Cases for the following Rest API Authentication Methods:

single sign-on sso for WordPress login form add-on integration

Api Key Authentication

single sign-on sso for login form add-on integration in WordPress

JWT Authentication

single sign-on sso for media restriction add-on integration in WordPress

Basic Authentication

single sign-on sso for discord role mapping in WordPress

Third Party Provider Authentication

How to configure REST API OAuth 2.0 for WordPress using Password Grant?

Go to the Configure API Authentication tab in the plugin and select OAuth 2.0 Authentication as the method.
Select the OAuth 2.0 Grant Type as Password Grant.
Choose the Token Type as either Access Token or JWT Token. The Access Token is a random string, while the JWT Token contains encoded user details and is recommended if you need to fetch WordPress profile details later.

REST API OAuth 2.0 Authentication method for WordPress

Click on Save Configuration to enable OAuth 2.0 authentication and secure your REST API endpoints for WordPress.
After saving, you will get the Client ID, Client Secret, and Token Endpoint for obtaining the security token.

Once setup is complete, make two API calls: first to obtain the Access/JWT token, and then to use that token to authenticate REST API requests in WordPress.

I : Get the Token

To get the access token/JWT Token, you would need to make an API Call to OAuth 2.0 Token endpoint provided by our plugin shown as below


    Request: POST https://<domain-name>/wp-json/api/v1/token
    Body:
    grant_type =<password>
    username =<wordpress username>
    password = <wordpress password>
    client_id =<client id>
    
    Sample curl Request Format-
    curl -d "grant_type=password&username=<wordpress_username>&password=<wordpress_password>&client_id=<client_id>"
    -X POST http://<wp_base_url>/wp-json/api/v1/token
    -H 'app-name:TheAppName'

Using Refresh Token


    Request: POST  https://<domain-name>/wp-json/api/v1/token
    Body:
    grant_type = <refresh_token>
    refresh_token =  <Refresh Token>
    
    Sample curl Request Format-
    curl -d "grant_type=refresh_token&refresh_token=<refresh_token>&client_id=<client_id>&client_secret=<client_secret>"
    -X POST http://<wp_base_url>/wp-json/api/v1/token
    -H 'app-name:TheAppName'

II : Send actual REST API Request for WordPress

Once you get the access_token / id_token (JWT token) using the OAuth 2.0 password grant flow, you can use it to request the access to the REST API endpoints for WordPress as shown below.


    Request: GET https://<domain-name>/wp-json/wp/v2/posts
    Header: Authorization :Bearer <access_token /id_token>

NOTE: Above token is valid for 1 hour by default. The same token can be used multiple times for multiple REST API requests before its expiration time. Once the token is expired, new token needs to be created to request the REST API endpoint access of WordPress.

Check out the Error Response for OAuth 2.0 using Password Grant.

How to configure REST API OAuth 2.0 for WordPress using Client Credentials Grant?

In the plugin, go to the Configure API Authentication tab and select OAuth 2.0 Authentication as the method.
Choose the OAuth 2.0 Grant Type as Client Credentials Grant.

REST API OAuth 2.0 Authentication method for WordPress using jwt

Click Save Configuration to enable the method.
After saving, you will get the Client ID, Client Secret, and Token Endpoint.
Next, make two API calls: one to obtain the token and another to use that token for authenticating REST API requests in WordPress.

I : Get the Token

After saving above configuration, you will get the Client ID, Client-Secret & Token Endpoint.
get the token, you need to send a token request as shown below


    Request: POST https://<domain-name>/wp-json/api/v1/token
    Body:
    grant_type = <client_credentials>
    client_id = <client id>
    client_secret = <client secret>
    
    Sample curl Request Format-
    curl -d "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>"
    -X POST http://<wp_base_url>/wp-json/api/v1/token
    -H 'app-name:TheAppName'

Using Refresh Token


    Request: POST https://<domain-name>/wp-json/api/v1/token
    Body:
    grant_type = <refresh_token>
    refresh_token = <Refresh Token>
    
    Sample curl Request Format-
    curl -d "grant_type=refresh_token&refresh_token=<refresh_token>&client_id=<client_id>&client_secret=<client_secret>"
    -X POST http://<wp_base_url>/wp-json/api/v1/token
    -H 'app-name:TheAppName'

II : Send API Request

Once you get the access_token / id_token by OAuth 2.0 client credentials, you can use it to request the access to the REST API endpoint for WordPress as shown below.


    Request: GET https://<domain-name>/wp-json/wp/v2/posts
    Header: Authorization : Bearer <access_token /id_token>

NOTE: Above token is valid for 1 hour by default. The same token can be used multiple times for multiple REST API requests before its expiration time. Once the token is expired, new token needs to be created to request the REST API endpoint access in WordPress.

Check out the Error Response for OAuth 2.0 using Client Credentials Grant.
Check out the developer documentation for more details.

Additional Security Features

The OAuth 2.0 method provides you with additional security facilities, allowing you to have more control over the tokens and thereby enhancing the overall security of your WordPress website.

1. Refresh Token -

REST API OAuth 2.0 Authentication for Refresh Token in WordPress

Enable the Refresh Token option to receive a refresh token along with the access token or JWT token.

Users can continue accessing the same resources without logging in again.

Refresh tokens allow issuing short-lived access tokens for better security.

When an access token expires, the refresh token securely generates a new one.

2. Revoke Token -

REST API OAuth 2.0 Authentication for Revoke Token in WordPress

Enable the Revoke Token option to invalidate an existing access token or JWT token.

Once revoked, the token cannot be used to authenticate REST APIs in WordPress.

The REST API first validates app credentials and checks if the token belongs to the requesting app.

If validation passes, the token is invalidated; failed validations return an error.

Code samples in programming languages

Client Credentials
Password Grant

 
    var client = new RestClient("http://<wp_base_url>/wp-json/api/v1/token ");
    client.Timeout = -1;
    var request = new RestRequest(Method.POST);
    request.AlwaysMultipartFormDatatrue;    
    request.AddHeader("app-name", "TheAppName");
    request.AddParameter("grant_type", "client_credentials");
    request.AddParameter("client_id", "<client_id>");     
    request.AddParameter("client_secret", "<client_secret>");
    IRestResponse response = client.Execute(request);
    Console.WriteLine(response.Content);

 
    OkHttpClient client  = new OkHttpClient().newBuilder().build();
    MediaType mediaType = MediaType.parse("text/plain");    
    RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)    
    .addFormDataPart("grant_type", "client_credentials");
    .addFormDataPart("client_id", "<client_id>");     
    .addFormDataPart("client_secret", "<client_secret>");
     .build();
    Request request  = new Request.Builder()  
    .url("http://<wp_base_url>/wp-json/api/v1/token ")
    .method("POST", null)
    .addHeader("app-name", "TheAppName")
     .build();
    Response responseclient.newCall(request).execute();

 
    var form = new FormData();
    form.append("grant_type", "client_credentials");
    form.append("client_id", "<client_id>");     
    form.append("client_secret", "<client_secret>");
    
    var settings  = {
        "url": "http://<wp_base_url>/wp-json/api/v1/token ",
        "method": "POST",
        "timeout": 0,
        "headers": {"app-name": "TheAppName"}
        "processData": false,
        "mimeType": "multipart/form-data",
        "contentType": false,
        "data": form
      };
      
      $.ajax(settings).done(function (response)  {
        console.log(response);
      });

 
    <?php
     $curl = curl_init();
    curl_setopt_array($curl, array 
        (  
            CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/api/v1/token',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => '',
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => 'POST',
            CURLOPT_HTTPHEADER => array( 'app-name: TheAppName' )
            CURLOPT_POSTFIELDS => array('grant_type' => 'client_credentials','client_id' => '<client_id>','client_secret' => '<client_secret>'),
    
            ));          
          
    $response = curl_exec($curl);
    curl_close($curl);    
    echo $response;

 
    import http.client
    import mimetypes
    from codecs import encode
        
    conn   = http.client.HTTPSConnection("<wp_base_url>")
    dataList= []
    boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
    dataList.append(encode('--' + boundary))
    dataList.append(encode('Content-Disposition: form-data; name=grant_type;'))    
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))    
    dataList.append(encode(''))    
    
    dataList.append(encode("client_credentials"))
    dataList.append(encode('--' + boundary))    
    dataList.append(encode('Content-Disposition: form-data; name=client_id;'))    
    
    dataList.append('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))    
    
    dataList.append(encode("<client_id>"))    
    dataList.append(encode('--'+ boundary))    
    dataList.append(encode('Content-Disposition: form-data; name=client_secret;'))
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))
    
    
    dataList.append(encode("<client_secret<"))    
    dataList.append(encode('--'+boundary+'--'))
    dataList.append(encode(''))
    body  = b'\r\n'.join(dataList)    
    payload= body
    headers = {
      'Content-type': 'multipart/form-data; boundary={}'.format(boundary),
      'app-name': 'TheAppName'
    }
    conn.request("POST", "/wp-json/api/v1/token ", payload, headers)
    res= conn.getresponse()    
    data = res.read()    
    print (data.decode("utf-8"))

 
    var client = new RestClient("http://<wp_base_url>/wp-json/api/v1/token ");
    client.Timeout = -1;
    var request = new RestRequest(Method.POST);
    request.AlwaysMultipartFormData true;
    request.AddHeader("app-name", "TheAppName");
    request.AddParameter("grant_type", "password");
    request.AddParameter("username", "<wordpress_username>");     
    request.AddParameter("password", "<wordpress_password>");    
    request.AddParameter("client_id", "<client_id>");
    IRestResponse response = client.Execute(request);
    Console.WriteLine(response.Content);

 
    OkHttpClient client  = new OkHttpClient().newBuilder().build();
    MediaType mediaType = MediaType.parse("text/plain");    
    RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)    
    .addFormDataPart("grant_type", "password");
    .addFormDataPart("username", "<wordpress_username>");     
    .addFormDataPart("password", "<wordpress_password>");    
    .addFormDataPart("client_id", "<client_id>");
     .build();
    Request request  = new Request.Builder()  
    .url("http://<wp_base_url>/wp-json/api/v1/token ")
    .method("POST", null)
    .addHeader("app-name", "TheAppName")
     .build();
    Response responseclient.newCall(request).execute();

 
    var form = new FormData();
    form.append("grant_type", "password");
    form.append("username", "<wordpress_username>");     
    form.append("password", "<wordpress_password>");    
    form.append("client_id", "<client_id>");
    
    var settings  = {
        "url": "http://<wp_base_url>/wp-json/api/v1/token ",
        "method": "POST",
        "timeout": 0,
        "headers": {"app-name": "TheAppName"}
        "processData": false,
        "mimeType": "multipart/form-data",
        "contentType": false,
        "data": form
        };
        
        $.ajax(settings).done(function (response)  {
        console.log(response);
        });

 
    <?php
     $curl = curl_init();
    curl_setopt_array($curl, array 
        ( CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/api/v1/token%20',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => '',
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => 'POST',
            CURLOPT_HTTPHEADER => array( 'app-name: TheAppName' )
            CURLOPT_POSTFIELDS => array('username' => '<wordpress_username>','password' => '<wordpress_password>'),
            ));
            
    $response = curl_exec($curl);
    curl_close($curl);    
    echo $response;

 
    import http.client
    import mimetypes
    from codecs import encode
        
    conn   = http.client.HTTPSConnection("<wp_base_url>")
    dataList= []
    boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
    dataList.append(encode('--' + boundary))
    dataList.append(encode('Content-Disposition: form-data; name=grant_type;'))    
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))    
    dataList.append(encode(''))    
    
    dataList.append(encode("password"))
    dataList.append(encode('--' + boundary))    
    dataList.append(encode('Content-Disposition: form-data; name=username;')    
    
    dataList.append('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))    
    
    dataList.append(encode("<wordpress_username>"))    
    dataList.append(encode('--'+ boundary))    
    dataList.append(encode('Content-Disposition: form-data; name=password;'))
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))
    
    dataList.append(encode("<wordpress_password<"))    
    dataList.append(encode('--'+boundary))
    dataList.append(encode('Content-Disposition: form-data; name=client_id;'))    
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))
    
    dataList.append(encode("<client_id>"))    
    dataList.append(encode('--'+boundary+'--'))    
    dataList.append(encode(''))    
    
    body  = b'\r\n'.join(dataList)    
    payload= body
    headers = {
      'Content-type': 'multipart/form-data; boundary={}'.format(boundary),
      'app-name': 'TheAppName'
    conn.request("POST", "/wp-json/api/v1/token ", payload, headers)
    res= conn.getresponse()    
    data = res.read()    
    print (data.decode("utf-8"))

Refresh Token
Resource Request

 
    var client = new RestClient("http://<wp_base_url>/wp-json/api/v1/token ");
    client.Timeout = -1;
    var request = new RestRequest(Method.POST);
    request.AlwaysMultipartFormDatatrue;    
    request.AddHeader("app-name", "TheAppName");
    request.AddParameter("grant_type", "refresh_token");
    request.AddParameter("client_id", "<client_id>");     
    request.AddParameter("client_secret", "<client_secret>");
    request.AddParameter("refresh_token", "<refresh_token>");
    IRestResponse response = client.Execute(request);
    Console.WriteLine(response.Content);

 
    OkHttpClient client  = new OkHttpClient().newBuilder().build();
    MediaType mediaType = MediaType.parse("text/plain");    
    RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)    
    .addFormDataPart("grant_type", "refresh_token");
    .addFormDataPart("client_id", "<client_id>");     
    .addFormDataPart("client_secret", "<client_secret>");
    .addFormDataPart("refresh_token", "<refresh_token>");
     .build();
    Request request  = new Request.Builder()  
    .url("http://<wp_base_url>/wp-json/api/v1/token ")
    .method("POST", null)
    .addHeader("app-name", "TheAppName")
     .build();
    Response responseclient.newCall(request).execute();

 
    var form = new FormData();
    form.append("grant_type", "refresh_token");
    form.append("client_id", "<client_id>");     
    form.append("client_secret", "<client_secret>");
    form.append("refresh_token", "<refresh_token>");
    
    var settings  = {
        "url": "http://<wp_base_url>/wp-json/api/v1/token ",
        "method": "POST",
        "timeout": 0,
        "headers": {"app-name": "TheAppName"}
        "processData": false,
        "mimeType": "multipart/form-data",
        "contentType": false,
        "data": form
      };
      
      $.ajax(settings).done(function (response)  {
        console.log(response);
      });

 
    <?php
     $curl = curl_init();
    curl_setopt_array($curl, array 
        (  
            CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/api/v1/token',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => '',
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => 'POST',
            CURLOPT_HTTPHEADER => array( 'app-name: TheAppName' )
            CURLOPT_POSTFIELDS => array('grant_type' => 'refresh_token','client_id' => '<client_id>','client_secret' => '<client_secret>','refresh_token' => '<refresh_token>'),
    
            ));          
          
    $response = curl_exec($curl);
    curl_close($curl);    
    echo $response;

 
    import http.client
    import mimetypes
    from codecs import encode
        
    conn   = http.client.HTTPSConnection("<wp_base_url>")
    dataList= []
    boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
    dataList.append(encode('--' + boundary))
    dataList.append(encode('Content-Disposition: form-data; name=grant_type;'))    
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))    
    dataList.append(encode(''))    
    
    dataList.append(encode("refresh_token"))
    dataList.append(encode('--' + boundary))    
    dataList.append(encode('Content-Disposition: form-data; name=client_id;'))    
    
    dataList.append('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))    
    
    dataList.append(encode("<client_id>"))    
    dataList.append(encode('--'+ boundary))    
    dataList.append(encode('Content-Disposition: form-data; name=client_secret;'))
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))
    
    dataList.append(encode("<client_id>"))    
    dataList.append(encode('--'+ boundary))    
    dataList.append(encode('Content-Disposition: form-data; name=refresh_token;'))    
    
    dataList.append(encode('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))
    
    dataList.append(encode("<refresh_token<")) 
    dataList.append(encode('--'+boundary+'--'))
    dataList.append(encode(''))
    
    body  = b'\r\n'.join(dataList)    
    payload= body
    headers = {
      'Content-type': 'multipart/form-data; boundary={}'.format(boundary),
      'app-name': 'TheAppName'     
    
    conn.request("POST", "/wp-json/api/v1/token ", payload, headers)
    res= conn.getresponse()    
    data = res.read()    
    print (data.decode("utf-8"))

 
    var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts");
    client.Timeout = -1;
    var request = new RestRequest(Method.GET);
    request.AddHeader = ("Authorization", "Bearer < access_token / id_token >");
    request.AddHeader = ("app-name", "TheAppName");
    IRestResponse response = client.Execute(request);
    Console.WriteLine(response.Content);

 
    OkHttpClient client  = new OkHttpClient().newBuilder().build();
    MediaType mediaType = MediaType.parse("text/plain");    
    RequestBody body =  RequestBody.create(mediaType, ""); 
    Request request  = new Request.Builder()
    .url("http://<wp_base_url>//wp-json/wp/v2/posts")
    .method("GET", body)
    .addHeader = ("Authorization", "Bearer < access_token / id_token >"); 
    .addHeader = ("app-name", "TheAppName"); 
     .build();
    Response responseclient.newCall(request).execute();

 
    var settings  = {
        "url": "http://<wp_base_url>/wp-json/wp/v2/posts ",
        "method": "GET",
        "timeout": 0,
        "headers": {
          "Authorization": "Bearer < access_token / id_token >",
          "app-name": "TheAppName"
        },
      };      
        
        $.ajax(settings).done(function (response)  {
        console.log(response);
        });

 
    <?php
     $curl = curl_init();
    curl_setopt_array($curl, array 
        ( 
            curl_setopt_array($curl, array(
            CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/wp/v2/posts%20',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => '',
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => 'GET',
            CURLOPT_HTTPHEADER => array(
                'Authorization: Bearer < access_token / id_token >',
                'app-name: TheAppName'
    );
    ));
    
    $response = curl_exec($curl);
    curl_close($curl);    
    echo $response;

 
     import http.client
    
        
    conn   = http.client.HTTPSConnection("<wp_base_url>")
    payload = "
    headers =  {
        'Authorization': 'Bearer < access_token / id_token >',
        'app-name': 'TheAppName',
      }
    
    conn.request("GET", "/wp-json/wp/v2/posts ", payload, headers)    
    res= conn.getresponse()    
    data = res.read()    
    print (data.decode("utf-8"))

Postman Samples:

a) OAuth 2.0 password Grant method:

Sample request to obtain token:
You can download the postman request sample from here.
Now extract the zip file and import the extracted json file into the Postman application.

REST API OAuth 2.0 Authentication method for method postman implementation in WordPress

Example

REST API OAuth 2.0 Authentication method for method postman replace url actual resource in WordPress

Sample request format to request resources using the token obtained in the last step.
You can download the postman request sample from here.
Now extract the zip file and import the extracted json file into the Postman application.

REST API OAuth 2.0 Authentication method for postman implementation in WordPress

Example

REST API OAuth 2.0 Authentication method for postman replace url actual resource in WordPress

b) OAuth 2.0 Client Credentials Grant Method:

Sample request to obtain token:
You can download the postman request sample from here.
Now extract the zip file and import the extracted json file into the Postman application.

Example

c) REST API request to obtain the actual resource:

You can download the postman request sample from here.
Now extract the zip file and import the extracted json file into the Postman application.

Example

REST API OAuth 2.0 Authentication method for postman url actual resource in WordPress

Feature Description

1. Role-Based REST API restriction:

This feature restricts REST API access for WordPress based on user roles. You can allowlist specific roles that are permitted to access certain REST API resources. When a REST API request is made, the user's role is checked, and access is granted only if the role is on the allowlist.

How to configure role-based REST API restriction in WordPress?

Go to the plugin Advanced Settings tab.
In the Role-Based Restriction section, all roles are allowed to access APIs by default.
Enable the checkbox next to the roles you want to restrict from accessing the APIs.

REST API Basic Authentication method for postman implementation in WordPress

In the above screenshot, the subscriber role checkbox is enabled. So whenever an API request is made by the user with his role as subscriber then that user won’t be allowed to access the requested resource.

Note: The Role-based restriction feature is valid for Basic authentication (Username: password), JWT method, and OAuth 2.0 (Password grant).

2. Custom Header:

The Custom Header feature lets you use a custom header instead of the default 'Authorization' header.

This adds an extra layer of security because the REST API will only accept requests with your defined custom header name. If someone tries to send a request using the default 'Authorization' header, access will be denied.

How to configure custom header for REST API authentication for WordPress?

Go to the plugin Advanced Settings tab.
In the Custom Header section, enter your preferred header name in the textbox.
Save changes to apply the new custom header for API requests.

REST API Basic Authentication method for WordPress postman implementation

3. Exclude REST APIs:

The Exclude REST APIs feature lets you allow specific REST API endpoints to be accessed without authentication. These excluded APIs become publicly available, making them accessible without requiring a token or login.

How to configure excluded REST API in JWT authentication?

Go to the plugin Advanced Settings tab.
In the Exclude REST APIs section, enter your API endpoints in the required format.
The entered APIs will be excluded from authentication and available for public access.

Example: Suppose if you want to exclude the REST API ‘ '<your domain> /wp-json/wp/v2/posts’ then you have to enter ‘/wp/v2/posts’ in the textbox.

4. Enable Advanced Encryption for the tokens using HMAC :

This feature is available in the Basic Authentication method. By default, tokens are encrypted using Base64 encoding, but with the advanced option, you can enable HMAC encryption for tokens. HMAC provides a much higher level of security, ensuring that API requests are strongly protected against tampering and unauthorized access.

How to configure HMAC encryption for tokens in WordPress Basic Authentication?

Go to the plugin Advanced Settings tab and open the Token Encryption Method section.
Select HMAC instead of Base64, then save changes to apply secure encryption for all tokens.

Request a demo of the plugin

Get Full-featured Trial

Thank you for your response. We will get back to you soon.

Something went wrong. Please submit your query again

Integrate the External / Third-party REST API Endpoints

Need Help?

Mail us on apisupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.

Contents

REST API OAuth 2.0 Authentication Method for WordPress

Overview

Requirements: Download and Installation

UseCase: How to secure REST API using OAuth 2.0 Authentication Method for WordPress?

1. Password Grant:

2. Client Credentials:

Related Usecase:

Read Use Cases for the following Rest API Authentication Methods:

How to configure REST API OAuth 2.0 for WordPress using Password Grant?

I : Get the Token

II : Send actual REST API Request for WordPress

How to configure REST API OAuth 2.0 for WordPress using Client Credentials Grant?

I : Get the Token

II : Send API Request

Additional Security Features

Code samples in programming languages

Postman Samples:

Feature Description

1. Role-Based REST API restriction:

2. Custom Header:

3. Exclude REST APIs:

4. Enable Advanced Encryption for the tokens using HMAC :

Related Articles

Request a demo of the plugin

Get Full-featured Trial

Need Help?