API Key Authentication

API Key authentication is one of the simplest methods of protecting the WordPress REST API. Once you generate the Bearer Token / API Key, you use it to secure access to your WordPress pages and posts: any client that presents this token can access the WordPress REST API. The key is therefore a secret credential; store it accordingly and only send it over HTTPS.

Every REST API request must carry an Authorization header (or a custom header you configure) containing the Bearer token type and the API Key value. Whenever a client application requests a resource, the request must include this header with a valid API Key to be authenticated; a request without a valid key is rejected. See the sample request below, which fetches all WordPress posts / blogs.

User specific API Key authentication

With the default API Key authentication, only GET requests can be made. To make a POST request, the user must be authenticated to WordPress and must have the capabilities required to perform that action. This is where user-specific API Key authentication comes into play: the key is tied to a WordPress user, and the actions permitted through it are determined by that user's capabilities.

Sample Request
    Request: GET /wp-json/wp/v2/posts
    Header:  Authorization: Bearer <token>

The Header is explained below.

  • Authorization : The HTTP Authorization request header carries the credentials (the token type and the token value) that authenticate the user agent with the server. It is typically sent after the server has answered an unauthenticated request with a 401 Unauthorized status, but a client may also send it proactively on every request, which is what this API requires.

  • Bearer <token-value> : The Bearer token value is generated by the authentication server (here, the WordPress site running the plugin). When a client application sends it, the server validates the token and responds to the client accordingly. "Bearer" means exactly that: whoever holds the token can use it, with no further proof of possession.

  • cURL
  curl -H "Authorization: Bearer <token-value>" -X GET http://<wp_base_url>/wp-json/wp/v2/posts


The server replies with the requested data as a JSON array of post objects.

Success Response

200 SUCCESS
  Example model:
[{
  "id": 1,
  "guid": {
    "rendered": "http://<wp_base_url>/?p=1"
  },
  "slug": "hello-world",
  "status": "publish",
  "type": "post",
  "link": "http://<wp_base_url>/hello-world/",
  "title": {
    "rendered": "Hello World"
  },
  "content": {
    "rendered": "<p>Welcome to WordPress. This is your first post. Edit or delete it, then start writing!<\/p>",
    "protected": false
  },...
}]
Error Response

401 INVALID_API_KEY
  Returned when the API Key you supplied is invalid or has expired.

Example Model:
{
  "status": "error",
  "error": "INVALID_API_KEY",
  "code": "401",
  "error_description": "Sorry, you are using invalid API Key."
}
401 MISSING_AUTHORIZATION_HEADER
  Returned when the request did not include the Authorization header, or when your server removed it before it reached WordPress.

Example Model:
{
  "status": "error",
  "error": "MISSING_AUTHORIZATION_HEADER",
  "code": "401",
  "error_description": "Authorization header not received. Either authorization header was not sent or it was removed by your server due to security reasons."
}

NOTE - This error may be caused by the server environment: some server setups strip the Authorization header before it reaches PHP for security reasons.

- If you are using an Apache server, put the following lines in your .htaccess file after the RewriteBase directive. They copy the incoming Authorization header into the HTTP_AUTHORIZATION environment variable so that PHP can read it.
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} ^(.*)
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]

- If you are using an NGINX server, put the following line in your conf file. Note that this is a CORS response header: it tells browsers that cross-origin requests to the site may include the Authorization header. NGINX itself does not strip the Authorization header from incoming requests, so if the error persists, check any proxy or security layer in front of the site.
  add_header Access-Control-Allow-Headers "Authorization";
401 INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE
  Returned when the Authorization header is present but uses a token type other than Bearer (for example Basic).

Example Model:
{
  "status": "error",
  "error": "INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE",
  "code": "401",
  "error_description": "Authorization header must be type of Bearer Token."
}
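As an added example (not part of the plugin or of this documentation), the client below sends the documented GET /wp-json/wp/v2/posts request with a Bearer header and classifies the documented responses, so the caller can tell a bad key apart from a header stripped by the server or a wrong token type. The transport is injectable: urllib_transport performs the real HTTP call, while fake_transport feeds constructed sample responses copied from the models on this page so the logic runs offline. The base URL, the key, the action labels and the non-JSON 403 case are assumptions.

```python
"""Client-side handling of the API Key authentication responses documented above.
Added example, not the plugin's own code. Sample responses below are constructed."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes (url, headers) and returns (HTTP status, raw body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def build_headers(token: str) -> Dict[str, str]:
    """Build the Authorization header; the plugin accepts only the Bearer scheme."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("API key must be a non-empty string without whitespace")
    return {"Authorization": f"Bearer {token}"}


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP transport (not exercised by the offline demo below)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry the JSON error model
        return e.code, e.read().decode("utf-8", errors="replace")


def classify(status: int, body: str) -> str:
    """Map a response to an action label (labels are this example's own)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected"  # e.g. an HTML page from a WAF or proxy, not the plugin
    if status == 200 and isinstance(data, list):
        return "ok"
    if status == 401 and isinstance(data, dict) and data.get("status") == "error":
        err = data.get("error")
        if err == "INVALID_API_KEY":
            return "rotate-key"  # key is wrong or expired
        if err == "MISSING_AUTHORIZATION_HEADER":
            return "fix-server-config"  # header stripped upstream (see Apache/NGINX notes)
        if err == "INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE":
            return "fix-client-scheme"  # client sent e.g. "Basic ..." instead of "Bearer ..."
    return "unexpected"


def fetch_posts(base_url: str, token: str,
                transport: Transport = urllib_transport) -> Tuple[str, List[dict]]:
    """Fetch all posts; returns (outcome label, list of post objects or [])."""
    status, body = transport(f"{base_url}/wp-json/wp/v2/posts", build_headers(token))
    outcome = classify(status, body)
    posts = json.loads(body) if outcome == "ok" else []
    return outcome, posts


# Constructed sample responses mirroring the response models documented on this page.
SAMPLES: Dict[str, Tuple[int, str]] = {
    "good": (200, json.dumps([{"id": 1, "slug": "hello-world", "status": "publish"}])),
    "bad-key": (401, json.dumps({
        "status": "error", "error": "INVALID_API_KEY", "code": "401",
        "error_description": "Sorry, you are using invalid API Key."})),
    "stripped": (401, json.dumps({
        "status": "error", "error": "MISSING_AUTHORIZATION_HEADER", "code": "401",
        "error_description": "Authorization header not received. Either authorization header "
                             "was not sent or it was removed by your server due to security reasons."})),
    "wrong-type": (401, json.dumps({
        "status": "error", "error": "INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE", "code": "401",
        "error_description": "Authorization header must be type of Bearer Token."})),
    "waf": (403, "<html><body>Forbidden</body></html>"),  # assumed non-plugin response
}


def fake_transport(case: str) -> Transport:
    """Offline transport that replays one constructed sample and checks the header."""
    def _transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        assert headers["Authorization"].startswith("Bearer ")
        return SAMPLES[case]
    return _transport


if __name__ == "__main__":
    for case in SAMPLES:
        outcome, posts = fetch_posts("http://example.invalid", "example-key", fake_transport(case))
        print(f"{case:>10}: {outcome} ({len(posts)} posts)")
```

The useful distinction is between MISSING_AUTHORIZATION_HEADER and INVALID_API_KEY: the first means the header never reached the plugin (a server configuration problem, not a credential problem), so retrying with a new key will not help, while the second means the header arrived and the key itself was rejected.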