REST API Authentication

What is REST API?

A REST API exposes resources that client applications operate on with HTTP requests such as GET, POST, PUT, PATCH and DELETE, receiving responses over HTTP. For example, when a client application calls the Facebook API to fetch a specific user (the resource), the API returns the current state of that user: their name, how many posts they have published on Facebook so far, how many followers they have, and more.

Authentication methods we support are:

  • API Key Authentication
  • Basic Authentication
  • JWT Authentication
  • OAuth Authentication
  • Third Party Provider Authentication

Here we describe each of the above methods with its appropriate use cases and code snippets.

Authentication Methods

API Key Authentication

  • If you want to protect your WordPress REST APIs (e.g. posts, pages and other REST endpoints) from unauthenticated users, but you don't want to share user login credentials or a client ID and secret to authenticate the REST API, you can use API Key authentication, which generates a random authentication key for you. Using this key, you can authenticate any WordPress REST API request on your site. Treat the key as a secret: anyone who holds it can make the same requests, so send it only over HTTPS and regenerate it if it is ever exposed.

  • Suppose you have an Android/iOS blog application and you have already published all your posts on WordPress. You can fetch all the posts from the WordPress REST API, but by default those endpoints are publicly accessible. Whenever you want to protect such GET requests from public users, use the API Key authentication method.
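The API key method above comes down to three things: generate a high-entropy random key, store only a hash of it on the server, and compare the presented key in constant time. The following Python is an added example written for this page, not the plugin's own code; the key format (id.secret), the x-api-key header name and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed in-memory store for the example: key id -> SHA-256 hex digest of the secret part.
# Only the digest is kept, so a copied database does not yield usable keys.
KEY_STORE = {}

# Digest compared against when the key id is unknown, so unknown and wrong keys
# take the same time to reject.
_DUMMY_DIGEST = hashlib.sha256(b"dummy").hexdigest()


def generate_api_key():
    """Create a random key, record its hash, and return the key to hand to the client once."""
    key_id = secrets.token_hex(8)            # public lookup handle, 16 hex chars
    secret = secrets.token_urlsafe(32)       # 256 bits of randomness from the OS CSPRNG
    KEY_STORE[key_id] = hashlib.sha256(secret.encode()).hexdigest()
    return f"{key_id}.{secret}"


def verify_api_key(presented):
    """Return True only if the presented key matches a stored hash (constant-time compare)."""
    key_id, sep, secret = presented.partition(".")
    if not sep:
        return False
    stored = KEY_STORE.get(key_id, _DUMMY_DIGEST)
    match = hmac.compare_digest(stored, hashlib.sha256(secret.encode()).hexdigest())
    return match and key_id in KEY_STORE


def authenticate_request(headers):
    """Read the key from the assumed x-api-key header and verify it."""
    presented = headers.get("x-api-key", "")
    return bool(presented) and verify_api_key(presented)


def revoke_api_key(presented_or_id):
    """Drop a key from the store so it no longer authenticates (e.g. after exposure)."""
    key_id = presented_or_id.partition(".")[0]
    return KEY_STORE.pop(key_id, None) is not None
```

The key id lets the server look up the right hash without scanning every record, while the secret part is the only thing that must stay confidential; revoking and reissuing is a matter of deleting the record and calling generate_api_key again.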

You can read more about API Key Authentication Here

Basic Authentication

  • If you want to protect your WP REST APIs (e.g. posts, pages and other REST endpoints) with user login credentials or a client-id:client-secret pair, you can opt for this method. Use it only over HTTPS (TLS): Basic Authentication sends the credentials, base64-encoded but not encrypted, in the Authorization header of every request.

  • Suppose you have an Android/iOS blog application and you have given your users the ability to post their personal feeds or blogs from the mobile application. In this case every request from the mobile application must be authenticated. Basic Authentication with username and password is appropriate here: each user's credentials travel in the Authorization header, the request is authenticated as that user, and the blogs are assigned to that user accordingly.

  • Suppose you have an Android/iOS blog application and you want to sign up new users from the client application. You could use Basic Authentication with username:password, but then every sign-up request would carry two identities: an admin user in the header (the account allowed to create users) and the new user being created in the body, and the admin user's credentials would be sent from the client on every request. In that case use Basic Authentication with a client ID and client secret instead, so the admin user's credentials never leave the server and each request carries only the one set of credentials it needs.
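The three Basic Authentication scenarios above differ only in what goes before and after the colon. The following Python is an added example for this page, not the plugin's code: it builds the Authorization header a client sends, parses it on the server, and accepts either a WordPress user (username:password) or a registered client (client-id:client-secret) using a constant-time comparison. The sample credentials and the in-memory stores are constructed for the example; a real deployment stores password hashes, not plaintext.

```python
import base64
import hmac
import secrets

# Constructed credential stores for the example (not the plugin's own). Passwords are
# kept in plain text only to keep the example short; store hashes in practice.
USERS = {"alice": "correct horse battery staple"}
CLIENTS = {"mobile-app": secrets.token_urlsafe(32)}


def basic_header(identity, secret):
    """Build the Authorization value a client sends: 'Basic ' + base64(identity:secret)."""
    token = base64.b64encode(f"{identity}:{secret}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(value):
    """Return (identity, secret) from an Authorization header, or None if it is malformed."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain a colon, so split on the first one only;
    # the secret itself may contain colons.
    identity, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return identity, secret


def authenticate(headers):
    """Return ("user", name) or ("client", id) for valid credentials, else None."""
    parsed = parse_basic_header(headers.get("Authorization", ""))
    if parsed is None:
        return None
    identity, secret = parsed
    # compare_digest runs in constant time, so a wrong secret cannot be
    # distinguished from a nearly-right one by timing.
    if identity in USERS and hmac.compare_digest(USERS[identity].encode(), secret.encode()):
        return ("user", identity)
    if identity in CLIENTS and hmac.compare_digest(CLIENTS[identity].encode(), secret.encode()):
        return ("client", identity)
    return None
```

Because base64 is an encoding and not encryption, anything that can read the header can recover the credentials; that is why the bullets above insist on HTTPS for this method.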

You can read more about Basic Authentication Here

JWT Authentication

  • If you want to protect your WP REST APIs (e.g. posts, pages and other REST endpoints) with a JWT token, you can opt for this method. Use it only over HTTPS (TLS): a bearer token intercepted in transit can be replayed by whoever captured it until the token expires.

You can read more about JWT Authentication Here

OAuth Authentication

  • If you want to protect your REST APIs using an access token or JWT token and you do not have a third-party provider or identity provider, you should use the OAuth 2.0 Authentication method. In this scenario our WordPress REST API Authentication works as both the OAuth server and the API authenticator that protects your REST APIs.

  • If you are concerned about security and want the token in the header to be valid only for a limited time, after which a new token is required, you should use the OAuth 2.0 Authentication method. If an attacker manages to obtain a token, it is useful only until it expires, so the window for misuse is short. Choose the lifetime according to how much exposure you can tolerate: the shorter it is, the more often clients must obtain a fresh token.
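Both the JWT method and the token-expiry point above rest on the same mechanics: the server signs a token that carries an expiry claim, and rejects any request whose token fails the signature check or whose exp has passed. The following Python (standard library only) is an added example for this page, not the plugin's code: it mints and verifies an HS256 JWT with a short lifetime and pins the algorithm server-side. The signing secret, the Bearer header handling and the claim set (sub, iat, exp) are assumptions for illustration; the plugin's own tokens may use a different format, but the expiry check is the same idea.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC signing secret for the example; a real server loads it from
# configuration, never from source control.
SECRET = b"example-server-signing-secret-change-me"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, ttl_seconds, now=None):
    """Mint an HS256 JWT; the exp claim bounds how long a stolen copy stays usable."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token, now=None):
    """Return the payload if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never honour alg from the token itself
        # (this rejects "none" and key-confusion tricks).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def bearer_authenticate(headers, now=None):
    """Pull the JWT out of 'Authorization: Bearer <token>' and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, now)
```

The now parameter exists so the expiry behaviour can be exercised deterministically; in production leave it unset so the real clock is used. Note that the signature is checked before the payload is parsed, so unsigned or tampered payloads are never interpreted.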

You can read more about OAuth Authentication Here

Third Party Provider Authentication

  • If you want to protect or restrict access to your WP REST APIs using your own OAuth provider or identity provider, you should use the Third Party Provider Authentication method.

  • Suppose you have an Android/iOS blog application that uses login with Facebook and Google. You do not want to authenticate those users a second time just to make an API request, so you can use the access token or ID token issued by Facebook or Google to authenticate WordPress REST API requests. Such a token should be accepted only after it has been validated with the issuing provider, so that a forged or expired token is rejected.

You can read more about Third Party Provider Authentication Here