Yep, that's how it works. The next step is logging in. No doubt it's easy when you know how, but I didn't know where to start and couldn't even find a hint in the right direction. I wasted hours writing my own OAuth plugin too!
*IF* it's OK for the updating site/app to know the username and password for the site exposing the API (i.e. you own both of them, as in my case), then JSON Web Tokens are quick, easy and work reliably.
On the site to be accessed:
Install JWT Authentication for WP-API by Enrique Chavez
Add the following to .htaccess:
# BEGIN JWT Authentication for WP-API
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
# END JWT Authentication for WP-API
Add the following to config.php:
# BEGIN JWT Authentication for WP-API
define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');
define(‘JWT_AUTH_CORS_ENABLE’, true);
# END JWT Authentication for WP-API
Activate the plugin
On the site / app that will do the accessing you can now request a JWT via a new endpoint the plugin creates, BUT this app will need to be in possession of the WP username and password. Now just send the token in the headers of every request as a bearer token and it just works. You can configure the timeout of the tokens from seconds to years. There is also a way to revoke tokens, but honestly that's still on my todo list.
I'm no security expert, so do your own research, but for my situation this saved the day. I have yet to find any other method of accessing the API that I could get to work.
Last tip: don't even think about coding up anything until you've already seen it work in Postman. It's so much quicker to trial and error using the app; it saves hours.
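Added example (not code from the post above or from the JWT Authentication for WP-API plugin): the client side of the flow just described in Python, plus an offline check of what the API side must do with the token. It assumes the plugin's token endpoint is `POST /wp-json/jwt-auth/v1/token` taking JSON `username`/`password` and returning `{"token": ...}`, and that tokens are HS256-signed with `JWT_AUTH_SECRET_KEY` and carry `iat`/`nbf`/`exp` claims; the claim layout in `mint_token` is an assumption used only so `verify_token` can be exercised without a live site. The base URL, user id and secret are placeholders.

```python
"""Client helpers for the WP-API JWT flow. Added example; assumptions are noted inline."""
import base64
import hashlib
import hmac
import json
import time
import urllib.request

TOKEN_ROUTE = "/wp-json/jwt-auth/v1/token"  # assumed plugin endpoint; check the plugin README


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def request_token(base_url: str, username: str, password: str) -> str:
    """Trade the WP username/password for a token (network call to the accessed site).
    This is the step that requires the calling app to hold the WP credentials."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + TOKEN_ROUTE, data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


def bearer_headers(token: str) -> dict:
    """The header every later REST request must carry; the .htaccess rules above exist
    so that Apache passes it through to PHP."""
    return {"Authorization": "Bearer " + token}


def call_api(base_url: str, token: str, route: str, payload=None):
    """GET a REST route (or POST it when payload is given) with the bearer token."""
    headers = bearer_headers(token)
    data = None
    if payload is not None:
        data = json.dumps(payload).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(base_url.rstrip("/") + route, data=data, headers=headers,
                                 method="POST" if data else "GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def mint_token(secret: str, user_id: int, issuer: str, lifetime_s: int, now=None) -> str:
    """Build an HS256 token with the claim layout the plugin is assumed to use.
    Only here so the verifier can be tested offline. Because HS256 is symmetric,
    anyone holding JWT_AUTH_SECRET_KEY can do exactly this for any user id, which is
    why 'your-top-secret-key' must be replaced with a long random value."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": issuer, "iat": now, "nbf": now, "exp": now + lifetime_s,
              "data": {"user": {"id": user_id}}}
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: str, now=None) -> dict:
    """Validate signature, nbf and exp; raise ValueError on any failure.
    The 'timeout' the post mentions is the exp claim checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":           # refuse alg=none and algorithm swaps
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Offline round trip with placeholder values (no WordPress site needed).
    tok = mint_token("replace-with-a-long-random-secret", 1, "https://example.invalid", 3600)
    print(bearer_headers(tok))
    print(verify_token(tok, "replace-with-a-long-random-secret"))
```

In practice you would call `request_token` once, keep the token for its lifetime, and pass `bearer_headers(token)` on every REST call; `verify_token` is what the plugin does for you on the accessed site, included here so you can see what a wrong secret or an expired token looks like before wiring it up in Postman.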