• Resolved bassimbg

    (@bassimbg)


    Hello,

I have a WordPress site with WooCommerce, but when any customer user (not an admin) accesses https://mysite.com/wp-json/wc/v3/orders they can see all orders of other customers. It is not secure for customers to see other customers' orders.

How do I secure my site and prevent anyone from fetching orders or products using the URL above or Postman?

Please note that I am using a mobile app and Basic Authentication.

    Thank you,

Viewing 4 replies - 1 through 4 (of 4 total)
  • Mirko P.

    (@rainfallnixfig)

    Hi @bassimbg,

The endpoint wp-json/wc/v3/orders with a GET request retrieves a list of all orders on your site, but we would not expect this to be accessible to all users, since it requires authentication using the REST API Consumer Key as the username and the REST API Consumer Secret as the password.

I would suggest revoking the current keys and generating new API keys. This section explains how it can be done.

    https://woocommerce.com/document/woocommerce-rest-api/#section-2

If you're authenticating over HTTP, use OAuth 1.0a "one-legged" authentication instead of Basic Auth to ensure REST API credentials cannot be intercepted by an attacker. There are more details on authentication methods here:

    https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication
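
The two authentication methods the reply above describes, as an added example that is not part of the thread and not WooCommerce's own code: the Basic Auth header (consumer key as username, consumer secret as password, HTTPS only) and a one-legged OAuth 1.0a signer next to the server-side check that WooCommerce performs on it. The consumer key and secret are made up; the timestamp and nonce are fixed so the output is reproducible; the signing key is assumed to be the consumer secret followed by "&" (what WooCommerce's WC_REST_Authentication uses; older releases used the bare secret, so check your version); the 15-minute timestamp window and the in-memory nonce store stand in for what WooCommerce keeps per API key.

```python
"""One-legged OAuth 1.0a and Basic Auth for the WooCommerce REST API.

Added example, not code from the thread or from WooCommerce. Assumptions:
fake credentials below, signing key = consumer_secret + "&", a 15-minute
timestamp window, and an in-memory nonce store instead of user meta.
"""
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import quote, urlencode

# Constructed, fake credentials for this example only.
CONSUMER_KEY = "ck_0123456789abcdef0123456789abcdef01234567"
CONSUMER_SECRET = "cs_fedcba9876543210fedcba9876543210fedcba98"

TIMESTAMP_WINDOW = 15 * 60  # assumed window: requests older/newer than this are rejected
_HASHES = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
_seen_nonces = set()  # (consumer_key, nonce) pairs already accepted; replay guard


def percent_encode(value) -> str:
    """RFC 3986 encoding (PHP rawurlencode): only unreserved characters untouched."""
    return quote(str(value), safe="-._~")


def basic_auth_header(key: str, secret: str) -> dict:
    """Basic Auth: key as username, secret as password. base64 is encoding,
    not encryption, so this header only travels safely over HTTPS."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(URL without query) & enc(k)%3Denc(v)%26enc(k)%3Denc(v)...
    Keys and values are encoded once, sorted by key, and joined with the
    encoded '=' and '&', which is how the server rebuilds the string."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    param_string = "%26".join(f"{k}%3D{v}" for k, v in pairs)
    return f"{method.upper()}&{percent_encode(url)}&{param_string}"


def compute_signature(base_string: str, consumer_secret: str, sig_method: str) -> str:
    """HMAC over the base string, keyed with consumer_secret + '&' (there is
    no token secret in one-legged OAuth), base64-encoded."""
    key = (consumer_secret + "&").encode()
    digest = hmac.new(key, base_string.encode(), _HASHES[sig_method]).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query, consumer_key, consumer_secret,
                 sig_method="HMAC-SHA256", timestamp=None, nonce=None) -> dict:
    """Client side: the query parameters to send. The secret never leaves the
    client; only a signature over method, URL and parameters does."""
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": sig_method,
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": os.urandom(16).hex() if nonce is None else nonce,
    })
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = compute_signature(base, consumer_secret, sig_method)
    return params


def signed_url(url: str, params: dict) -> str:
    """Full GET URL; urlencode percent-encodes the '+', '/' and '=' in the signature."""
    return f"{url}?{urlencode(params)}"


def verify_request(method, url, params, consumer_secret, now=None) -> bool:
    """Server side: required fields, supported algorithm, fresh timestamp,
    unused nonce, then a constant-time comparison of the recomputed signature.
    The nonce is only recorded once the signature has been accepted."""
    required = ("oauth_consumer_key", "oauth_signature_method",
                "oauth_timestamp", "oauth_nonce", "oauth_signature")
    if any(field not in params for field in required):
        return False
    sig_method = params["oauth_signature_method"]
    if sig_method not in _HASHES:
        return False
    try:
        ts = int(params["oauth_timestamp"])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TIMESTAMP_WINDOW:
        return False  # stale or far-future request
    nonce_key = (params["oauth_consumer_key"], params["oauth_nonce"])
    if nonce_key in _seen_nonces:
        return False  # replay of a request that was already accepted
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = compute_signature(signature_base_string(method, url, unsigned),
                                 consumer_secret, sig_method)
    if not hmac.compare_digest(expected, params["oauth_signature"]):
        return False
    _seen_nonces.add(nonce_key)
    return True


if __name__ == "__main__":
    url = "https://mysite.com/wp-json/wc/v3/orders"
    signed = sign_request("GET", url, {"per_page": "5"}, CONSUMER_KEY, CONSUMER_SECRET)
    print(signed_url(url, signed))
    print(verify_request("GET", url, signed, CONSUMER_SECRET))  # first use: accepted
    print(verify_request("GET", url, signed, CONSUMER_SECRET))  # replay: rejected
```

Both mechanisms only establish who is calling; which orders that caller may read is a separate permission check inside the endpoint, so a correct signature does not by itself explain a customer seeing everyone's orders.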

    Thread Starter bassimbg

    (@bassimbg)

Hello, I am using the API as described in the links above. I created a consumer key and consumer secret with read or read/write permissions. How or where do I tell WooCommerce not to share data unless the request is authenticated? Right now I am using a third-party plugin, but this is not logical; it should be in the WooCommerce plugin.

It is hard to delete the keys because I am using a mobile app and I am afraid of losing communication.

WooCommerce must not provide data unless we use the consumer key and consumer secret ONLY.

    Thank you,

    Plugin Support Daniyal Ahmed (a11n)

    (@daniyalahmedk)

    Hi there,

    Thanks for getting back to us.

I just tried to replicate this issue on my end, and I can see the wp-json/wc/v3/orders endpoint isn't available without authentication.

It could be due to a third-party plugin or customization you have on the site. Can you please set up a staging website, deactivate all plugins except WooCommerce, switch to a default theme like Storefront, and see if you are able to replicate this issue?

    Let me know how it goes!

    Best,

    Plugin Support mouli a11n

    (@mouli)

It's been a while since we heard from you, so I'm marking this thread resolved. Hopefully you've been able to resolve this, but if you haven't, please open a new topic and we'll be happy to help out.

  • The topic ‘Secure API’ is closed to new replies.