• I am writing a WordPress plugin that uses the WP REST API. I put it on my site with HTTPS. Now if I enter a URL with WP REST API endpoints (for example https://…com/wp-json/paypal-payment/v1/accountid) into the browser, I get the desired value.
    Is it normal? Anyone can get this value.
    I found this section “Basic Authentication with Application Passwords” – but it seems to be for applications, not plugins.
    I want to know if it’s OK for anyone to enter the path to WP REST API endpoints and get the result?
    Of course, no one seems to know these endpoints, but everything is somehow strange.

    • This topic was modified 1 year, 6 months ago by vrpr.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter vrpr

    (@vrpr)

    Thanks for the answer. No, I did not know about permission_callback. I must read about it.

    Moderator bcworkz

    (@bcworkz)

    “it seems to be for applications, not plugins.”

    That’s the intention, but it’s not a requirement. Plugins can use app passwords as well if they need authentication for an API request. Plugins typically have access to all WP resources, so unlike apps, they needn’t use the API at all. However, API calls can sometimes be convenient despite access to alternatives.

    “it’s ok for anyone to enter the path to wp rest api endpoints and get the result?”

    It depends on what API data was requested. /paypal-payment/ is not a core API route, so managing access to data is up to the route’s developer. I’d think not anyone should be able to get payment data, but I did not develop the API route. It’s quite possibly an oversight you’d want to point out to the route’s developers.

    Generally speaking, we can use the ‘rest_pre_echo_response’ filter hook to remove data that we do not want in a public response. While effective, it’s kind of a “band-aid” solution. It’s better the data was never in the response to start with.
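
The two approaches mentioned in this thread, side by side, as an added example that is not part of any reply or of the plugin under discussion: a `permission_callback` on the route so the value never enters a public response, and the `rest_pre_echo_response` filter as the fallback for a route you cannot edit. The `myplugin_*` function names, the option name, the `account_id` field and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Added example. All myplugin_* names, the option key and the 'account_id'
// field are hypothetical; only the route path comes from the thread.

add_action( 'rest_api_init', function () {
    register_rest_route( 'paypal-payment/v1', '/accountid', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_get_account_id',
        // Runs before the callback. Anything other than true stops the
        // request, so the data is never placed in the response at all.
        'permission_callback' => 'myplugin_can_read_account_id',
    ) );
} );

function myplugin_can_read_account_id( WP_REST_Request $request ) {
    // Assumption: only administrators may read the value.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to read this value.', 'myplugin' ),
        // 401 for anonymous requests, 403 for logged-in users without the capability.
        array( 'status' => rest_authorization_required_code() )
    );
}

function myplugin_get_account_id( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'account_id' => get_option( 'myplugin_paypal_account_id', '' ),
    ) );
}

// Fallback for a route registered by code you cannot change: strip the field
// just before the response is sent. Redundant once the route above has its
// own permission_callback.
add_filter( 'rest_pre_echo_response', function ( $result, $server, $request ) {
    if ( is_array( $result )
        && 0 === strpos( $request->get_route(), '/paypal-payment/v1/' )
        && ! current_user_can( 'manage_options' ) ) {
        unset( $result['account_id'] );
    }
    return $result;
}, 10, 3 );
```

With the `permission_callback` in place, an unauthenticated browser request to the route receives a 401 error body instead of the value.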

    Thread Starter vrpr

    (@vrpr)

    Thanks for the answer. I am writing a plugin that will add a PayPal button on pages, therefore I think it is not good if anybody can get the data. I will try the filter.

  • The topic ‘WP rest api endpoints’ is closed to new replies.