Customizing WordPress REST API: A Complete Guide

WordPress REST API is a powerful feature that allows developers to interact with WordPress data using HTTP requests. It enables seamless integration with external applications, mobile apps, and custom front-end frameworks like React and Vue.js. In this guide, we will explore how the REST API works internally, how to create custom endpoints, and how to secure API requests with authentication.
How WordPress REST API Works Internally
WordPress REST API is built on top of standard HTTP methods (GET, POST, PUT, DELETE) and JSON responses. Internally, it consists of the following key components:
1. Routes and Endpoints
WordPress registers various default routes that correspond to built-in post types, users, comments, and other entities. These routes follow a standard structure:
/wp-json/wp/v2/{resource}
For example:
- GET /wp-json/wp/v2/posts - Fetches all posts
- GET /wp-json/wp/v2/users - Retrieves all users
- POST /wp-json/wp/v2/posts - Creates a new post (requires authentication)
2. Controller Classes
Each API endpoint is managed by a controller class. These classes handle:
- Request validation
- Data retrieval and formatting
- Authorization and capability checks
For example, WP_REST_Posts_Controller handles requests related to posts.
3. Schema and Data Formatting
WordPress REST API ensures consistent data structures using JSON Schema. It helps validate request parameters and structure API responses.
Creating Custom Endpoints in WordPress REST API
WordPress allows developers to register custom API endpoints using register_rest_route(). This is useful when you need to create custom data responses or extend WordPress functionality.
Step 1: Register a Custom Endpoint
To add a new REST API route, add the following code to your theme’s functions.php file or to a custom plugin:
    function register_custom_endpoint() {
        register_rest_route('custom/v1', '/data/', array(
            'methods' => 'GET',
            'callback' => 'custom_api_callback',
            'permission_callback' => '__return_true', // Change this for security
        ));
    }
    add_action('rest_api_init', 'register_custom_endpoint');

    function custom_api_callback() {
        return new WP_REST_Response(array(
            'message' => 'Hello, this is custom API data!',
        ), 200);
    }
Step 2: Testing the API Endpoint
Once registered, you can test your endpoint by visiting:
http://yoursite.com/wp-json/custom/v1/data/
You should receive a JSON response:
    {
        "message": "Hello, this is custom API data!"
    }
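The registration above leaves the route open to everyone through __return_true. As an added example (not code from the original article), here is the same pattern for a route that should not be public: the permission callback rejects anonymous and under-privileged callers before the main callback runs, and the one accepted parameter is validated and sanitized. The route /private-data, the per_page argument and the function names are hypothetical; the code is meant to sit in functions.php or a plugin like the snippet above.

```php
// Added example: a non-public route. Route and function names are hypothetical.
function register_private_endpoint() {
    register_rest_route('custom/v1', '/private-data', array(
        'methods'             => WP_REST_Server::READABLE, // GET
        'callback'            => 'private_api_callback',
        'permission_callback' => 'private_api_permission_check',
        'args'                => array(
            'per_page' => array(
                'default'           => 5,
                // Reject anything outside 1..20 before the callback runs.
                'validate_callback' => function ($param) {
                    return is_numeric($param) && $param >= 1 && $param <= 20;
                },
                // Cast the accepted value to a non-negative integer.
                'sanitize_callback' => 'absint',
            ),
        ),
    ));
}
add_action('rest_api_init', 'register_private_endpoint');

// Runs before the callback. Returning a WP_Error stops the request
// with the given HTTP status instead of executing the callback.
function private_api_permission_check(WP_REST_Request $request) {
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'Authentication required.', array('status' => 401));
    }
    if (!current_user_can('edit_posts')) {
        return new WP_Error('rest_forbidden', 'You cannot view this data.', array('status' => 403));
    }
    return true;
}

// Lists the caller's own drafts, exposing only the fields a client needs
// rather than whole WP_Post objects.
function private_api_callback(WP_REST_Request $request) {
    $drafts = get_posts(array(
        'post_status' => 'draft',
        'author'      => get_current_user_id(),
        'numberposts' => $request['per_page'],
    ));
    $items = array();
    foreach ($drafts as $draft) {
        $items[] = array('id' => $draft->ID, 'title' => get_the_title($draft));
    }
    return rest_ensure_response($items);
}
```

Called without credentials, this route answers 401; with an account that lacks the edit_posts capability it answers 403.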
Step 3: Adding Parameters and Dynamic Routes
You can allow parameters in your custom API route. Here’s an example of an endpoint that retrieves post details by ID:
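    function custom_post_endpoint($request) {
        $post_id = (int) $request['id'];
        $post = get_post($post_id);
        // This route is public, so treat drafts, private posts and
        // password-protected posts as missing instead of returning them.
        // is_post_publicly_viewable() needs WordPress 5.7 or later.
        if (empty($post) || !is_post_publicly_viewable($post) || !empty($post->post_password)) {
            return new WP_Error('no_post', 'Invalid Post ID', array('status' => 404));
        }
        return rest_ensure_response($post);
    }

    function register_custom_post_endpoint() {
        register_rest_route('custom/v1', '/post/(?P<id>\d+)', array(
            'methods' => 'GET',
            'callback' => 'custom_post_endpoint',
            // WordPress 5.5+ logs a notice when permission_callback is omitted.
            // The route stays public; the callback limits what it returns.
            'permission_callback' => '__return_true',
            'args' => array(
                'id' => array(
                    'validate_callback' => function($param) {
                        return is_numeric($param);
                    }
                )
            )
        ));
    }
    add_action('rest_api_init', 'register_custom_post_endpoint');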
Now, requesting /wp-json/custom/v1/post/1 will return post data for the given ID.
Securing REST API Requests with Authentication
Since the REST API exposes WordPress data, security is crucial. WordPress provides multiple authentication methods:
1. Cookie-Based Authentication (For Logged-in Users)
- When logged into WordPress, API requests inherit the user’s permissions automatically.
- Best for internal requests within the same WordPress installation.
2. Application Passwords (Recommended)
- WordPress supports application passwords for authenticating REST API requests.
- To enable, go to Users > Your Profile > Application Passwords.
- Use Basic Auth with username and application password.
Example API request:
curl -u username:application_password -X GET "https://yoursite.com/wp-json/wp/v2/posts"
3. JWT (JSON Web Token) Authentication
JWT provides a secure way to authenticate API requests. Steps to implement:
Step 1: Install JWT Authentication Plugin
You need a plugin like JWT Authentication for WP REST API.
Step 2: Configure JWT in wp-config.php
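    // Replace the placeholder with a long, random value and keep it private:
    // anyone who knows this key can sign tokens the site will accept.
    define('JWT_AUTH_SECRET_KEY', 'your_secret_key_here');
    define('JWT_AUTH_CORS_ENABLE', true);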
Step 3: Generate JWT Token
Make a POST request to get the token:
curl -X POST -d "username=admin&password=yourpassword" "https://yoursite.com/wp-json/jwt-auth/v1/token"
Response:
    {
        "token": "your_generated_token_here"
    }
Step 4: Authenticate API Requests with Token
Use the generated token in requests:
curl -X GET -H "Authorization: Bearer your_generated_token_here" "https://yoursite.com/wp-json/wp/v2/posts"
This way, API requests are authenticated with the token, and the username and password are sent only once, when the token is requested.


