apply_filters( 'rest_authentication_errors', WP_Error|null|true $errors )

Filters REST API authentication errors.


This is used to pass a WP_Error from an authentication method back to the API.

Authentication methods should check first if they’re being used, as multiple authentication methods can be enabled on a site (cookies, HTTP basic auth, OAuth). If the authentication method hooked in is not actually being attempted, null should be returned to indicate another authentication method should check instead. Similarly, callbacks should ensure the value is null before checking for errors.

A WP_Error instance can be returned if an error occurs, and this should match the format used by API methods internally (that is, the status data should be used). A callback can return true to indicate that the authentication method was used, and it succeeded.
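
A callback that follows this contract, as an added example (not WordPress core code): it checks a hypothetical `X-Example-Token` header against a SHA-256 hash stored in a hypothetical `wpdocs_example_token_hash` option. The function name, text domain and error code are illustrative as well.

```php
<?php
// Added example. Header, option, function and error-code names are hypothetical.
add_filter( 'rest_authentication_errors', 'wpdocs_example_token_auth' );

function wpdocs_example_token_auth( $errors ) {
	// An earlier callback already decided (true or WP_Error): pass its result through untouched.
	if ( null !== $errors ) {
		return $errors;
	}

	// This method is not being attempted on this request: return null so
	// that another authentication method can check instead.
	if ( empty( $_SERVER['HTTP_X_EXAMPLE_TOKEN'] ) ) {
		return null;
	}

	// WordPress adds slashes to $_SERVER, so unslash before hashing.
	$presented = hash( 'sha256', (string) wp_unslash( $_SERVER['HTTP_X_EXAMPLE_TOKEN'] ) );
	$expected  = (string) get_option( 'wpdocs_example_token_hash', '' );

	// Fail closed when no token is configured; compare in constant time.
	if ( '' === $expected || ! hash_equals( $expected, $presented ) ) {
		// Same shape the API uses internally: HTTP status in the error data.
		return new WP_Error(
			'wpdocs_example_invalid_token',
			__( 'Invalid API token.', 'wpdocs-example' ),
			array( 'status' => 401 )
		);
	}

	// The method was used and it succeeded. This only reports the outcome;
	// it does not set the current user, so endpoint permission callbacks
	// still decide what the request may do.
	return true;
}
```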


$errors (WP_Error|null|true): WP_Error if authentication error, null if authentication method wasn’t used, true if authentication succeeded.


return apply_filters( 'rest_authentication_errors', null );



User Contributed Notes


    I needed to use this hook to fix a nonce expiration bug.

    My plugin uses the WP REST API to fetch data on the front-end. A longstanding issue has been that other caching plugins could sometimes cache this nonce, throwing a 403 error for my users.

    I used this solution:

    public function wpdocs_sanitize_nonce( $errors ) {
        // Bail if rest_route isn't defined (shouldn't happen!)
        if ( empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
            return $errors;
        }

        $route = ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' );

        // Ensure we're dealing with our REST request only
        if ( strpos( $route, 'shopwp/v1' ) !== 0 ) {
            return $errors;
        }

        if ( ! empty( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
            $nonce = $_SERVER['HTTP_X_WP_NONCE'];

            if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
                // Nonce check failed, so create a new one.
                $_SERVER['HTTP_X_WP_NONCE'] = wp_create_nonce( 'wp_rest' );
            }
        }

        return $errors;
    }
