This document details changes to the WP REST API since its public release in version 4.7.0.

Version 5.6

  • Introduce Application Passwords for API authentication. r49109
  • Introduce Batch Requests. r49252
  • Support a route-level validation callback. r48945
  • Move Site Health async tests to the REST API. r49154
  • Add a hook to fire once a post, its terms and meta update. r49172
  • Introduce search term handler. r49103
  • Introduce search post format handler. r49132
  • Allow for string ids in the search controller. r49088
  • Support a broader range of JSON media types. r49329
  • Support the multipleOf JSON Schema keyword. r49063
  • Support the minProperties and maxProperties JSON Schema keywords. r49053
  • Support the patternProperties JSON Schema keyword. r49082
  • Support the anyOf and oneOf JSON Schema keywords. r49246
  • Make sure all supported JSON Schema keywords are output in the index. r49257
  • Add HTTP/1.1 emulation to wp.apiRequest. r49133
  • Include a JSON Accept header in wp.apiRequest. r49716
  • Don’t validate the post status if it hasn’t changed. r49302
  • Support generating comment up links to custom posts controllers. r49299

Version 5.5

  • Introduce Block Types endpoint. r48173
  • Introduce Plugins and Block Directory endpoints. r48242
  • Introduce Image Editor endpoint. r48291
  • Add additional fields to the Themes endpoint. r47921
  • Introduce register_theme_feature() API for use in the Themes endpoint. r48171
  • Allow POST requests to the Block Renderer endpoint. r47756
  • Register only a single Block Renderer endpoint shared by all block types. r48069
  • Add support for classic embeds to the oEmbed endpoint. r48135
  • Link to the REST route for the currently queried resource. r48273
  • Introduce support for default metadata values. r48402
  • Add the Link header to the list of exposed cors headers. 48112
  • Add Content-Disposition, Content-MD5 and X-WP-Nonce as allowed cors headers. r48452
  • Improve multi-type JSON Schema support. r48306
  • Only validate the format keyword if the type is a string. r48300
  • Support the uuid JSON Schema format. 47753
  • Support the hex-color JSON Schema format. r47450
  • Support the pattern JSON Schema keyword. r47810
  • Support the minItems, maxItems, and uniqueItems JSON Schema keywords. r47923 r48357
  • Support the minLength and maxLength JSON Schema keywords. r47627
  • Check required properties are provided when validating an object. r47809
  • Support more JSON Schemas when filtering a response by context. r47758
  • Handle parameter types consistently within WP_REST_Request::set_param(). r47559
  • Deprecate back-filling of the HTTP_RAW_POST_DATA global variable. r47926
  • Issue a _doing_it_wrong when registering a route without a permission_callback. r48526
  • Issue a _doing_it_wrong when using the wp_send_json() family of functions during a REST API request. r48361
  • Ensure rest_ensure_response() upgrades WP_HTTP_Response to WP_REST_Response. r47849
  • Only force the main query to be is_home() during a REST API request. r48053
  • Ensure all keywords supported by the JSON Schema validator are permitted by WP_REST_Controller::get_endpoint_args_for_item_schema(). r47911
  • Ensure deprecation notices are triggered when preloading REST API data. r48150
  • See REST API changes in WordPress 5.5 for further commentary.

Version 5.4

  • Introduce selective link embedding. r47224
  • Fix PHP warning in the comments controller if the commented-upon post type does not exist. [r47036](]
  • Add _doing_it_wrong warning when registering an “array” setting without an items schema. r47325
  • Correctly infer empty objects passed via query parameters. r47362
  • Add a “tax_relation” parameter to the posts collection. r46646
  • Allow meta to be set when creating a new media record via REST. r47261
  • Permit access to the themes controller if the user can edit any post type. r47361.
  • Add support for the REDIRECT_HTTP_AUTHORIZATION header. r47239
  • Add support for filtering the posts controller’s schema. r47265
  • Add _doing_it_wrong warning if a taxonomy’s specified rest_base is already in use by a different resource. r47037
  • Improve routing performance by matching REST API routes on namespace before performing regex checks. r47260
  • Don’t assume all item schemas have properties. r47328
  • Imrove performance by reusing previously-generated embedded objects when building collection response. r47138
  • List all core theme feature support details in /themes endpoint response. r47258
  • Fix links format in OPTIONS requests for non-variable routes. r47326
  • Apply all relevant block rendering filters when rendering block previews. r47360

Version 5.3

  • Cache results of get_item_schema on controller instances for performance. r45811
  • Permit embedding of the self link relation in the search endpoint. r46434
  • Pass null as the post date property to reset post to initial “floating” date value. r46249
  • Prevent deletion of post revisions. r45812
  • Do not send response body if status is 204 or body is null. r45809
  • Support object and array types in register_meta() schemas. r45807
  • Support dot.nested hierarchical properties in _fields query parameter. r46184
  • Return term resources in edit context after PUT or POST request. r46098
  • Introduce date_floating property on status endpoint response objects. r46252

Version 5.2

  • Fix undefined property notice when setting parent term to 0. r44965
  • Remove unused validate_user_can_query_private_statuses() attachments controller method. r44934
  • Ensure “Allow” header is returned for OPTIONS requests. r44933
  • Always pass query arguments through urlencode_deep() in get_items() methods to ensure they are encoded correctly. r45267

Version 5.1

  • Introduce rest_post_search_query filter to allow query arguments to be manipulated for a post search query. r44482
  • Allow changing of letter casing in user email addresses. r44641
  • Trigger a _doing_it_wrong() warning if register_rest_route() is called before the rest_api_init hook. r44568

Version 5.0

  • New Routes & Endpoints
    • Introduce wp/v2/search route implementing a new WP_REST_Search_Controller. Search types are handled by extending WP_REST_Search_Handler, and the active search type may be filtered using the wp_rest_search_handlers filter. #39965
    • Introduce wp/v2/blocks route to retrieve individual reusable blocks. Requires authentication. #45098
    • Introduce autosaves endpoints for all post types except attachment. Autosaves endpoints utilize the new WP_REST_Autosaves_Controller class, and saves only the id, title, post_content and excerpt for a post. Autosaves are enabled even for post types which do not support revisions. Requires authentication. #43316
    • Introduce wp/v2/block-renderer/<name> routes to return dynamically generated markup for server-rendered blocks. The name component of the URL is structured as namespace/block-id, e.g. core/archives. Requires authentication. #45098
    • Introduce wp/v2/themes endpoint to expose supported theme features to the block editor. This endpoint only returns data for the active theme. Requires authentication. #45016
    • Introduce wp/v2/types/wp_block endpoint to expose block labels and capabilities relating to the new hidden post type wp_block. #45098
  • Additional Changes
    • Custom taxonomies must specify show_in_rest as true to be visible in the block editor.
    • Introduce wp_is_json_request() function to detemine if request is expecting a JSON response, and contextually silence PHP warnings if so. r43730
    • Requests to public, viewable post types specifying the edit context now return two additional properties, permalink_temlate and generated_slug. r43720
    • Respect the ?_fields= filter when applying custom post properties with register_rest_field. r43736
    • Permit users with read_private_posts capability to query for private posts. r43694
    • Declare the unfiltered_html capability using JSON Hyper Schema targetSchema. r43682
    • Introduce block_version property on the post object to denote the presence and version of blocks within the post. r43770
    • Add new rest_after_* action hooks that fire after all write operations have completed. r42864
  • See The REST API in WordPress 5.0 for further commentary.

Version 4.9.8

  • Introduce ?_fields= global query parameter to limit the properties included in response objects to a specified subset. #38131
  • Add an object_subtype argument to the $args parameter for register_meta(): this parameter allows developers to specify the object subtypes (i.e. specific post types or taxonomies) for which the registered meta will appear when show_in_rest is true. Introduce new wrapper methods register_post_meta() and register_term_meta() which are recommended instead of register_meta when working with post or term meta. r43378

Version 4.8.1

  • Add a filter to allow modifying the response after embedded data is added. r41093
  • wp-api.js client: Correctly interpret settings resource as a model rather than a collection. r41126
  • Fix PUT (and other) requests for nginx servers by tweaking REST API URLs. r41140

Version 4.8.0

  • Improve strings added after 4.7.0 string freeze. r40571, r40606
  • Canonicalize header names in WP_REST_Request::remove_header(). r40577
  • Allow Origin: null from file: URLs. r40600
  • Set global $post variable when preparing revisions. r40601
  • Include featured_media in embed responses. r40602
  • Add author, modified, and parent sort order options for posts. r40605
  • Add endpoint for proxying requests to external oEmbed providers, and use it in the media modal instead of the parse-embed AJAX action.  This is the first usage of the WP REST API in wp-admin. r40628
  • Do not set X-WP-Deprecated* headers as often. r40782
  • Avoid sending blank Last-Modified headers with authenticated requests. r40805
  • Fix changing parameters with $request->set_param() for some requests. r40815
  • In the admin area, ensure the REST API endpoint URL is forced to https when necessary. r40843

Version 4.7.4

  • Fix another (DST-related) issue with dates of posts. r40325
  • Add gmt_offset and timezone_string to the base /wp-json response. r40336
  • Confirm that the parent post object of an attachment exists in WP_REST_Posts_Controller::check_read_permission(). r40337
  • Allow fetching multiple users and terms at once via the slug parameters of the respective endpoints. r40426, r40427

Version 4.7.3

  • Cast revision author ID to int. r40078
  • Correctly serve the index with PATH_INFO. r40079
  • Include the status property in view context responses from the Posts endpoints. r40081
  • wp-api.js client: Use _.extend instead of _.union when merging objects. r40084
  • To prepare for a full multisite implementation in 4.8, do not allow access to users from a different site. r40111
  • Correctly parse body parameters for DELETE requests. r40113
  • Fix multiple issues with dates of posts and comments. r40114, r40115
  • wp-api.js client: Fix route discovery for custom namespaces. r40117
  • Fix the behavior of the sticky posts filter when no posts are sticky. r40136
  • Allow setting all post formats even if they are not supported by the theme. r40137

Version 4.7.2

  • Unify object access handling for simplicity. r39957

Version 4.7.1

  • Treat any falsy value as false in 'rest_allow_anonymous_comments'. r39566
  • wp-api.js client: Fix setup of models used by wp.api.collections objects. r39604
  • Do not error on empty JSON body. r39609
  • Do not include the password argument for the GET /wp/v2/media endpoint. r39610
  • Allow sending empty or no-op comment updates. r39628
  • Add support for filename search in the GET /wp/v2/media endpoint. r39629
  • Fix PHP warnings when get_theme_support( 'post-formats' ) is not an array. r39630
  • Improve the rest_*_collection_params filter docs and fix the terms filter. r39631
  • Allow schema sanitization_callback to be set to null to bypass built-in sanitization. r39642
  • Change which users are shown in the users endpoint. r39844