Title: Authentication
Author: Drew Jaynes
Published: November 8, 2016
Last modified: June 4, 2025

---

# Authentication


## Cookie Authentication

Cookie authentication is the standard authentication method included with WordPress.
When you log in to your dashboard, this sets up the cookies correctly for you, so
plugin and theme developers need only to have a logged-in user.

However, the REST API includes a technique called [nonces](https://developer.wordpress.org/apis/security/nonces/)
to avoid [CSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) issues.
This prevents other sites from forcing you to perform actions without explicitly
intending to do so. This requires slightly special handling for the API.

For developers using the built-in JavaScript API, this is handled automatically
for you. This is the recommended way to use the API for plugins and themes. Custom
data models can extend `wp.api.models.Base` to ensure the nonce is sent correctly for
any custom requests.

For developers making manual Ajax requests, the nonce will need to be passed with
each request. The API uses nonces with the action set to `wp_rest`. These can then
be passed to the API via the `_wpnonce` data parameter (either POST data or in the
query for GET requests), or via the `X-WP-Nonce` header. If no nonce is provided
the API will set the current user to 0, turning the request into an **unauthenticated
request**, even if you’re logged into WordPress.

Note: Until recently, most software had spotty support for `DELETE` requests. For
instance, PHP doesn’t transform the request body of a `DELETE` request into a super
global. As such, supplying the nonce as a header is the most reliable approach.

It is important to keep in mind that this authentication method relies on WordPress
cookies. As a result this method is only applicable when the REST API is used inside
of WordPress and the current user is logged in. In addition, the current user must
have the appropriate capability to perform the action being performed.

As an example, this is how the built-in JavaScript client creates the nonce:

```php
<?php
wp_localize_script( 'wp-api', 'wpApiSettings', array(
    'root' => esc_url_raw( rest_url() ),
    'nonce' => wp_create_nonce( 'wp_rest' )
) );
```

This is then used in the base model:

```javascript
options.beforeSend = function(xhr) {
    xhr.setRequestHeader('X-WP-Nonce', wpApiSettings.nonce);

    if (beforeSend) {
        return beforeSend.apply(this, arguments);
    }
};
```

Here is an example of editing the title of a post, using jQuery AJAX:

```javascript
$.ajax( {
    url: wpApiSettings.root + 'wp/v2/posts/1',
    method: 'POST',
    beforeSend: function ( xhr ) {
        xhr.setRequestHeader( 'X-WP-Nonce', wpApiSettings.nonce );
    },
    data:{
        'title' : 'Hello Moon'
    }
} ).done( function ( response ) {
    console.log( response );
} );
```

Note that you do not need to verify that the nonce is valid inside your custom
endpoint. This is automatically done for you in `rest_cookie_check_errors()`.

## Basic Authentication with Application Passwords

As of 5.6, WordPress has shipped with [Application Passwords](https://make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/),
which can be generated from an Edit User page (wp-admin -> Users -> Edit User).

The credentials can be passed along to REST API requests served over https:// using
[Basic Auth](https://ec.haxx.se/libcurl-http/auth.html#basic) / [RFC 7617](https://tools.ietf.org/html/rfc7617)—
[here’s the documentation for how to use it with cURL](https://ec.haxx.se/http/auth.html).

For a simple command-line script example, just swap out USERNAME, PASSWORD, and
HOSTNAME in this command with their respective values:

```bash
curl --user "USERNAME:PASSWORD" https://HOSTNAME/wp-json/wp/v2/users?context=edit
```

## Authentication Plugins

Plugins may be added to support alternative modes of authentication that will work
from remote applications. Some example plugins are [OAuth 1.0a Server](https://wordpress.org/plugins/rest-api-oauth1/)
and [JSON Web Tokens](https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/).

There’s also a [Basic Authentication](https://github.com/WP-API/Basic-Auth) plugin.

Note that this plugin requires sending your username and password with every request,
so it should only be used for development and testing, not in a production environment.
Using Application Passwords (see above) is preferred.
