ClassicPress PetitionsClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

REST-API authentication option

September 7, 2018 · 15:13 · Dora D.

Add option to expose REST-API only to authenticated users, maybe limited to a certain capability.

+55 more
Difficulty: Easy
Request: Modify feature

Like I have already suggested with a REST API security key.

Daniele Scasciafratte

There is the OAUth official plugin for rest api that wasn't integrate because require a new version of php. So maybe when we will do that bump we can have that integration.

David Shanske

I have written an IndieAuth, which is an OAuth variant plugin for WordPress. Would you consider that? It is also not written with a higher version requirement.


I read a blog or comment somewhere about how disabling non-auth access to the REST API prevented a plugin from working properly which, in turn, led to a debugging nightmare for the site owner. Maybe Contact Form 7...can't recall for sure... but this might be a consideration.

James Nylen

Thanks John, this is a good example of the kind of thing we'd need to investigate & understand before doing this.

Antti Koskinen

John is right, Contact Form 7 breaks if you disable the REST-API. It was a real headache to figure it out when I first encountered the problem. On the (WP) sites where REST-API is not neede I usually use "Disable REST API" plugin, which also provides a handy whitelisting feature to for example make CF7 work again.

Brett VanSprewenburg

Which API end point needs to be whitelist re-enabled for CF7? I am asking in case I run across this situation in the future. Thanks.

Antti Koskinen

Brett, I haven't looked at the "Disable REST API" plugin's code and how it handles the whitelisting so I'm afraid I don't know that. The plugin's whitelisting feature is just a settings page with a list of every plugin using the REST-API. You can then just tick the checkboxes for the plugins that should be able to access the API.


If you are developing a site that is not using the REST API, is it better to disable rest api for security or performance?