Connecting your WordPress site to external applications has never been easier—and it all starts with the WordPress REST API. Whether you’re building a mobile app, integrating with third-party services, or creating a custom dashboard, understanding how to access and authenticate with WordPress REST API is essential.
Here’s the good news: WordPress REST API is built right into WordPress (version 4.7+), so you already have it. But securing it properly? That’s where API keys and authentication come in.
What You Need to Know First
The WordPress REST API doesn’t hand out standalone “API keys” the way many platforms do. Out of the box it authenticates in two ways: a cookie plus nonce for JavaScript running inside a logged-in WordPress session, and application passwords (sent with HTTP Basic Authentication) for external clients. Plugins add token-based schemes such as JWT and OAuth on top. Two things to keep in mind before you choose: the API is readable without any authentication (published posts, pages, media and the /wp/v2/users list of authors are public by default), so authentication is about write access and private data, not about hiding the API; and whichever method you pick, the credential inherits every capability of the WordPress user it belongs to.
Method 1: Application Passwords (The Official Way)
Best for: WordPress 5.6+ users who want the native, secure solution
Step-by-Step Setup
1. Access Your User Profile
- Log into your WordPress dashboard
- Navigate to Users → Profile (or Users → All Users and select your user)
- Scroll down to the “Application Passwords” section
2. Create Your Application Password
- In the “New Application Password Name” field, enter a descriptive name (like “Mobile App” or “CRM Integration”)
- Click Add New Application Password
- WordPress generates a unique password immediately
3. Save Your Credentials Securely
- Copy the generated password right away—you won’t see it again!
- Store it in a password manager or secure location
- You’ll use your WordPress username + this application password for authentication
How to Use It
When making REST API requests, send the credentials with HTTP Basic Authentication (an Authorization: Basic header carrying base64(username:password), which curl’s --user option and most HTTP libraries build for you):
- Username: Your WordPress username (the account’s email address is accepted as well)
- Password: The application password you just created
- Endpoint: https://yoursite.com/wp-json/wp/v2/ (for example https://yoursite.com/wp-json/wp/v2/posts)
Pro Tip: WordPress only offers Application Passwords when the site is served over HTTPS (the one exception is a local development environment, with WP_ENVIRONMENT_TYPE set to local), so make sure a valid TLS certificate is installed. Because the password travels in every request as a Basic Authentication header, HTTPS is what keeps it from being read off the wire.
Method 2: JWT Authentication Plugin (For Developers)
Best for: Custom applications requiring token-based authentication
Why Choose JWT?
JSON Web Tokens (JWT) offer stateless authentication: instead of sending the username and password with every request, you exchange them once for a signed token and present that token (as an Authorization: Bearer header) until it expires. The caveat is that a bearer token is as good as the credentials that produced it, and because nothing is stored server-side, an individual token cannot be revoked; the signing secret you configure below is the only thing standing between an attacker and a valid token for any user.
Quick Setup
1. Install the Plugin
- Download JWT Authentication for WP REST API
- Upload and activate via Plugins → Add New
2. Configure Your .htaccess. Apache running PHP as CGI or FastCGI drops the Authorization header before PHP ever sees it, so add these lines to pass it through as an environment variable (the same rule also fixes silently failing application-password requests on such hosts):
```apache
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
```
3. Add Secret Key to wp-config.php
```php
// Use a long random value (the WordPress salt generator is a good source) and keep
// wp-config.php out of version control: anyone who knows this key can sign tokens for any user.
define('JWT_AUTH_SECRET_KEY', 'your-secret-key-here');
// Only enable CORS if browser-based clients on other origins need to call the API.
define('JWT_AUTH_CORS_ENABLE', true);
```
4. Get Your Token. POST a JSON body {"username": "...", "password": "..."} (the user’s WordPress password) to /wp-json/jwt-auth/v1/token. The response contains a token field; send it on later requests as Authorization: Bearer <token>. The plugin also exposes POST /wp-json/jwt-auth/v1/token/validate for checking a token. Tokens are valid for seven days by default (adjustable with the jwt_auth_expire filter), and since validation is stateless there is no server-side revocation: a leaked token is usable until it expires or you change JWT_AUTH_SECRET_KEY, which invalidates every outstanding token at once.
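To make the plugin’s trust model concrete, here is an added example (not code from the original page or from the plugin) that mints and verifies a token with the same HS256 construction and the claim layout the plugin issues (iss, iat, nbf, exp and data.user.id). The claim layout, the site URL, the seven-day lifetime and the secret are assumptions for the demo. It shows that the secret alone lets anyone forge a token for any user ID, that an expired or tampered token fails, and how a consuming service should pin the algorithm and check the signature before reading any claim.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real JWT_AUTH_SECRET_KEY must be long,
# random (e.g. from the WordPress salt generator) and kept out of version control.
SECRET_KEY = "example-only-secret-do-not-use"
SITE_URL = "https://yoursite.com"
DEFAULT_LIFETIME = 7 * 24 * 3600  # assumed default lifetime (the plugin filters it via jwt_auth_expire)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: int, secret: str, issued_at: int, lifetime: int = DEFAULT_LIFETIME) -> str:
    """Produce an HS256 token with the assumed plugin claim layout. Anyone holding the
    secret can do exactly this for any user ID, which is why the secret is the whole
    security of Method 2."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "iss": SITE_URL,
        "iat": issued_at,
        "nbf": issued_at,
        "exp": issued_at + lifetime,
        "data": {"user": {"id": user_id}},
    }
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(payload)}"
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, secret: str, now: int) -> dict:
    """Check a token the way a relying service should: pin the algorithm, verify the HMAC
    before trusting any claim, then check issuer and the time window.
    Returns {"ok": bool, "error": str | None, "payload": dict | None}."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "error": "malformed token", "payload": None}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm instead of honouring whatever the token claims: accepting
        # alg=none or an attacker-chosen algorithm is the classic JWT verification mistake.
        if header.get("alg") != "HS256":
            return {"ok": False, "error": "unexpected alg", "payload": None}
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return {"ok": False, "error": "bad signature", "payload": None}
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError) as exc:  # bad base64 or JSON
        return {"ok": False, "error": f"undecodable token: {exc}", "payload": None}
    if payload.get("iss") != SITE_URL:
        return {"ok": False, "error": "wrong issuer", "payload": None}
    if now < payload.get("nbf", 0) or now >= payload.get("exp", 0):
        return {"ok": False, "error": "outside nbf/exp window", "payload": None}
    return {"ok": True, "error": None, "payload": payload}


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying it. Debugging only, never for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_token(user_id=7, secret=SECRET_KEY, issued_at=issued)
    print("claims:", peek_claims(token))
    print("valid now:", verify_token(token, SECRET_KEY, issued + 60)["ok"])
    print("valid after 8 days:", verify_token(token, SECRET_KEY, issued + 8 * 86400)["ok"])
    print("valid with wrong secret:", verify_token(token, "other-secret", issued + 60)["ok"])
```

The takeaway for operators: rotating JWT_AUTH_SECRET_KEY is the only revocation lever, and a consumer that reads claims before checking the signature (or lets the token pick the algorithm) is trusting attacker-controlled data.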
Method 3: OAuth Authentication (Enterprise Grade)
Best for: Third-party integrations and public-facing applications
OAuth is the gold standard for secure API access. It’s the same technology used by Google, Facebook, and Twitter for their APIs.
Setup Process
1. Install OAuth Plugin
- Use WP OAuth Server or miniOrange OAuth Server
- Navigate to Settings → OAuth Server
2. Create Client Credentials
- Click “Add Client”
- Fill in your application name and redirect URI
- Save your Client ID and Client Secret
3. Configure Grant Types. Enable only the flows your clients actually need:
- Authorization Code (the right choice for web and mobile apps acting on behalf of a user; register an exact redirect URI, and use PKCE if the plugin supports it)
- Client Credentials (server-to-server access where the client acts as itself, with no end user involved)
- Password Grant (the client collects the user’s WordPress password directly; it is deprecated in the OAuth 2.0 Security Best Current Practice and dropped from the OAuth 2.1 draft, so reserve it for first-party applications you fully control, if you enable it at all)
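The Authorization Code flow as the client side sees it, as an added example that is not part of the original page or of either plugin: it generates a PKCE verifier/challenge pair (RFC 7636) and a state value, builds the authorization URL, validates the callback, and prepares the token request. The endpoint paths, client values and scope name are placeholders to be replaced with what the plugin’s settings page shows; whether the server enforces PKCE depends on the plugin, but sending it costs nothing and a server that supports it will reject a wrong verifier.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint paths: take the real ones from your OAuth server plugin's settings page.
AUTHORIZE_URL = "https://yoursite.com/oauth/authorize"
TOKEN_URL = "https://yoursite.com/oauth/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636: a random code_verifier and its S256 code_challenge. The verifier stays on
    the client; only the challenge goes into the authorization request, so an intercepted
    authorization code cannot be redeemed without the verifier."""
    verifier = verifier or _b64url(secrets.token_bytes(32))  # 43 URL-safe chars, inside the 43..128 range
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, code_challenge: str) -> str:
    """The URL the user's browser is sent to. redirect_uri must match the registered
    value exactly; state is an unguessable per-session value checked on return."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (code, None) on success or (None, reason) on failure. Never proceed on a
    state mismatch: that is how login-CSRF and code-injection attacks start."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        return None, f"authorization server error: {query['error'][0]}"
    if query.get("state", [None])[0] != expected_state:
        return None, "state mismatch"
    if "code" not in query:
        return None, "no code in callback"
    return query["code"][0], None


def build_token_request(client_id: str, client_secret: str, redirect_uri: str,
                        code: str, code_verifier: str) -> dict:
    """Form body for the back-channel POST to TOKEN_URL. Send it from your server over
    HTTPS; the client secret must never be shipped to a browser or mobile app."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url("my-client-id", "https://app.example/cb", "basic", state, challenge)
    print("send the user to:", url)
    # Constructed callback for the demo; in reality the browser arrives at redirect_uri with these params.
    code, err = parse_callback(f"https://app.example/cb?code=AUTHCODE123&state={state}", state)
    print("code:", code, "error:", err)
    print("token request body:",
          build_token_request("my-client-id", "my-client-secret", "https://app.example/cb", code, verifier))
```

The state and verifier belong to the session that started the flow; store them server-side (or in an HttpOnly cookie bound to that session) and discard them after one use.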
Testing Your API Access
Once you’ve set up authentication, test it immediately:
Using cURL (Command Line)
```bash
curl --user "username:application_password" https://yoursite.com/wp-json/wp/v2/posts
```
Using Postman (Visual Interface)
- Create a new GET request to https://yoursite.com/wp-json/wp/v2/posts
- Go to the Authorization tab
- Select “Basic Auth”
- Enter your credentials
- Click Send
Success looks like: a JSON response with your WordPress posts. One caveat: GET /wp/v2/posts returns published posts to anyone, so a 200 here does not prove your credentials were accepted. To confirm authentication, request /wp-json/wp/v2/users/me (a 401 with code rest_not_logged_in without valid credentials, your user object with them) or add ?context=edit to the posts request, which requires a logged-in user.
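A small test client covering Method 1 and this section, added here and not taken from the original page: it builds the same Basic Authorization header that curl --user does (stripping the spaces WordPress shows in the password), calls /wp/v2/users/me, which, unlike /wp/v2/posts, has no anonymous answer, and maps the error codes WordPress core returns to their usual causes. The site URL, user and password are placeholders, and the send parameter is injectable so the logic can be exercised offline with a canned response.

```python
import base64
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Tuple


def basic_auth_header(username: str, app_password: str) -> str:
    """Build the Authorization header curl --user produces. WordPress displays the
    application password in space-separated groups and ignores those spaces when
    checking it, so strip them here rather than relying on every client to do so."""
    cleaned = re.sub(r"\s+", "", app_password)
    return "Basic " + base64.b64encode(f"{username}:{cleaned}".encode()).decode()


def _urllib_send(url: str, headers: dict) -> Tuple[int, str]:
    """Default transport: one GET with urllib, returning (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def check_credentials(base_url: str, username: str, app_password: str,
                      send: Callable[[str, dict], Tuple[int, str]] = _urllib_send) -> dict:
    """Prove authentication worked by calling /wp/v2/users/me, which only answers for an
    authenticated user (GET /wp/v2/posts returns published posts to anyone, so a 200
    there proves nothing). `send` is injectable for offline testing."""
    url = base_url.rstrip("/") + "/wp-json/wp/v2/users/me"
    headers = {"Authorization": basic_auth_header(username, app_password),
               "Accept": "application/json"}
    status, body = send(url, headers)
    try:
        data = json.loads(body)
    except ValueError:
        return {"ok": False, "status": status,
                "reason": "non-JSON response (WAF, redirect or HTML error page?)"}
    if not isinstance(data, dict):
        data = {}
    if status == 200 and "id" in data:
        return {"ok": True, "status": status, "user_id": data["id"], "slug": data.get("slug")}
    # Error codes below are the ones WordPress core's application-password check emits.
    code = data.get("code", "")
    if code == "rest_not_logged_in":
        reason = ("no credentials reached WordPress: Authorization header stripped by the "
                  "web server (see the .htaccess rule in Method 2), or not sent")
    elif code in ("incorrect_password", "invalid_username", "invalid_email"):
        reason = "credentials rejected: wrong username/email or application password"
    elif code.startswith("application_passwords_disabled"):
        reason = "application passwords are disabled for this site or user"
    else:
        reason = f"unexpected error {code or status}: {data.get('message', '')}"
    return {"ok": False, "status": status, "reason": reason, "code": code}


if __name__ == "__main__":
    # Placeholders: replace with your site, user and the application password WordPress showed you.
    print(check_credentials("https://yoursite.com", "username", "abcd EFGH ijkl MNOP qrst UVWX"))
```

Run it once after creating the password; a rest_not_logged_in result with correct credentials points at the hosting layer, not at WordPress, and is the fastest way to tell the two apart.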
Security Best Practices You Can’t Ignore
✓ Always use HTTPS – Never send credentials over HTTP
✓ Limit permissions – An application password carries every capability of its user and cannot be scoped to particular endpoints, so create a dedicated user with the lowest role that does the job (Author or Editor rather than Administrator) and issue the password to that account
✓ Rotate credentials regularly – Change application passwords every 90 days
✓ Monitor API usage – The Application Passwords table on the profile page shows Last Used and Last IP for each password; for fuller auditing install a plugin like WP Activity Log to track API calls
✓ Revoke unused passwords – Delete application passwords you’re no longer using; each one can be revoked on its own without touching the account’s login password
Common Issues and Quick Fixes
“Authentication failed” errors?
- Either the login name or the account’s email address is accepted as the username; what matters is that the application password belongs to that account
- The displayed password contains spaces for readability; WordPress ignores them when checking, but some HTTP clients mangle them, so remove them to be safe
- Check which error you actually got: rest_not_logged_in means no credentials reached WordPress at all, usually because Apache running PHP as CGI/FastCGI stripped the Authorization header (the .htaccess rule in Method 2 fixes this), while incorrect_password means they arrived and were rejected
- Confirm your site is using HTTPS
Can’t find Application Passwords section?
- Update to WordPress 5.6 or higher
- Ensure your site uses HTTPS; WordPress hides the feature on plain HTTP unless the environment type is local
- Check if a security plugin is hiding it (plugins can switch the feature off through the wp_is_application_passwords_available filter)
Getting “REST API disabled” messages?
- Go to Settings → Permalinks and click Save (refreshes rewrite rules); with “Plain” permalinks, /wp-json/ does not exist and you must call https://yoursite.com/?rest_route=/wp/v2/posts instead
- Check if a security plugin has disabled the REST API or restricted it to logged-in users
- Verify your .htaccess file isn’t blocking API requests or stripping the Authorization header
What Can You Do With WordPress REST API?
The possibilities are endless once you have access:
- Create mobile apps that manage your WordPress content
- Build custom dashboards for clients or team members
- Automate content publishing from external systems
- Integrate with CRMs like Salesforce or HubSpot
- Sync data between WordPress and other platforms
- Create headless WordPress setups with React, Vue, or Next.js
Ready to Connect?
Getting WordPress REST API access isn’t complicated—it just requires the right approach. Whether you choose application passwords for simplicity, JWT for flexibility, or OAuth for enterprise-grade security, you’re now equipped to make the right choice.
Start with Application Passwords if you’re new to APIs. It’s built-in, secure, and works immediately. You can always upgrade to JWT or OAuth as your needs grow.
The WordPress REST API opens up a world of possibilities for extending your site beyond its traditional boundaries. What will you build with it?
Need help implementing WordPress REST API in your project? Our team specializes in WordPress integrations and custom API solutions. Get in touch today.