docs/apis/store-api/nonce-tokens.md
Nonces are generated numbers used to verify origin and intent of requests for security purposes. You can read more about nonces in the WordPress codex.
POST requests to the /cart endpoints and all requests to the /checkout endpoints require a nonce to function. Failure to provide a valid nonce will return an error response, unless you're using Cart Tokens instead.
Nonce tokens are included with the request headers. Create a request header named Nonce. This will be validated by the API.
Example:
curl --header "Nonce: 12345" --request GET https://example-store.com/wp-json/wc/store/v1/checkout
After a successful request, the response includes an updated Nonce header. The client must store this value and send it with subsequent requests.
Nonces must be created using the wp_create_nonce function with the key wc_store_api.
wp_create_nonce( 'wc_store_api' )
There is no other mechanism in place for creating nonces.
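The client-side handling described above, sketched as an added example (not code from WooCommerce): it sends the Nonce header only where this page says one is required and replaces the stored value whenever a response returns a new one. The class name `StoreApiNonce`, its methods, and the way the initial nonce reaches the page are assumptions of this example.

```javascript
const STORE_BASE = '/wp-json/wc/store/v1'; // path taken from the curl example

class StoreApiNonce {
  // initialNonce: output of wp_create_nonce( 'wc_store_api' ), handed to the
  // page by the server (the delivery mechanism is an assumption here).
  constructor(initialNonce) {
    this.nonce = initialNonce || null;
  }

  // Rule from the page: POST to /cart endpoints, every request to /checkout.
  static requiresNonce(method, url) {
    const path = new URL(url, 'https://example-store.com').pathname;
    const idx = path.indexOf(STORE_BASE + '/');
    if (idx === -1) return false;
    const route = path.slice(idx + STORE_BASE.length);
    const under = (p) => route === p || route.startsWith(p + '/');
    if (under('/checkout')) return true;
    return under('/cart') && method.toUpperCase() === 'POST';
  }

  // Headers to attach to an outgoing request; fails early if no nonce is held.
  headersFor(method, url) {
    if (!StoreApiNonce.requiresNonce(method, url)) return {};
    if (!this.nonce) throw new Error(`No nonce held for ${method} ${url}`);
    return { Nonce: this.nonce };
  }

  // Keep the refreshed Nonce header from a response; true if the value changed.
  absorb(responseHeaders) {
    const fresh = responseHeaders.get('Nonce');
    if (!fresh || fresh === this.nonce) return false;
    this.nonce = fresh;
    return true;
  }

  // fetch wrapper; fetchImpl is injectable so the class can be exercised offline.
  async request(method, url, body, fetchImpl = fetch) {
    const headers = { 'Content-Type': 'application/json', ...this.headersFor(method, url) };
    const init = { method, headers };
    if (body !== undefined) init.body = JSON.stringify(body);
    const res = await fetchImpl(url, init);
    this.absorb(res.headers);
    return res;
  }
}
```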
If you want to test REST endpoints without providing a nonce, you can use the following filter:
add_filter( 'woocommerce_store_api_disable_nonce_check', '__return_true' );
Nonce checks will be bypassed if woocommerce_store_api_disable_nonce_check evaluates to true.
NOTE: This should only be done on development sites where security is not important. Do not enable this in production.