docs/apis/rest-api/authentication.mdx
import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem';
WooCommerce includes two ways to authenticate with the WP REST API. It is also possible to authenticate using any WP REST API authentication plugin or method.
Pre-generated keys can be used to authenticate use of the REST API endpoints. New keys can be generated either through the WordPress admin interface or they can be auto-generated through an endpoint.
To create or manage keys for a specific WordPress user, go to WooCommerce > Settings > Advanced > REST API.
Note: Keys/Apps was found at WooCommerce > Settings > API > Key/Apps prior to WooCommerce 3.4.
Click the "Add Key" button. In the next screen, add a description and select the WordPress user you would like to generate the key for. Use of the REST API with the generated keys will conform to that user's WordPress roles and capabilities.
Choose the level of access for this REST API key, which can be Read access, Write access or Read/Write access. Then click the "Generate API Key" button and WooCommerce will generate REST API keys for the selected user.
Now that keys have been generated, you should see two new keys, a QRCode, and a Revoke API Key button. These two keys are your Consumer Key and Consumer Secret.
If the WordPress user associated with an API key is deleted, the API key will cease to function. API keys are not transferred to other users.
This endpoint can be used by any APP to allow users to generate API keys for your APP. This makes integration with WooCommerce API easier because the user only needs to grant access to your APP via a URL. After being redirected back to your APP, the API keys will be sent back in a separate POST request.
The following image illustrates how this works:
:::warning This endpoint works exclusively for users to generate API keys and facilitate integration between the WooCommerce REST API and an application. In no way is this endpoint intended to be used as login method for customers. :::
| Parameter | Type | Description |
|---|---|---|
app_name | string | Your APP name MANDATORY |
scope | string | Level of access. Available: read, write and read_write MANDATORY |
user_id | string | User ID in your APP. For your internal reference, used when the user is redirected back to your APP. NOT THE USER ID IN WOOCOMMERCE MANDATORY |
return_url | string | URL the user will be redirected to after authentication MANDATORY |
callback_url | string | URL that will receive the generated API key. Note: this URL should be over HTTPS MANDATORY |
You must use the /wc-auth/v1/authorize endpoint and pass the above parameters as a query string.
<Tabs> <TabItem value="curl" label="cURL">Example of how to build an authentication URL:
# Bash example
STORE_URL='http://example.com'
ENDPOINT='/wc-auth/v1/authorize'
PARAMS="app_name=My App Name&scope=read_write&user_id=123&return_url=http://app.com/return-page&callback_url=https://app.com/callback-endpoint"
QUERY_STRING="$(perl -MURI::Escape -e 'print uri_escape($ARGV[0]);' "$PARAMS")"
QUERY_STRING=$(echo $QUERY_STRING | sed -e "s/%20/\+/g" -e "s/%3D/\=/g" -e "s/%26/\&/g")
echo "$STORE_URL$ENDPOINT?$QUERY_STRING"
const querystring = require('querystring');
const store_url = 'http://example.com';
const endpoint = '/wc-auth/v1/authorize';
const params = {
app_name: 'My App Name',
scope: 'read_write',
user_id: 123,
return_url: 'http://app.com/return-page',
callback_url: 'https://app.com/callback-endpoint'
};
const query_string = querystring.stringify(params).replace(/%20/g, '+');
console.log(store_url + endpoint + '?' + query_string);
<?php
$store_url = 'http://example.com';
$endpoint = '/wc-auth/v1/authorize';
$params = [
'app_name' => 'My App Name',
'scope' => 'write',
'user_id' => 123,
'return_url' => 'http://app.com',
'callback_url' => 'https://app.com'
];
$query_string = http_build_query( $params );
echo $store_url . $endpoint . '?' . $query_string;
?>
from urllib.parse import urlencode
store_url = 'http://example.com'
endpoint = '/wc-auth/v1/authorize'
params = {
"app_name": "My App Name",
"scope": "read_write",
"user_id": 123,
"return_url": "http://app.com/return-page",
"callback_url": "https://app.com/callback-endpoint"
}
query_string = urlencode(params)
print("%s%s?%s" % (store_url, endpoint, query_string))
require "uri"
store_url = 'http://example.com'
endpoint = '/wc-auth/v1/authorize'
params = {
app_name: "My App Name",
scope: "read_write",
user_id: 123,
return_url: "http://app.com/return-page",
callback_url: "https://app.com/callback-endpoint"
}
query_string = URI.encode_www_form(params)
puts "#{store_url}#{endpoint}?#{query_string}"
Example of JSON posted with the API Keys
{
"key_id": 1,
"user_id": 123,
"consumer_key": "ck_xxxxxxxxxxxxxxxx",
"consumer_secret": "cs_xxxxxxxxxxxxxxxx",
"key_permissions": "read_write"
}
Example of the screen that the user will see:
return_url, you are also sent success and user_id parameters as query strings.success sends 0 if the user denied, or 1 if authenticated successfully.user_id to identify the user when redirected back to the (return_url) and also remember to save the API Keys when your callback_url is posted to after auth.callback_url, so it's important to remember that some languages such as PHP will not display it inside the $_POST global variable, in PHP you can access it using $HTTP_RAW_POST_DATA (for old PHP versions) or file_get_contents('php://input');.You may use HTTP Basic Auth by providing the REST API Consumer Key as the username and the REST API Consumer Secret as the password.
<Tabs> <TabItem value="curl" label="cURL">HTTP Basic Auth example
curl https://www.example.com/wp-json/wc/v3/orders \
-u consumer_key:consumer_secret
const WooCommerceRestApi = require("@woocommerce/woocommerce-rest-api").default;
// import WooCommerceRestApi from "@woocommerce/woocommerce-rest-api"; // Supports ESM
const WooCommerce = new WooCommerceRestApi({
url: 'https://example.com',
consumerKey: 'consumer_key',
consumerSecret: 'consumer_secret',
version: 'wc/v3'
});
<?php
require __DIR__ . '/vendor/autoload.php';
use Automattic\WooCommerce\Client;
$woocommerce = new Client(
'https://example.com',
'consumer_key',
'consumer_secret',
[
'wp_api' => true,
'version' => 'wc/v3'
]
);
?>
from woocommerce import API
wcapi = API(
url="https://example.com",
consumer_key="consumer_key",
consumer_secret="consumer_secret",
wp_api=True,
version="wc/v3"
)
require "woocommerce_api"
woocommerce = WooCommerce::API.new(
"https://example.com",
"consumer_key",
"consumer_secret",
{
wp_json: true,
version: "wc/v3"
}
)
Occasionally some servers may not parse the Authorization header correctly (if you see a "Consumer key is missing" error when authenticating over SSL, you have a server issue). In this case, you may provide the consumer key/secret as query string parameters instead.
<Tabs> <TabItem value="curl" label="cURL">Example for servers that not properly parse the Authorization header:
curl https://www.example.com/wp-json/wc/v3/orders?consumer_key=123&consumer_secret=abc
const WooCommerceRestApi = require("@woocommerce/woocommerce-rest-api").default;
// import WooCommerceRestApi from "@woocommerce/woocommerce-rest-api"; // Supports ESM
const WooCommerce = new WooCommerceRestApi({
url: 'https://example.com',
consumerKey: 'consumer_key',
consumerSecret: 'consumer_secret',
version: 'wc/v3',
queryStringAuth: true // Force Basic Authentication as query string true and using under HTTPS
});
<?php
require __DIR__ . '/vendor/autoload.php';
use Automattic\WooCommerce\Client;
$woocommerce = new Client(
'https://example.com',
'consumer_key',
'consumer_secret',
[
'wp_api' => true,
'version' => 'wc/v3',
'query_string_auth' => true // Force Basic Authentication as query string true and using under HTTPS
]
);
?>
from woocommerce import API
wcapi = API(
url="https://example.com",
consumer_key="consumer_key",
consumer_secret="consumer_secret",
wp_api=True,
version="wc/v3",
query_string_auth=True # Force Basic Authentication as query string true and using under HTTPS
)
require "woocommerce_api"
woocommerce = WooCommerce::API.new(
"https://example.com",
"consumer_key",
"consumer_secret",
{
wp_json: true,
version: "wc/v3",
query_string_auth: true # Force Basic Authentication as query string true and using under HTTPS
}
)
You must use OAuth 1.0a "one-legged" authentication to ensure REST API credentials cannot be intercepted by an attacker. Typically you will use any standard OAuth 1.0a library in the language of your choice to handle the authentication, or generate the necessary parameters by following the following instructions.
First you need to determine the HTTP method you will be using for the request, and the URL of the request.
The HTTP method will be GET in our case.
The Request URL will be the endpoint you are posting to, e.g. http://www.example.com/wp-json/wc/v3/orders.
Collect and normalize your parameters. This includes all oauth_* parameters except for the oauth_signature itself.
These values need to be encoded into a single string which will be used later on. The process to build the string is very specific:
= character to the output string.& character to the output string.When percent encoding in PHP for example, you would use rawurlencode().
When sorting parameters in PHP for example, you would use uksort( $params, 'strcmp' ).
Parameters example:
oauth_consumer_key=abc123&oauth_signature_method=HMAC-SHA1
The above values collected so far must be joined to make a single string, from which the signature will be generated. This is called the signature base string in the OAuth specification.
To encode the HTTP method, request URL, and parameter string into a single string:
& character to the output string.& character to the output string.Example signature base string:
GET&http%3A%2F%2Fwww.example.com%2Fwp-json%2Fwc%2Fv3%2Forders&oauth_consumer_key%3Dabc123%26oauth_signature_method%3DHMAC-SHA1
Generate the signature using the signature base string and your consumer secret key with a & character with the HMAC-SHA1 hashing algorithm.
In PHP you can use the hash_hmac function.
HMAC-SHA1 or HMAC-SHA256 are the only accepted hash algorithms.
If you are having trouble generating a correct signature, you'll want to review the string you are signing for encoding errors. The authentication source can also be helpful in understanding how to properly generate the signature.
oauth_consumer_key, oauth_timestamp, oauth_nonce, oauth_signature, and oauth_signature_method. oauth_version is not required and should be omitted.www sub-domain, you should use it for requests)