Note: This post is a deeper dive into what I learned at the Day of REST Event in Boston. You may want to start with my summary post, here.
Joe Hoyle introduced the subject… the WordPress API. It was a high-level flyover that set the table for a day-long consideration of the new WordPress REST API. Nothing fancy, yet the opportunities are so profound.
Joe touched on some options in the API as well as authentication.
The WordPress API currently supports endpoints for the following objects:
I created a Postman Collection of a few sample calls to give you an idea of what we can do. It’s really basic at this time but I’ll work to refine / improve it over time.
Joe also talked about Authentication and did a brief flyover for us. Joe offered a workshop the day before diving in deep on Authentication. Shane Denham of Covenant Eyes was able to attend that workshop.
The authentication methods are as follows:
- Cookie — Used when the consumer of the API is on the same site and thus has access to the cookies associated with the WordPress Admin. In other words, if the user is logged into WordPress then they will enjoy the same level of access through the API, automatically.
- Basic Auth — Essentially .htaccess auth. Not secure because it is plain text based. Usage example: curl -uadmin:password demo.wordpress-api.net…. Acceptable for development and internal server-to-server access.
- oAuth 1.0 — Recommended. Functions similarly to Facebook Login or Google Login: a flow of exchanged app keys resulting in an access token. oAuth1.wp-api.org was offered as an excellent overview of oAuth 1.0, especially as it relates to WordPress. Note: oAuth 2.0 was not encouraged because it requires HTTPS and only 20% of WordPress sites are using HTTPS at present. oAuth 2.0 is an option if we know HTTPS is available.
- Brokered Authentication — An extension of oAuth 1.0 providing for a centralized storehouse for API Keys. WordPress, unlike Google and FB, is not centralized. This approach is a tactic to overcome this limitation.
- Backbone.js — CORE Client accessed by including wp-api.
- WordPress-rest-api-oauth-1 — Joe wrote this to support oAuth 1 (which is apparently not supported by Backbone).
- wpapi (NodeJS)
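The difference between the Basic Auth and oAuth 1.0 entries in the authentication list above, as an added Python example that is not from Joe's talk or the WP-API project: a Basic header decodes straight back to the password for anyone who sees it, while an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) proves knowledge of the secrets without sending them. The host, keys, secrets and parameters are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe="")

def basic_header(user, password):
    # Basic Auth is base64 of "user:password": an encoding, not encryption
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(header):
    # What a captured Basic header yields to whoever observed the request
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The two secrets form the HMAC key and never appear in the request
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret):
    # Server side: recompute from the stored secrets, compare in constant time
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample request (not real credentials or a real site)
URL = "http://example.test/wp-json/wp/v2/posts"
CONSUMER_SECRET, TOKEN_SECRET = "sample-consumer-secret", "sample-token-secret"
PARAMS = {
    "oauth_consumer_key": "sample-key", "oauth_token": "sample-token",
    "oauth_nonce": "n0nce123", "oauth_timestamp": "1457000000",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
    "status": "draft",
}

if __name__ == "__main__":
    print(recover_basic(basic_header("admin", "password")))
    print(sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

The signature protects the secrets and the integrity of the signed parameters; over plain HTTP the request and response contents are still readable in transit, and the server has to reject reused nonce and timestamp pairs to stop replays.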
Seadog’s Take: Joe offered a pretty decent high-level overview of the WordPress REST API. Nothing revolutionary but an essential foundation to establish the rest of the day’s conversation.