The WordPress REST API transformed the CMS into a headless platform. In 2026, it powers most decoupled architectures, mobile apps, Vue.js/React dashboards, and SaaS integrations.
Yet many use it without understanding the underlying mechanisms: authentication, permission callbacks, pagination, caching, rate limiting. That ends in exposed endpoints without controls, N+1 queries, and security vulnerabilities.
This guide covers everything you need to master the WordPress REST API in 2026 — from native endpoints to custom route creation, JWT authentication, and the WooCommerce API.
Create a free Volade account
Unlock this article's member resources and the full Volade pack.
No credit card · Public checklists stay free.
Native API REST endpoints
Main resources
| Endpoint | Resource | Methods |
|---|---|---|
/wp/v2/posts | Posts | GET, POST |
/wp/v2/pages | Pages | GET, POST |
/wp/v2/users | Users | GET, POST |
/wp/v2/media | Media | GET, POST |
/wp/v2/categories | Categories | GET, POST |
/wp/v2/tags | Tags | GET, POST |
/wp/v2/comments | Comments | GET, POST |
/wp/v2/block-patterns | Block patterns | GET |
/wp/v2/templates | Templates | GET, POST |
/wp/v2/navigation | Navigation menus | GET, POST |
/wp/v2/global-styles | Global styles (FSE) | GET, POST |
/wp/v2/plugins | Plugins | GET, POST, DELETE |
/wp/v2/settings | Site settings | GET, PUT |
/wp/v2/themes | Themes | GET |
/wp/v2/search | Search | GET |
Basic usage
# Get latest 10 posts with pagination
curl https://your-site.com/wp-json/wp/v2/posts?per_page=10&page=1
# Get a specific post with its meta
curl https://your-site.com/wp-json/wp/v2/posts/123?_embed=wp:term
# Create a post (requires authentication)
curl -X POST https://your-site.com/wp-json/wp/v2/posts \
-H 'Content-Type: application/json' \
-d '{"title": "My article", "content": "My content", "status": "publish"}'
Authentication
Method comparison
| Method | Complexity | Typical use | Security |
|---|---|---|---|
| Cookie (nonce) | Low | Themes, admin-side plugins | Limited (CSRF + nonce) |
| Basic Auth | Low | Tests, development | Low (HTTPS only) |
| JWT (JSON Web Token) | Medium | Headless apps, mobile | High (expiration, refresh) |
| OAuth 2.0 | High | Third-party apps, SaaS | Very high (Authorization Code Flow) |
| Application Password | Low | WP-CLI, scripts | Good (revocable, scoped) |
JWT — setup and usage
Step 1 — Install a JWT plugin (e.g. JWT Authentication for WP-API)
Step 2 — Configure in wp-config.php:
define('JWT_AUTH_SECRET_KEY', 'your-very-long-secret-key');
define('JWT_AUTH_CORS_ENABLE', true);
Step 3 — Obtain a token:
curl -X POST https://your-site.com/wp-json/jwt-auth/v1/token \
-H 'Content-Type: application/json' \
-d '{"username": "admin", "password": "my-password"}'
# Response: {"token": "eyJhbGciOiJIUzI1NiIs...", "user_email": "admin@site.com"}
Step 4 — Use the token in authenticated requests:
curl https://your-site.com/wp-json/wp/v2/posts \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIs...'
Step 5 — Refresh the token (before expiration):
curl -X POST https://your-site.com/wp-json/jwt-auth/v1/token/refresh \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIs...'
JWT vs OAuth 2.0 comparison
| Criteria | JWT | OAuth 2.0 |
|---|---|---|
| Implementation ease | Simple | Complex |
| Performance (no DB lookup) | Yes (self-contained token) | No (server verification) |
| Immediate revocation | No (unless blacklisted) | Yes (Authorization Server) |
| Ideal for | First-party apps, mobile | Third-party apps, public API |
| Expiration | Built-in (exp claim) | Via Access + Refresh Token |
| WordPress maturity | Very good (mature plugins) | Native support since WP 7.0 |
Creating a custom CRUD endpoint
Route structure
add_action('rest_api_init', function () {
register_rest_route('volade/v1', '/products', [
[
'methods' => 'GET',
'callback' => 'volade_get_products',
'permission_callback' => '__return_true',
],
[
'methods' => 'POST',
'callback' => 'volade_create_product',
'permission_callback' => 'volade_check_admin_permission',
],
]);
});
GET callback with parameters
function volade_get_products($request) {
$args = [
'post_type' => 'product',
'posts_per_page' => $request->get_param('per_page') ?: 10,
'paged' => $request->get_param('page') ?: 1,
'meta_query' => [
[
'key' => 'price',
'value' => $request->get_param('price_min'),
'type' => 'NUMERIC',
'compare' => '>='
]
]
];
$query = new WP_Query($args);
$products = [];
foreach ($query->posts as $post) {
$products[] = [
'id' => $post->ID,
'title' => $post->post_title,
'price' => get_post_meta($post->ID, 'price', true),
];
}
return new WP_REST_Response([
'products' => $products,
'total' => $query->found_posts,
'pages' => $query->max_num_pages,
], 200);
}
Typical permission callback
function volade_check_admin_permission() {
if (!current_user_can('manage_options')) {
return new WP_Error(
'rest_forbidden',
'You must be an administrator.',
['status' => 403]
);
}
return true;
}
POST endpoint to create a resource
function volade_create_product($request) {
$body = json_decode($request->get_body(), true);
if (empty($body['title']) || empty($body['price'])) {
return new WP_Error(
'missing_fields',
'The "title" and "price" fields are required.',
['status' => 400]
);
}
$post_id = wp_insert_post([
'post_title' => sanitize_text_field($body['title']),
'post_content' => sanitize_textarea_field($body['description'] ?? ''),
'post_type' => 'product',
'post_status' => 'publish',
]);
if (is_wp_error($post_id)) {
return new WP_Error('creation_failed', 'Could not create the product.', ['status' => 500]);
}
update_post_meta($post_id, 'price', floatval($body['price']));
return new WP_REST_Response([
'id' => $post_id,
'title' => $body['title'],
'price' => $body['price'],
'link' => rest_url("volade/v1/products/{$post_id}"),
], 201);
}
REST pattern reference
| Pattern | Usage | Method |
|---|---|---|
GET /volade/v1/products | List products | GET |
GET /volade/v1/products/{id} | Single product | GET |
POST /volade/v1/products | Create a product | POST |
PUT /volade/v1/products/{id} | Update a product | PUT |
DELETE /volade/v1/products/{id} | Delete a product | DELETE |
WooCommerce API
WooCommerce exposes its own REST API at /wc/v3/ endpoints.
Main endpoints
| Endpoint | Resource |
|---|---|
/wc/v3/products | Products |
/wc/v3/orders | Orders |
/wc/v3/customers | Customers |
/wc/v3/categories | Categories |
/wc/v3/shipping/zones | Shipping zones |
/wc/v3/payment-gateways | Payment gateways |
/wc/v3/reports | Reports |
/wc/v3/coupons | Coupons |
/wc/v3/taxes | Taxes |
/wc/v3/refunds | Refunds |
WooCommerce API authentication
Two methods:
1. API Keys (recommended)
curl -X GET https://your-site.com/wp-json/wc/v3/products \
-u "ck_your_consumer_key:cs_your_consumer_secret"
2. JWT (if already using a headless token)
The WooCommerce API respects the same JWT token as the standard WordPress API.
Example: create an order via API
curl -X POST https://your-site.com/wp-json/wc/v3/orders \
-u "ck_key:cs_secret" \
-H 'Content-Type: application/json' \
-d '{
"payment_method": "bacs",
"payment_method_title": "Bank Transfer",
"set_paid": false,
"billing": {
"first_name": "John",
"last_name": "Doe",
"address_1": "123 Main St",
"city": "New York",
"country": "US",
"email": "john@example.com",
"phone": "1234567890"
},
"line_items": [
{
"product_id": 123,
"quantity": 2
}
]
}'
REST API security checklist
- Disable unused endpoints (via
rest_endpointsfilter) - Limit exposed methods (
GETonly when possible) - Validate and sanitize all inputs (sanitize/validate callbacks)
- Implement custom rate limiting (or use a plugin)
- Enforce strict HTTPS
- Protect
/usersendpoint (don't expose emails) - Disable XMLRPC if unused (legacy attack surface)
- Log unauthorized access attempts
What we take away
The WordPress REST API has become a central piece of the ecosystem in 2026. Whether you're building a headless app, a custom dashboard, or integrating WooCommerce with a CRM, mastering endpoints, authentication, and permissions is essential.
Start by understanding native endpoints — they cover 80% of needs without custom code.
Choose the right authentication method: JWT for headless apps, OAuth 2.0 for third-party apps, Application Passwords for internal scripts.
Build custom endpoints with best practices: strict permission callbacks, input validation, pagination, structured responses.
Secure everything you expose — a misconfigured REST API is an open door to your site.
Article updated July 9, 2026. Sources: WordPress REST API Handbook, WooCommerce REST API docs, Volade field tests.
Ready to take action?
Explore the Volade catalog — no account required to get started.
Your feedback matters
Comment on “WordPress REST API 2026: complete guide — endpoints, JWT authentication, CRUD, WooCommerce API” or rate this article to help the community.
people shared this article