Back to blog
Guideswordpress · rest api

WordPress REST API 2026: complete guide — endpoints, JWT authentication, CRUD, WooCommerce API

Complete guide to the WordPress REST API 2026: native endpoints, JWT authentication, custom CRUD creation, WooCommerce API, best practices and security.

Volade teamJune 11, 20267 min read
0 views0 comments0 reviews0 shares
Share on
WordPress REST API 2026 — Complete guide endpoints, JWT, CRUD

The WordPress REST API transformed the CMS into a headless platform. In 2026, it powers most decoupled architectures, mobile apps, Vue.js/React dashboards, and SaaS integrations.

Yet many use it without understanding the underlying mechanisms: authentication, permission callbacks, pagination, caching, rate limiting. That ends in exposed endpoints without controls, N+1 queries, and security vulnerabilities.

This guide covers everything you need to master the WordPress REST API in 2026 — from native endpoints to custom route creation, JWT authentication, and the WooCommerce API.

Native API REST endpoints

Main resources

EndpointResourceMethods
/wp/v2/postsPostsGET, POST
/wp/v2/pagesPagesGET, POST
/wp/v2/usersUsersGET, POST
/wp/v2/mediaMediaGET, POST
/wp/v2/categoriesCategoriesGET, POST
/wp/v2/tagsTagsGET, POST
/wp/v2/commentsCommentsGET, POST
/wp/v2/block-patternsBlock patternsGET
/wp/v2/templatesTemplatesGET, POST
/wp/v2/navigationNavigation menusGET, POST
/wp/v2/global-stylesGlobal styles (FSE)GET, POST
/wp/v2/pluginsPluginsGET, POST, DELETE
/wp/v2/settingsSite settingsGET, PUT
/wp/v2/themesThemesGET
/wp/v2/searchSearchGET

Basic usage

# Get latest 10 posts with pagination
curl https://your-site.com/wp-json/wp/v2/posts?per_page=10&page=1

# Get a specific post with its meta
curl https://your-site.com/wp-json/wp/v2/posts/123?_embed=wp:term

# Create a post (requires authentication)
curl -X POST https://your-site.com/wp-json/wp/v2/posts \
  -H 'Content-Type: application/json' \
  -d '{"title": "My article", "content": "My content", "status": "publish"}'

Authentication

Method comparison

MethodComplexityTypical useSecurity
Cookie (nonce)LowThemes, admin-side pluginsLimited (CSRF + nonce)
Basic AuthLowTests, developmentLow (HTTPS only)
JWT (JSON Web Token)MediumHeadless apps, mobileHigh (expiration, refresh)
OAuth 2.0HighThird-party apps, SaaSVery high (Authorization Code Flow)
Application PasswordLowWP-CLI, scriptsGood (revocable, scoped)

JWT — setup and usage

Step 1 — Install a JWT plugin (e.g. JWT Authentication for WP-API)

Step 2 — Configure in wp-config.php:

define('JWT_AUTH_SECRET_KEY', 'your-very-long-secret-key');
define('JWT_AUTH_CORS_ENABLE', true);

Step 3 — Obtain a token:

curl -X POST https://your-site.com/wp-json/jwt-auth/v1/token \
  -H 'Content-Type: application/json' \
  -d '{"username": "admin", "password": "my-password"}'
# Response: {"token": "eyJhbGciOiJIUzI1NiIs...", "user_email": "admin@site.com"}

Step 4 — Use the token in authenticated requests:

curl https://your-site.com/wp-json/wp/v2/posts \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIs...'

Step 5 — Refresh the token (before expiration):

curl -X POST https://your-site.com/wp-json/jwt-auth/v1/token/refresh \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIs...'

JWT vs OAuth 2.0 comparison

CriteriaJWTOAuth 2.0
Implementation easeSimpleComplex
Performance (no DB lookup)Yes (self-contained token)No (server verification)
Immediate revocationNo (unless blacklisted)Yes (Authorization Server)
Ideal forFirst-party apps, mobileThird-party apps, public API
ExpirationBuilt-in (exp claim)Via Access + Refresh Token
WordPress maturityVery good (mature plugins)Native support since WP 7.0

Creating a custom CRUD endpoint

Route structure

add_action('rest_api_init', function () {
    register_rest_route('volade/v1', '/products', [
        [
            'methods'             => 'GET',
            'callback'            => 'volade_get_products',
            'permission_callback' => '__return_true',
        ],
        [
            'methods'             => 'POST',
            'callback'            => 'volade_create_product',
            'permission_callback' => 'volade_check_admin_permission',
        ],
    ]);
});

GET callback with parameters

function volade_get_products($request) {
    $args = [
        'post_type'      => 'product',
        'posts_per_page' => $request->get_param('per_page') ?: 10,
        'paged'          => $request->get_param('page') ?: 1,
        'meta_query'     => [
            [
                'key'   => 'price',
                'value' => $request->get_param('price_min'),
                'type'  => 'NUMERIC',
                'compare' => '>='
            ]
        ]
    ];

    $query = new WP_Query($args);
    $products = [];

    foreach ($query->posts as $post) {
        $products[] = [
            'id'    => $post->ID,
            'title' => $post->post_title,
            'price' => get_post_meta($post->ID, 'price', true),
        ];
    }

    return new WP_REST_Response([
        'products' => $products,
        'total'    => $query->found_posts,
        'pages'    => $query->max_num_pages,
    ], 200);
}

Typical permission callback

function volade_check_admin_permission() {
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            'You must be an administrator.',
            ['status' => 403]
        );
    }
    return true;
}

POST endpoint to create a resource

function volade_create_product($request) {
    $body = json_decode($request->get_body(), true);

    if (empty($body['title']) || empty($body['price'])) {
        return new WP_Error(
            'missing_fields',
            'The "title" and "price" fields are required.',
            ['status' => 400]
        );
    }

    $post_id = wp_insert_post([
        'post_title'   => sanitize_text_field($body['title']),
        'post_content' => sanitize_textarea_field($body['description'] ?? ''),
        'post_type'    => 'product',
        'post_status'  => 'publish',
    ]);

    if (is_wp_error($post_id)) {
        return new WP_Error('creation_failed', 'Could not create the product.', ['status' => 500]);
    }

    update_post_meta($post_id, 'price', floatval($body['price']));

    return new WP_REST_Response([
        'id'    => $post_id,
        'title' => $body['title'],
        'price' => $body['price'],
        'link'  => rest_url("volade/v1/products/{$post_id}"),
    ], 201);
}

REST pattern reference

PatternUsageMethod
GET /volade/v1/productsList productsGET
GET /volade/v1/products/{id}Single productGET
POST /volade/v1/productsCreate a productPOST
PUT /volade/v1/products/{id}Update a productPUT
DELETE /volade/v1/products/{id}Delete a productDELETE

WooCommerce API

WooCommerce exposes its own REST API at /wc/v3/ endpoints.

Main endpoints

EndpointResource
/wc/v3/productsProducts
/wc/v3/ordersOrders
/wc/v3/customersCustomers
/wc/v3/categoriesCategories
/wc/v3/shipping/zonesShipping zones
/wc/v3/payment-gatewaysPayment gateways
/wc/v3/reportsReports
/wc/v3/couponsCoupons
/wc/v3/taxesTaxes
/wc/v3/refundsRefunds

WooCommerce API authentication

Two methods:

1. API Keys (recommended)

curl -X GET https://your-site.com/wp-json/wc/v3/products \
  -u "ck_your_consumer_key:cs_your_consumer_secret"

2. JWT (if already using a headless token)

The WooCommerce API respects the same JWT token as the standard WordPress API.

Example: create an order via API

curl -X POST https://your-site.com/wp-json/wc/v3/orders \
  -u "ck_key:cs_secret" \
  -H 'Content-Type: application/json' \
  -d '{
    "payment_method": "bacs",
    "payment_method_title": "Bank Transfer",
    "set_paid": false,
    "billing": {
      "first_name": "John",
      "last_name": "Doe",
      "address_1": "123 Main St",
      "city": "New York",
      "country": "US",
      "email": "john@example.com",
      "phone": "1234567890"
    },
    "line_items": [
      {
        "product_id": 123,
        "quantity": 2
      }
    ]
  }'

REST API security checklist

  • Disable unused endpoints (via rest_endpoints filter)
  • Limit exposed methods (GET only when possible)
  • Validate and sanitize all inputs (sanitize/validate callbacks)
  • Implement custom rate limiting (or use a plugin)
  • Enforce strict HTTPS
  • Protect /users endpoint (don't expose emails)
  • Disable XMLRPC if unused (legacy attack surface)
  • Log unauthorized access attempts

What we take away

The WordPress REST API has become a central piece of the ecosystem in 2026. Whether you're building a headless app, a custom dashboard, or integrating WooCommerce with a CRM, mastering endpoints, authentication, and permissions is essential.

Start by understanding native endpoints — they cover 80% of needs without custom code.

Choose the right authentication method: JWT for headless apps, OAuth 2.0 for third-party apps, Application Passwords for internal scripts.

Build custom endpoints with best practices: strict permission callbacks, input validation, pagination, structured responses.

Secure everything you expose — a misconfigured REST API is an open door to your site.


Article updated July 9, 2026. Sources: WordPress REST API Handbook, WooCommerce REST API docs, Volade field tests.

Ready to take action?

Explore the Volade catalog — no account required to get started.

Browse extensionsSee V+ pricing
Free to startNo credit cardWooCommerce-firstMaintained in 2026
Discussion

Your feedback matters

Comment on “WordPress REST API 2026: complete guide — endpoints, JWT authentication, CRUD, WooCommerce API” or rate this article to help the community.

0

people shared this article

Share on

Sources & credits

WordPress documentation, Volade support tickets, and field testing on merchant sites.

#wordpress#rest-api#jwt#woocommerce#crud#development#2026

Don't miss a release

WordPress, WooCommerce and TikTok Shop guides — straight to your inbox.