Skip to main content

REST API Authentication

The WooCommerce REST API requires authentication for all requests. This guide covers the available authentication methods and how to implement them.

Authentication Methods

WooCommerce supports multiple authentication methods:
  1. REST API Keys (Recommended for most integrations)
  2. OAuth 1.0a (For third-party applications)
  3. Basic Authentication (HTTPS only, simple testing)
  4. JWT (JSON Web Tokens, with plugins)

REST API Keys

The recommended authentication method for most integrations. API keys are generated through the WooCommerce admin interface.

Generating API Keys

  1. Navigate to WooCommerce > Settings > Advanced
  2. Click the REST API tab
  3. Click Add key
  4. Configure the key:
    • Description: Name to identify the key (e.g., “Mobile App Integration”)
    • User: WordPress user with appropriate permissions
    • Permissions: Read, Write, or Read/Write
  5. Click Generate API Key
  6. Save your keys immediately - the Consumer Secret is shown only once
Store your Consumer Key and Consumer Secret securely. The Consumer Secret cannot be retrieved after closing the page.

Key Components

After generation, you’ll receive:
  • Consumer Key: Public identifier (e.g., ck_1234567890abcdef)
  • Consumer Secret: Private key (e.g., cs_1234567890abcdef)

Using API Keys with HTTPS

When your site uses HTTPS, use HTTP Basic Authentication: 
curl https://example.com/wp-json/wc/v3/products \
  -u ck_1234567890abcdef:cs_1234567890abcdef

Using API Keys with HTTP

If your site only supports HTTP, pass credentials as query parameters:
HTTP is not secure. Credentials are transmitted in plain text and can be intercepted. Use HTTPS whenever possible.
curl http://example.com/wp-json/wc/v3/products \
  ?consumer_key=ck_1234567890abcdef \
  &consumer_secret=cs_1234567890abcdef

OAuth 1.0a Authentication

OAuth 1.0a is designed for third-party applications that need to access customer stores without storing passwords.

When to Use OAuth

  • Building a SaaS application
  • Creating marketplace integrations
  • Allowing multiple stores to connect
  • Need to revoke access without changing passwords

OAuth Flow

  1. Request Token: Get temporary credentials
  2. Authorization: Redirect user to approve access
  3. Access Token: Exchange for permanent credentials
  4. API Requests: Use access token for authentication

Implementation Example

const OAuth = require('oauth-1.0a');
const crypto = require('crypto');
const axios = require('axios');

const oauth = OAuth({
  consumer: {
    key: 'ck_1234567890abcdef',
    secret: 'cs_1234567890abcdef'
  },
  signature_method: 'HMAC-SHA256',
  hash_function(base_string, key) {
    return crypto
      .createHmac('sha256', key)
      .update(base_string)
      .digest('base64');
  }
});

const request_data = {
  url: 'https://example.com/wp-json/wc/v3/products',
  method: 'GET'
};

const headers = oauth.toHeader(oauth.authorize(request_data));

axios.get(request_data.url, { headers })
  .then(response => console.log(response.data))
  .catch(error => console.error(error));

OAuth Parameters

OAuth requests include these parameters:
  • oauth_consumer_key: Your consumer key
  • oauth_timestamp: Current Unix timestamp
  • oauth_nonce: Unique random string
  • oauth_signature: Request signature
  • oauth_signature_method: Usually HMAC-SHA256

Basic Authentication Plugin

For development and testing, you can use the Basic Authentication plugin.
Basic Authentication should ONLY be used for development/testing with HTTPS. Never use in production.

Installation

  1. Download WooCommerce Basic Auth plugin
  2. Install and activate the plugin
  3. Use WordPress username and password for authentication

Example Request

curl https://example.com/wp-json/wc/v3/products \
  -u username:password

JWT Authentication

JSON Web Tokens provide stateless authentication with enhanced security.

Setup

  1. Install a JWT authentication plugin:
  2. Configure your .htaccess or server to pass Authorization headers

Obtaining a Token

curl -X POST https://example.com/wp-json/jwt-auth/v1/token \
  -d "username=your_username" \
  -d "password=your_password"
Response: 
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "user_email": "[email protected]",
  "user_nicename": "username",
  "user_display_name": "User Name"
}

Using the Token

curl https://example.com/wp-json/wc/v3/products \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Testing Authentication

Using Postman

  1. Create a new request
  2. Set URL: https://example.com/wp-json/wc/v3/products
  3. Go to Authorization tab
  4. Select Basic Auth
  5. Enter Consumer Key as username
  6. Enter Consumer Secret as password
  7. Send request

Using Insomnia

  1. Create a new request
  2. Set URL: https://example.com/wp-json/wc/v3/products
  3. Go to Auth tab
  4. Select Basic Auth
  5. Enter Consumer Key and Consumer Secret
  6. Send request

Common Authentication Errors

401 Unauthorized

Cause: Invalid credentials or signature Solutions:
  • Verify Consumer Key and Consumer Secret are correct
  • Check that the user has appropriate permissions
  • Ensure credentials haven’t been revoked
  • Generate new API keys

Consumer Key is Missing

Cause: Server not parsing Authorization header correctly Solution: Pass credentials as query parameters: 
https://example.com/wp-json/wc/v3/orders?consumer_key=ck_xxx&consumer_secret=cs_xxx

403 Forbidden

Cause: User lacks required permissions Solution:
  • Ensure the user has edit_posts capability
  • Check API key permissions (Read/Write)
  • Verify user role has appropriate capabilities

SSL Certificate Errors

Cause: Self-signed or invalid SSL certificate Solution for Testing Only:
  • Disable SSL verification (Postman/Insomnia settings)
  • Use proper SSL certificate in production

Security Best Practices

Follow these security guidelines to protect your store and customer data.

1. Always Use HTTPS

# Good
https://example.com/wp-json/wc/v3/products

# Bad - credentials transmitted in plain text
http://example.com/wp-json/wc/v3/products

2. Limit Key Permissions

  • Use Read permission for data retrieval only
  • Use Write permission only when necessary
  • Create separate keys for different integrations

3. Rotate Keys Regularly

  • Generate new keys periodically
  • Revoke old keys after migration
  • Monitor key usage in WooCommerce logs

4. Store Credentials Securely

// Good - Use environment variables
const API_KEY = process.env.WC_CONSUMER_KEY;
const API_SECRET = process.env.WC_CONSUMER_SECRET;

// Bad - Hardcoded credentials
const API_KEY = 'ck_1234567890abcdef';

5. Implement Rate Limiting

// Example: Rate limiting with retry logic
const makeRequest = async (url, retries = 3) => {
  try {
    return await api.get(url);
  } catch (error) {
    if (error.response?.status === 429 && retries > 0) {
      await new Promise(resolve => setTimeout(resolve, 1000));
      return makeRequest(url, retries - 1);
    }
    throw error;
  }
};

6. Validate SSL Certificates

# Good - Verify SSL certificates
import requests
response = requests.get(url, auth=auth, verify=True)

# Bad - Disabling SSL verification
response = requests.get(url, auth=auth, verify=False)

Authentication with FastCGI

If your server uses FastCGI, authorization headers may not be passed correctly.

Solution 1: Modify .htaccess

Add to your .htaccess file: 
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

Solution 2: Use Query Parameters

Pass credentials in the URL: 
https://example.com/wp-json/wc/v3/products?consumer_key=ck_xxx&consumer_secret=cs_xxx

Webhook Authentication

When WooCommerce sends webhook requests to your application, it includes a signature for verification.

Verifying Webhook Signatures

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const hash = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('base64');
  
  return hash === signature;
}

// Express.js middleware
app.post('/woocommerce-webhook', (req, res) => {
  const signature = req.headers['x-wc-webhook-signature'];
  const payload = JSON.stringify(req.body);
  
  if (!verifyWebhook(payload, signature, webhookSecret)) {
    return res.status(401).send('Invalid signature');
  }
  
  // Process webhook
  res.sendStatus(200);
});

Next Steps

Products API

Learn how to manage products

Orders API

Create and update orders

Build docs developers (and LLMs) love

Get started for freeTalk to us