Why does a custom API endpoint not work when authentication is applied?


I’ve added some custom API endpoints to my plugin. Here is one example.

add_action( 'rest_api_init', function () {
    register_rest_route( 'my-api/' . 'v1', '/get-uploads-dir', array(
        'methods' => 'GET',
        'callback' => array($this, 'api_get_uploads_dir'),
        'permission_callback' => function () {
          return current_user_can('upload_files');
} );

Here is the callback function.

public function api_get_uploads_dir($request) {

    $uploads_name = get_option(UPLOADS_FOLDER_NAME, "none");

    $data = array(
      'uploads_name' => $uploads_name,

    return $data;


I use this Javascript to call the API.

async function get_uploads_dir() {
    const endpoint="http://example.com/wp-json/my-api/v1/get-uploads-dir";
    try {
        const response = await fetch(endpoint);

        if (response.ok) {
          const data = await response.json();
        } else {
          console.error('Error: ' + response.status + ' - ' + response.statusText);
    } catch (error) {
        console.error('Fetch error: ', error);

This works with no issues. But when I add code for authentication to the Javascript function, the callback function, api_get_uploads_dir($request), is never triggered.

This code was added in the try block for passing the nonce.

const response = await fetch(endpoint, {
    method: 'GET',
    headers: {
     'Content-Type': 'application/json',
     'X-WP-Nonce': my_api.nonce // localized value, 'nonce'=> wp_create_nonce('wp-rest')

When the above code is added to the Javascript, the endpoint callback function will not be executed anymore when the endpoint is called and the response received is ‘Error: 403 – Forbidden’.

And this is how the callback function handles authentication.

$client_nonce = $request->get_header('x_wp_nonce');

if(!wp_verify_nonce($client_nonce, 'wp-rest')) {

But this code never gets a chance to run.

Are there any ideas why the endpoint function no longer runs when the nonce is included in the API call?

AlanP 2 months 2023-04-05T17:31:52-05:00 0 Answers 0 views 0

Leave an answer