---
title: WP Rest API
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/wp-rest-api/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/wp-rest-api/
last_updated: 2026-06-20
---

# WP Rest API

> Integrate WordPress REST API with modern frontends.

A blueprint for turning WordPress into a secure headless backend for modern frontends like Next.js and Nuxt, mobile apps and webhooks. It covers custom route registration, three auth models (nonce, Application Passwords, JWT), capability-based access control, CORS whitelisting and rate limiting, wrapped in a five-layer defense chain so no endpoint ever ships with permission_callback left open.

## Use cases
- Registering custom REST routes with validation and sanitization
- Headless WordPress paired with Next.js or Nuxt
- Mobile app or third-party integration backends
- Webhook endpoints with signature verification
- Exposing custom post types and meta to a JS frontend
- On-demand ISR revalidation via cache tags

## Benefits
- Capability-scoped permission callbacks replace the blanket __return_true that hands a private endpoint to every unauthenticated caller
- Five-layer defense (auth, capability, rate limit, validation, escaping) means one slip doesn't expose data
- _fields and per_page limits cut response size ~60% and raise CDN cache hit rate
- ISR webhook + revalidateTag keeps a Next.js frontend fresh without full rebuilds

## What’s included
- register_rest_route anatomy with type, required, validate and sanitize callbacks per arg
- Three auth patterns: X-WP-Nonce, Application Passwords (HTTPS required), and JWT
- Capability-based permission_callback examples (read vs edit_posts vs list_users)
- Explicit-whitelist CORS instead of wildcard, with credentials and headers
- Transient-based rate limiter returning proper 429 with Retry-After
- Next.js headless fetch pattern with revalidate, cache tags and on-demand webhook revalidation

## Who it’s for
Developers building headless WordPress, mobile backends or webhook integrations that demand secure, well-validated REST endpoints.

## How it runs
Exposing WordPress to a modern frontend starts with a contract, not a handler. Routes declare their types and validation up front, then auth, rate limits, CORS and caching stack into a five-layer defense.
1. Registers routes contract-first in a custom namespace (myapp/v1, never wp/v2): every argument declares type, required, validate_callback and sanitize_callback before the handler is written, and breaking changes go to a new version namespace.
2. Locks permission_callback with least privilege: specific capabilities like edit_posts or list_users instead of blanket manage_options, and __return_true only on endpoints whose public intent is explicit.
3. Picks the auth model by client: X-WP-Nonce header for same-origin frontends (nonce localized into the page script), Application Passwords for external clients and mobile apps, with HTTPS mandatory because core disables Application Passwords over plain HTTP, and JWT for fully decoupled clients via a plugin, since core ships no JWT auth of its own.
4. Stacks the remaining defense layers: a transient-based rate limit returning 429 with Retry-After at 100 requests per hour, and CORS as an explicit origin whitelist with Vary: Origin, never a wildcard or a reflected Origin paired with credentials, which would let any third-party page make authenticated requests and read the responses.
5. Engineers the cache and payload: Cache-Control public max-age 300 for shared data and private no-store for user data, _fields params to cut response size, and an ISR webhook so a WP save triggers Next.js revalidateTag instead of stale pages.
6. Verifies with the checklist: /wp-json/ namespace visible, OPTIONS returns the schema, correct 401/403/404/429 status codes, rate limit actually tested, pretty permalinks active.
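The steps above as one mu-plugin, written here as an added example and not code from the product. The namespace myapp/v1, the edit_posts capability, the 100-requests-per-hour limit with 429 and Retry-After, and the two Cache-Control values are taken from the page; the route name /posts, the myapp_* helper names and the constant MYAPP_ALLOWED_ORIGINS (an array of exact origins, assumed to be defined in wp-config.php) are assumptions. Step 3 needs no code of its own: cookie plus X-WP-Nonce, or an Application Password in the Authorization header, are resolved by core before permission_callback runs, so current_user_can() already sees the right user.

```php
<?php
// Plugin Name: myapp REST hardening (added example for this page, not the product's own code).
// Drop into wp-content/mu-plugins/. Assumes wp-config.php defines MYAPP_ALLOWED_ORIGINS
// (array of exact origins). Needs PHP 7.4+ (arrow functions) and WP 5.9+ (str_starts_with).

// Layer 1: contract-first route in its own namespace; type, default, bounds, validate and
// sanitize callbacks are declared per argument, so the handler only ever sees clean input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myapp/v1', '/posts', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myapp_list_posts',
        'permission_callback' => 'myapp_can_list_posts',      // never __return_true here
        'args'                => [
            'per_page' => [
                'type'              => 'integer',
                'default'           => 10,
                'minimum'           => 1,
                'maximum'           => 50,                       // hard cap on payload size
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'absint',
            ],
        ],
    ] );
} );

// Layer 2: least privilege. edit_posts rather than manage_options; anonymous callers get 401
// and authenticated users without the capability get 403 (rest_authorization_required_code).
function myapp_can_list_posts( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'myapp_forbidden', 'edit_posts capability required.',
            [ 'status' => rest_authorization_required_code() ] );
    }
    return true;
}

function myapp_list_posts( WP_REST_Request $request ) {
    $query = new WP_Query( [
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => $request['per_page'],                // already validated and sanitized
        'no_found_rows'  => true,
    ] );
    $items = array_map( fn( $p ) => [ 'id' => $p->ID, 'slug' => $p->post_name,
        'title' => wp_strip_all_tags( get_the_title( $p ) ) ], $query->posts );  // escape on output
    return rest_ensure_response( $items );                       // ?_fields=id,slug applied by core
}

// Layer 3: transient-based rate limit, 100 requests per hour per user (IP when anonymous), run
// before dispatch. Transients are not atomic, so a tight burst can overshoot by a few requests:
// acceptable for abuse control, not for metering. Preflight OPTIONS requests are not counted.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 'OPTIONS' === $request->get_method() || ! str_starts_with( $request->get_route(), '/myapp/v1/' ) ) {
        return $result;
    }
    $key    = 'myapp_rl_' . md5( (string) ( get_current_user_id() ?: ( $_SERVER['REMOTE_ADDR'] ?? '' ) ) );
    $window = get_transient( $key );
    if ( ! is_array( $window ) || $window['reset'] <= time() ) {
        $window = [ 'count' => 0, 'reset' => time() + HOUR_IN_SECONDS ];
    }
    $window['count']++;
    set_transient( $key, $window, max( 1, $window['reset'] - time() ) );
    if ( $window['count'] > 100 ) {
        return new WP_REST_Response( [ 'code' => 'myapp_rate_limited', 'message' => 'Too many requests.' ],
            429, [ 'Retry-After' => (string) max( 1, $window['reset'] - time() ) ] );
    }
    return $result;
}, 10, 3 );

// Layer 4: CORS from an explicit allow-list. Core's default handler is replaced so an unlisted
// Origin gets no Access-Control-Allow-Origin at all; credentials are only ever paired with an
// exact origin, never '*', and Vary: Origin stops shared caches from mixing the answers.
add_action( 'rest_api_init', function () {
    remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
    add_filter( 'rest_pre_serve_request', function ( $served ) {
        $origin = get_http_origin();
        if ( $origin && in_array( $origin, MYAPP_ALLOWED_ORIGINS, true ) ) {
            header( 'Access-Control-Allow-Origin: ' . $origin );
            header( 'Access-Control-Allow-Credentials: true' );
            header( 'Access-Control-Allow-Methods: GET, POST, OPTIONS' );
            header( 'Access-Control-Allow-Headers: Authorization, Content-Type, X-WP-Nonce' );
            header( 'Vary: Origin' );
        }
        return $served;
    } );
}, 15 );

// Layer 5: caching policy. Only successful anonymous responses are shareable; anything built for
// a logged-in user, and every error (including the 429 above), stays out of shared caches.
add_filter( 'rest_post_dispatch', function ( $response, $server, $request ) {
    if ( str_starts_with( $request->get_route(), '/myapp/v1/' ) ) {
        $shareable = ! is_user_logged_in() && 200 === $response->get_status();
        $response->header( 'Cache-Control', $shareable ? 'public, max-age=300' : 'private, no-store' );
    }
    return $response;
}, 10, 3 );
```

To run the checklist in step 6 against it: GET /wp-json/myapp/v1/posts?per_page=500 should come back 400 from rest_validate_request_arg (maximum is 50), the same call without credentials 401, with a subscriber's credentials 403, the 101st call within an hour 429 with a Retry-After header, and an OPTIONS request to the route should list per_page with its type, minimum and maximum in the returned schema.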

## FAQ
### Does this fit a headless setup with Next.js, or only classic WordPress themes?
Headless is the core scenario: it includes the Next.js fetch pattern with revalidate and cache tags, plus on-demand ISR revalidation triggered by a WordPress webhook. The same route, auth and CORS patterns also serve mobile apps and third-party integrations.
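The webhook half of that scenario, as an added example rather than the product's code: a WordPress sender that signs the ISR revalidation call to Next.js, and a receiver route for the signed third-party webhooks listed under use cases. Assumed, and not from the page: the constants MYAPP_REVALIDATE_URL, MYAPP_REVALIDATE_SECRET and MYAPP_INBOUND_SECRET in wp-config.php, the X-Hook-Timestamp / X-Hook-Signature header names, the /webhooks/inventory route and its stand-in update_option side effect. The Next.js revalidate route is expected to recompute the same HMAC over timestamp and raw body, compare it in constant time, and only then call revalidateTag.

```php
<?php
// Added example, not the product's code. Assumes wp-config.php defines MYAPP_REVALIDATE_URL and
// MYAPP_REVALIDATE_SECRET (shared with the Next.js revalidate route) and MYAPP_INBOUND_SECRET
// (shared with the external service that posts to us). Header and route names are assumptions.

// The signature covers timestamp + raw body, so a receiver can reject both forged and replayed calls.
function myapp_hook_signature( string $secret, int $ts, string $body ): string {
    return hash_hmac( 'sha256', $ts . '.' . $body, $secret );
}

// Outbound ISR webhook: when a post enters or leaves 'publish', tell Next.js which cache tag to
// revalidate. Non-blocking so the editor's save is not held up by the frontend.
add_action( 'transition_post_status', function ( $new, $old, $post ) {
    if ( 'post' !== $post->post_type || ( 'publish' !== $new && 'publish' !== $old ) ) {
        return;
    }
    $ts   = time();
    $body = wp_json_encode( [ 'tag' => 'posts', 'slug' => $post->post_name ] );
    wp_remote_post( MYAPP_REVALIDATE_URL, [ 'blocking' => false, 'body' => $body, 'headers' => [
        'Content-Type'     => 'application/json',
        'X-Hook-Timestamp' => (string) $ts,
        'X-Hook-Signature' => myapp_hook_signature( MYAPP_REVALIDATE_SECRET, $ts, $body ),
    ] ] );
}, 10, 3 );

// Inbound webhook: the caller has no WordPress account, so the permission_callback IS the
// signature check. This keeps __return_true out of the route while still allowing a public caller.
function myapp_verify_inbound_webhook( WP_REST_Request $request ) {
    $ts  = (int) $request->get_header( 'X-Hook-Timestamp' );      // null/missing -> 0 -> stale
    $sig = (string) $request->get_header( 'X-Hook-Signature' );
    if ( abs( time() - $ts ) > 5 * MINUTE_IN_SECONDS ) {
        return new WP_Error( 'myapp_stale_hook', 'Timestamp outside the accepted window.', [ 'status' => 401 ] );
    }
    // Sign the raw body, not a re-encoded copy: any whitespace difference would change the MAC.
    $expected = myapp_hook_signature( MYAPP_INBOUND_SECRET, $ts, $request->get_body() );
    if ( ! hash_equals( $expected, $sig ) ) {                       // constant-time comparison
        return new WP_Error( 'myapp_bad_signature', 'Invalid webhook signature.', [ 'status' => 401 ] );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myapp/v1', '/webhooks/inventory', [
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => 'myapp_verify_inbound_webhook',
        'callback'            => function ( WP_REST_Request $request ) {
            // Parse only after verification; the body is untrusted until the MAC matched.
            $data = $request->get_json_params();
            $sku  = sanitize_text_field( $data['sku'] ?? '' );
            $qty  = absint( $data['qty'] ?? 0 );
            if ( '' === $sku ) {
                return new WP_Error( 'myapp_bad_request', 'sku is required.', [ 'status' => 400 ] );
            }
            update_option( 'myapp_stock_' . $sku, $qty, false );    // stand-in for the real side effect
            return new WP_REST_Response( [ 'ok' => true, 'sku' => $sku ], 200 );
        },
    ] );
} );
```

The five-minute window bounds replay of a captured request; a receiver that must reject replays entirely should additionally remember recent signatures for the length of the window. Keep the inbound secret separate from the outbound one so a leak on the third-party side cannot be used to forge revalidation calls to the frontend.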

### Why do I need a five-layer defense, isn't a permission_callback enough?
A permission callback alone leaves gaps: unvalidated args, wildcard CORS and unthrottled requests still expose you. The chain stacks auth, capability-scoped permissions, a transient-based rate limiter returning proper 429s, per-arg validation/sanitization and escaping, so one slip in any layer does not become a data leak.

### Will it manage my WordPress content or write the frontend pages themselves?
No. It builds the API layer: registering routes, securing them with nonce, Application Passwords or JWT, and wiring the fetch/revalidation side. Content production and the actual frontend UI are separate work it does not do.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI code review and developer workflow](https://forgehouse.ai/guides/ai-code-review/)
