In a custom REST API method, I would like to identify the user (typically get_current_user_id()) then retrieve their data from database (things like their role and some custom permission).
But so far get_current_user_id() returns 0 (which is not the current user ID).
Is it possible to identify user in REST API?
Otherwise, a solution I see is using a page as "sort of" API ... but I think that would be an ugly solution.
This question already has answers here: wp_get_current_user() function not working in Rest API callback function (4 answers). Closed 5 years ago.
asked Apr 10, 2019 at 16:15 by TTT, edited Apr 10, 2019 at 16:23
- Look at my answer at wordpress.stackexchange/a/329992/30597 – this will only work when passing nonce to the request. – norman.lol Commented Apr 10, 2019 at 16:33
- 1 It looks like actual duplicate this time, just didn't search with the right keywords. However I have a subquestion ... (I'm not familiar with the word "nonce", English is not my mother language) the nonce is not something that someone could forge in client side to pretend they're another user, right? – TTT Commented Apr 10, 2019 at 16:39
- 1 Yep, WordPress security tokens are called "nonce". See codex.wordpress/WordPress_Nonces – norman.lol Commented Apr 10, 2019 at 16:46
- 1 A nonce en.wikipedia/wiki/Cryptographic_nonce is a pseudo random number used to prevent replay attacks and other security threats. It's also a word for something rather unfortunate in the UK. Authenticated REST API requests should include a nonce+cookie when sent from the browser – Tom J Nowell ♦ Commented Apr 10, 2019 at 17:19
1 Answer
I spent two days searching for a simple way without adding plugins.
First, in function.php where you define your API:
    // Enqueue the script which will use the API.
    function api_callings_scripts() {
        wp_enqueue_script('score-script', get_template_directory_uri() . '/js/ScoreSaving.js', ['jquery'], NULL, TRUE);
        // Pass nonce to JS.
        wp_localize_script('score-script', 'ScoreSettings', [
            'nonce' => wp_create_nonce('wp_rest'),
        ]);
    }
    add_action( 'wp_enqueue_scripts', 'api_callings_scripts' );
Then your script's Ajax call could be something like this:
    jQuery.ajax({
        type: "POST",
        url: "/wp-json/score/update",
        data: {"var1": "value1"},
        // Send the nonce so WordPress authenticates the request with the login cookie.
        beforeSend: function(xhr) {
            xhr.setRequestHeader('X-WP-Nonce', ScoreSettings.nonce);
        },
        success: function( data ) {
            console.log( data );
        }
    });
Now you can use get_current_user_id() inside your API code.
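The server side that the Ajax call above relies on, as an added example that is not part of the original answer: it registers the /wp-json/score/update route and refuses anonymous requests in a permission_callback before reading the user. The score_* function names, the 'read' capability and the score_can_submit meta key are assumptions for illustration.

```php
<?php
// Added example for the theme's functions file; score_* names are hypothetical.
add_action( 'rest_api_init', function () {
    // Namespace 'score' + route '/update' gives the URL /wp-json/score/update.
    register_rest_route( 'score', '/update', [
        'methods'             => 'POST',
        'callback'            => 'score_update_callback',
        // Runs before the callback and decides whether the request may proceed.
        'permission_callback' => 'score_update_permission',
    ] );
} );

function score_update_permission( WP_REST_Request $request ) {
    // With cookie authentication, a request sent without a valid X-WP-Nonce
    // is not treated as logged in, so this rejects it instead of running as user 0.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', [ 'status' => 401 ] );
    }
    // Authorization is separate from identification. 'read' is an assumed
    // minimum capability; pick the one that matches the data being changed.
    if ( ! current_user_can( 'read' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );
    }
    return true;
}

function score_update_callback( WP_REST_Request $request ) {
    // The ID comes from the authenticated session, never from request data.
    $user_id = get_current_user_id();
    $user    = get_userdata( $user_id );

    // Custom permission stored as user meta (hypothetical key).
    $can_submit = (bool) get_user_meta( $user_id, 'score_can_submit', true );
    if ( ! $can_submit ) {
        return new WP_Error( 'score_not_allowed', 'Score submission is disabled for this user.', [ 'status' => 403 ] );
    }

    // Treat every client-supplied field as untrusted input.
    $var1 = sanitize_text_field( (string) $request->get_param( 'var1' ) );

    return rest_ensure_response( [
        'user_id' => $user_id,
        'roles'   => $user->roles,
        'var1'    => $var1,
    ] );
}
```

The nonce only shows that the request came from a page WordPress served to this session; the identity itself comes from the login cookie, so a client cannot use the nonce to pose as another user.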