Access Control in API Routes

LeoLee

Hello!

I purchased the plus package and would like to assign different user access control in API Routes on my website. When I try to deny the GET and POST method in some API routes such as /wp/v2/custompost/ for some specific roles(Such as User Group A) in AAM, it still can get the information from the API route (/wp/v2/custompost/) by the user with the specific role. (I supposed will get the information about access deny for the user which was assigned in User Group A)

Website Details:
WordPress Version: 5.2.4
Plugin - AAM Plus Package (Ver: 5.3.3)
Plugin - Advanced Access Manager (Ver: 6.4.3)

Thank you!

Best Regards,
Leo Lee

vasyl

LeoLee hi Leo. You have to make sure that your API requests are authenticated. Please explain how do you authenticate them? JWT token, cookies, etc.?

LeoLee

Hi vasyl,

Thank you for your reply. In my website I don't have any authentication for API request. (Just install AAM and AAM Plus Package and then )

May I ask you for access control on API route the API requests must be authenticated? Do you have some examples how to authenticate them such as JWT token or cookies?

Thank you very much!

Best Regards,
Leo

vasyl

LeoLee good question,

If you do not authenticate your API request, then how another way WordPress core will determine who actually sends this request?

In the "Ultimate guide to WordPress JWT authentication" you can find information about authenticating requests with JWT Bearer token.

Regards,
Vasyl