Using Postman with the WordPress REST API
David Woolf
Posted on August 26, 2021
Postman is a powerful tool for sending HTTP requests and viewing the response data. While you can do public GET requests in any browser, Postman offers the following:
- POST, PUT, and DELETE requests (along with a bunch more)
- Passing headers
- Passing body data
- Authentication
- Viewing the response as different types of data
- Saving your responses for use later
Sending your first request
First, make sure you download and install the Postman app from here. We'll be using the desktop version to walk through making requests and viewing the results.
Once the app is installed, you should see something like this:
To start making requests, just click the + icon next to the Overview tab in the main column.
In the top area of the new tab, you have a few options:
- set the request type (defaults to GET)
- enter your url
- send the request
- Add url parameters, authorization, headers, and body data (we will not be covering the other options in this article)
The fastest way to get started is to test a public GET request. Whether you're working locally or with a live site, you can enter your WordPress site's url and append /wp-json/wp/v2/posts
With permalinks: **http://index.local/wp-json/wp/v2/posts**
Without permalinks: **http://index.local/?rest_route=/wp/v2/posts**
Once you enter the url, hit "Send" and you'll see the response at the bottom:
Postman does a few things here that are useful for testing:
- Displays the body response and formats the response automatically as JSON
- Provides other views like raw (this is super helpful when using print_r to debug)
- Has options to view any cookies in the request, and the headers that were sent back
- Provides the status, time the response took, and the size
Sending POST requests
To send POST (or PUT and DELETE) requests from Postman to WordPress, we'll need to authenticate our requests. This is a WordPress requirement, as these types of requests need to happen when logged in.
There are a couple of different ways to authenticate requests from Postman to WordPress.
Passing a nonce and cookie
If you are actively working in the WordPress dashboard and need to quickly test some API methods in Postman, you can actually pass your browser's nonce and cookie values in Postman.
This requires that you perform an action that sends the API request, which you will then read from the browser's inspector tools.
From any modern browser:
- Open up the browser's inspector tools
- Click the Network tab
- Filter to show only Fetch or XHR requests
- Refresh the page (or perform an action that will cause an API request)
- Click the request from the list in the inspector
- Click the Headers tab
- Find the request headers
- Copy the X-WP-Nonce header value
Then in your Postman request tab:
- Click the Headers tab at the top, under the url bar
- Scroll to the bottom of the list and double click the key field to make it editable
- Enter X-WP-Nonce
- Double click the value field next to the key field
- Enter your nonce value
- Enter another header and name it Cookie
Now go back to your browser's inspector tools
- Find your cookies list
- Safari: Click Storage at the top, and then Cookies in the sidebar
- Chrome: Click Application at the top, then open the Cookies dropdown in the sidebar and select the site you are on
- Firefox: Click Storage at the top, then open the Cookies dropdown in the sidebar and select the site you are on
- Find the cookie starting with wordpress_logged_in
- Copy the full cookie name and paste it into the value for the Cookie header in Postman
- Add an = sign at the end
- Copy the full cookie value from the browser and enter it after the = sign
Once you're done, you will see two new headers that look something like this:
- X-WP-Nonce | ce243bbe44
- Cookie | wordpress_logged_in_9ab7178f511b0215ddb4f12594ea7d1b=david%7C1629648436%7CKRHVjvhnwKGvUxs6lUQ6PyaPiAgi6TfwjUGwalhCQm2%7C5948f6d8ebad2bbaab3984c1876020217d6a6e9db6b90dcdda9e10c0967d6182
As you can see, it's a lot of steps. But if you are working in a system where you can't add extra authentication and need to test a POST endpoint, it can be valuable.
Basic authentication with application passwords
Using basic authentication is a much easier way to authenticate requests if you have the option. It also lets you perform more powerful testing, as you could try requests as different users with varying roles to make sure your APIs are secure.
WordPress now comes with an application password generator for users, making basic auth easy to set up:
- Edit the user in WordPress you want to authenticate as
- Scroll down to Application Passwords
- Enter Postman in the "New Application Password Name"
- Click "Add New Application Password"
- The password will be shown and look something like this:
jMOs od2z uGji E4Pu oYMV v1HZ
- Make sure to copy the password before doing anything else. You can only see it the one time (if you screw up, revoke the password you just made and start over)
In your Postman request screen:
- Click Authorization under the url field
- Select Basic Auth from the type dropdown
- Enter your WordPress username
- Enter the password you copied
You are now set up to handle POST, PUT, and DELETE requests! To test this:
- Change the request dropdown next to the url to POST
- Enter your URL plus /wp-json/wp/v2/posts/<id> where <id> is a post ID
- Select the Body tab under the url field
- Select the raw radio option
- Change the Text dropdown on the right of the radio options to be JSON
- Enter:
{ "title": "New Title" }
- Click Send
If you follow these steps, you should see something like this:
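The article suggests trying requests as different users with varying roles; the following added example (not part of the original article) scripts that check in Python by sending the same POST with each user's application password and reporting any role whose status code differs from what you expect. The usernames, placeholder passwords, post ID 1 and the expected status codes are assumptions for illustration; point it at a throwaway post, since a permitted request really does change the title.

```python
import base64
import json
import urllib.error
import urllib.request


def build_update_request(site, post_id, title, user=None, app_password=None):
    """Build the POST the article sends from Postman; omit user for an anonymous probe."""
    req = urllib.request.Request(
        f"{site.rstrip('/')}/wp-json/wp/v2/posts/{post_id}",
        data=json.dumps({"title": title}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if user is not None:
        # Basic auth is only base64-encoded, not encrypted: use HTTPS off localhost.
        token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    return req


def send(req):
    """Return the HTTP status; urllib raises on 4xx/5xx, so unwrap that."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_roles(site, post_id, cases, sender=send):
    """cases: (label, user, app_password, expected_status). Returns the mismatches."""
    failures = []
    for label, user, app_password, expected in cases:
        status = sender(build_update_request(site, post_id, "Role audit", user, app_password))
        if status != expected:
            failures.append((label, expected, status))
    return failures


if __name__ == "__main__":
    # Constructed accounts and placeholder passwords; replace with your own test users.
    cases = [
        ("editor", "editor_user", "xxxx xxxx xxxx xxxx xxxx xxxx", 200),
        ("subscriber", "subscriber_user", "xxxx xxxx xxxx xxxx xxxx xxxx", 403),
        ("anonymous", None, None, 401),
    ]
    for label, expected, got in audit_roles("http://index.local", 1, cases):
        print(f"{label}: expected {expected}, got {got}")
```

An empty result means every role got the status you expected; any line printed is an endpoint that is more (or less) permissive than intended for that role.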
Adding authentication for multiple requests
To make authentication even easier, you should create a collection for your requests, and set the authentication globally. That way you can spin up new requests without copying and pasting your username and password every time. To do this:
- Make sure your sidebar in Postman is open and set to Collections:
- Click the Create Collection button in the center
- Your collection will immediately be created and show authentication settings:
- Select Basic Auth and perform the same steps as authenticating a single request:
- Go back to your request tab and revert the Authorization settings back to "Inherit auth from parent"
- Lastly, save your request and add it into the new collection
Wrap Up
You are now ready to test your WordPress REST endpoints in Postman! With these steps you can quickly test one-off APIs when you don't have access to modify users or create collections for your different WordPress installations using basic authentication.