David Woolf

Using Postman with the WordPress REST API

Postman is a powerful tool for sending HTTP requests and viewing the response data. While you can do public GET requests in any browser, Postman offers the following:

  • POST, PUT, and DELETE requests (along with a bunch more)
  • Passing headers
  • Passing body data
  • Authentication
  • Viewing the response as different types of data
  • Saving your responses for use later

Sending your first request

First, make sure you download and install the Postman app. We'll be using the desktop version to walk through making requests and viewing the results.

Once the app is installed, you should see something like this:

Screen shot of Postman with no configuration

To start making requests, just click the + icon next to the Overview tab in the main column.

Screen shot of Postman with a new request tab

In the top area of the new tab, you have a few options:

  • set the request type (defaults to GET)
  • enter your url
  • send the request
  • Add url parameters, authorization, headers, and body data (we will not be covering the other options in this article)

The fastest way to get started is to test a public GET request. Whether you're working locally or with a live site, you can enter your WordPress site's URL and append /wp-json/wp/v2/posts:

With permalinks: http://index.local/wp-json/wp/v2/posts
Without permalinks: http://index.local/?rest_route=/wp/v2/posts

Once you enter the url, hit "Send" and you'll see the response at the bottom:

Screen shot of Postman with a GET request and the resulting JSON value

Postman does a few things here that are useful for testing:

  • Displays the body response and formats the response automatically as JSON
  • Provides other views like raw (this is super helpful when using print_r to debug)
  • Has options to view any cookies in the request, and the headers that were sent back
  • Provides the status, time the response took, and the size

Sending POST requests

To send POST (or PUT and DELETE) requests from Postman to WordPress, we'll need to authenticate our requests. This is a WordPress requirement, as these types of requests need to happen when logged in.

There are a couple of different ways to authenticate requests from Postman to WordPress.

Passing a nonce and cookie

If you are actively working in the WordPress dashboard and need to quickly test some API methods in Postman, you can actually pass your browser's nonce and cookie values in Postman.

This requires that you perform an action that sends the API request, which you will then read from the browser's inspector tools.

From any modern browser:

  1. Open up the browser's inspector tools
  2. Click the Network tab
  3. Filter to show only Fetch or XHR requests
  4. Refresh the page (or perform an action that will cause an API request)
  5. Click the request from the list in the inspector
  6. Click the Headers tab
  7. Find the request headers
  8. Copy the X-WP-Nonce header value

Then in your Postman request tab:

  1. Click the Headers tab at the top, under the url bar
  2. Scroll to the bottom of the list and double click the key field to make it editable
  3. Enter X-WP-Nonce
  4. Double click the value field next to the key field
  5. Enter your nonce value
  6. Enter another header and name it Cookie

Now go back to your browser's inspector tools

  1. Find your cookies list
    1. Safari: Click Storage at the top, and then Cookies in the sidebar
    2. Chrome: Click Application at the top, then open the Cookies dropdown in the sidebar and select the site you are on
    3. Firefox: Click Storage at the top, then open the Cookies dropdown in the sidebar and select the site you are on
  2. Find the cookie starting with wordpress_logged_in
  3. Copy the full cookie name and paste it into the value for the Cookie header in Postman
  4. Add an = sign at the end
  5. Copy the full cookie value from the browser and enter it after the = sign

Once you're done, you will see two new headers that look something like this:

  • X-WP-Nonce | ce243bbe44
  • Cookie | wordpress_logged_in_9ab7178f511b0215ddb4f12594ea7d1b=david%7C1629648436%7CKRHVjvhnwKGvUxs6lUQ6PyaPiAgi6TfwjUGwalhCQm2%7C5948f6d8ebad2bbaab3984c1876020217d6a6e9db6b90dcdda9e10c0967d6182

As you can see, it's a lot of steps. But if you are working in a system where you can't add extra authentication and need to test a POST endpoint, it can be valuable.

Basic authentication with application passwords

Using basic authentication is a much easier way to authenticate requests if you have the option. It also lets you perform more powerful testing, as you could try requests as different users with varying roles to make sure your APIs are secure.

WordPress now comes with an application password generator for users, making basic auth easy to set up:

  1. Edit the user in WordPress you want to authenticate as
  2. Scroll down to Application Passwords
  3. Enter Postman in the "New Application Password Name"
  4. Click "Add New Application Password"
  5. The password will be shown and look something like this: jMOs od2z uGji E4Pu oYMV v1HZ
  6. Make sure to copy the password before doing anything else. You can only see it the one time (if you screw up, revoke the password you just made and start over)

In your Postman request screen:

  1. Click Authorization under the url field
  2. Select Basic Auth from the type dropdown
  3. Enter your WordPress username
  4. Enter the password you copied

Screen shot of a Postman request tab top area

You are now set up to handle POST, PUT, and DELETE requests! To test this:

  1. Change the request dropdown next to the url to POST
  2. Enter your URL plus /wp-json/wp/v2/posts/<id> where <id> is a post ID
  3. Select the Body tab under the url field
  4. Select the raw radio option
  5. Change the Text dropdown on the right of the radio options to be JSON
  6. Enter: { "title": "New Title" }
  7. Click Send

If you follow these steps, you should see something like this:

Postman request tab with body settings selected
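Both authentication methods above, plus the idea of trying the same request as users with different roles, written as a script (an added example, not code from the original article). The credential dict shape, the function names and the `send` parameter are assumptions made for this sketch; the expected status for each role is whatever you decide that role should get.

```python
import base64
import json
import urllib.error
import urllib.request


def auth_headers(cred):
    """Build the headers Postman would send for one credential (hypothetical dict shape)."""
    if cred["type"] == "basic":
        # Username plus the application password exactly as WordPress displayed it.
        raw = f'{cred["user"]}:{cred["app_password"]}'.encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if cred["type"] == "cookie":
        # Cookie header is "<full cookie name>=<cookie value>", sent with the nonce header.
        return {"Cookie": f'{cred["cookie_name"]}={cred["cookie_value"]}',
                "X-WP-Nonce": cred["nonce"]}
    return {}  # anonymous: no credentials at all


def update_title_status(site, post_id, cred, title="New Title",
                        send=urllib.request.urlopen):
    """POST {"title": ...} to /wp-json/wp/v2/posts/<id> and return the HTTP status."""
    req = urllib.request.Request(
        f"{site.rstrip('/')}/wp-json/wp/v2/posts/{post_id}",
        data=json.dumps({"title": title}).encode(),
        headers={"Content-Type": "application/json", **auth_headers(cred)},
        method="POST",
    )
    try:
        with send(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib reports 4xx/5xx responses as exceptions


def role_mismatches(site, post_id, cases, send=urllib.request.urlopen):
    """cases maps label -> (cred, expected_status).

    Returns {label: (expected, got)} for every case that did not match.
    """
    bad = {}
    for label, (cred, expected) in cases.items():
        got = update_title_status(site, post_id, cred, send=send)
        if got != expected:
            bad[label] = (expected, got)
    return bad
```

Run `role_mismatches("http://index.local", <id>, cases)` against a test site with one entry per role; an empty dict means every role received the status you expected.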

Adding authentication for multiple requests

To make authentication even easier, you should create a collection for your requests, and set the authentication globally. That way you can spin up new requests without copying and pasting your username and password every time. To do this:

  1. Make sure your sidebar in Postman is open and set to Collections:

Postman left hand sidebar with collections

  2. Click the Create Collection button in the center
  3. Your collection will immediately be created and show authentication settings:

A new collection in Postman

  4. Select Basic Auth and perform the same steps as authenticating a single request:

Zoomed in screenshot of Basic authentication settings in Postman

  5. Go back to your request tab and revert the Authorization settings back to "Inherit auth from parent"
  6. Lastly, save your request and add it into the new collection

Wrap Up

You are now ready to test your WordPress REST endpoints in Postman! With these steps you can quickly test one-off APIs when you don't have access to modify users, or create collections for your different WordPress installations using basic authentication.



Top comments (1)

Fuad Hasan • Edited

Thanks for this. The copy paste method works fine.

But since the latest WordPress versions, the Application Password method is not working anymore. It responds with something like this:

"code": "incorrect_password",
"message": "The provided password is an invalid application password.",
"data": {
"status": 401

Hope you will update the blog with the new method of using the Application Password plugin.