Some REST API requests require authentication to return information for a request – for example the endpoint:
GET https://demo.theeventscalendar.com/wp-json/tribe/tickets/v1/attendees
is a valid endpoint to return all attendees for the given site, but without proper authentication, a site that has attendees will still return:
{
  "rest_url": "https://demo.theeventscalendar.com/wp-json/tribe/tickets/v1/attendees/",
  "total": 0,
  "total_pages": 0,
  "attendees": []
}
Since our REST API is built on top of the WordPress API, the same authentication practices are baked in. This ensures that sensitive information (such as attendees’ personal data) remains protected.
You can refer to this article for more basics on using our Event/Ticket REST API.
Set up an Authentication Method
Luckily, it is relatively simple to set up authentication methods for using the REST API within your site! Here are three options:
- Basic Auth plugin: Recommended for simple authentication. It allows you to use your WordPress admin credentials for API requests.
- JWT Authentication plugin: For more advanced JWT (JSON Web Token) authentication.
- Nonce Authentication: Create a nonce using the wp_create_nonce() function with the action set to 'wp_rest'. This method requires more technical understanding but is very versatile once set up.
Regardless of the option you choose here, you are basically setting up a secret password (token) within your site that will allow you to have access to otherwise protected information or actions. This authentication process is already happening “under the hood” on every page you visit when you are logged in to the admin side of your site, but for use in REST API calls this needs to be explicitly set up.
Make a REST Request using curl
Using the same example as before, how would we GET all the attendees from our site? For the purposes of this example, let’s assume you have the Basic Auth plugin installed and activated, which allows you to use your WP admin credentials for authentication using a curl request. In a terminal, you can then run a command like this (replacing user:pass with your WP username and password, and updating the URL):
curl --user user:pass -X GET \
  -H "Content-Type: application/json" \
  [https://www.yoursite.url]/wp-json/tribe/tickets/v1/attendees
Using a locally hosted site with one attendee as an example, this is what the response will look like:
{
  "rest_url": "https://stable.dev.lndo.site/wp-json/tribe/tickets/v1/attendees/",
  "total": 1,
  "total_pages": 1,
  "attendees": [
    {
      "id": 33,
      "post_id": 29,
      "ticket_id": 30,
      "global_id": "stable.dev.lndo.site?type=attendee&id=33",
      "global_id_lineage": ["stable.dev.lndo.site?type=attendee&id=33"],
      "author": "1",
      "status": "publish",
      "date": "2024-06-06 15:36:45",
      "date_utc": "2024-06-06 21:36:45",
      "modified": "2024-06-06 15:36:45",
      "modified_utc": "2024-06-06 21:36:45",
      "rest_url": "https://stable.dev.lndo.site/wp-json/tribe/tickets/v1/attendees/33",
      "ticket": {
        "id": "30",
        "title": "Entree",
        "description": "Allows entree to the BBQ",
        "raw_price": 20,
        "formatted_price": "20.00",
        "currency_config": {
          "symbol": "$",
          "placement": "prefix",
          "decimal_point": ".",
          "thousands_sep": ",",
          "number_of_decimals": 2
        },
        "start_sale": "2024-06-01",
        "end_sale": "2024-07-01"
      },
      "title": "Steve Harvey",
      "optout": true,
      "provider": "woo",
      "order": "32",
      "sku": "",
      "email": "[email protected]",
      "checked_in": false,
      "checkin_details": false,
      "is_subscribed": false,
      "is_purchaser": true,
      "payment": {
        "provider": "woo",
        "price": 20,
        "currency": "$",
        "date": "2024-06-06 15:36:16",
        "date_details": {
          "year": "2024",
          "month": "06",
          "day": "06",
          "hour": "15",
          "minutes": "36",
          "seconds": "16"
        }
      }
    }
  ]
}
Making a REST Request with AJAX
This section will assume that you know how to set up a basic AJAX call (but here is a guide if you need help getting started).
In your PHP where you have the script enqueued, you can add a nonce as a localized variable with wp_localize_script():
// Localize the script with the nonce
wp_localize_script( 'handle-of-script', 'localized_script_variables', array(
    'ajax_url'      => admin_url( 'admin-ajax.php' ),
    'rest_endpoint' => '/wp-json/tribe/tickets/v1/attendees/',
    'nonce'         => wp_create_nonce( 'wp_rest' ),
) );
Then in your JavaScript file, use the nonce to authenticate your request:
$.ajax({
    // Call the REST route, not admin-ajax.php: the X-WP-Nonce header is checked by the REST API.
    url: localized_script_variables.rest_endpoint,
    type: 'GET',
    dataType: 'json',
    headers: {
        // Nonce created in PHP with wp_create_nonce( 'wp_rest' )
        'X-WP-Nonce': localized_script_variables.nonce,
    },
    success: renderAttendees // This can be a callback that handles the attendees in the response.
});
This ensures that your AJAX request is authenticated and securely retrieves the data you need. You can test that the authentication is happening by triggering the AJAX call as a logged-in user versus an incognito window.
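One way to script the logged-in versus incognito comparison described above, as an added example that is not code from The Events Calendar. The function names, the list of sensitive fields and the sample responses are constructed for illustration, and the site is assumed to be installed at the domain root. An anonymous probe that comes back with attendee data is reported as a leak, and an empty list on a credentialed request is treated as ambiguous, since a missing nonce makes WordPress handle the request as unauthenticated.

```javascript
// Added example; names and sample data are constructed, not from the plugin.
// Attendee fields from the response above that carry personal or order data.
const SENSITIVE_FIELDS = ['title', 'email', 'order', 'payment'];

// Build the request for the attendees route. Without a nonce this is the
// anonymous ("incognito") probe; with one it is the cookie + nonce request.
function buildAttendeesRequest(siteUrl, nonce) {
  // Assumes WordPress is installed at the domain root, as in the page's PHP.
  const url = new URL('/wp-json/tribe/tickets/v1/attendees/', siteUrl).toString();
  const headers = { Accept: 'application/json' };
  if (nonce) headers['X-WP-Nonce'] = nonce;
  const credentials = nonce ? 'same-origin' : 'omit';
  return { url, options: { method: 'GET', headers, credentials } };
}

// Interpret a response. An unauthenticated caller gets an empty list rather
// than an error, so an empty result does not prove the site has no attendees.
function classifyAttendeesResponse(status, body, sentCredentials) {
  if (status === 401 || status === 403) {
    // e.g. code "rest_cookie_invalid_nonce" when the nonce is stale or wrong
    return { state: 'rejected', code: (body && body.code) || null, exposed: [] };
  }
  const attendees = body && Array.isArray(body.attendees) ? body.attendees : [];
  const exposed = [...new Set(attendees.flatMap((a) =>
    SENSITIVE_FIELDS.filter((f) => a[f] !== undefined && a[f] !== '')))];
  if (!sentCredentials) {
    return { state: exposed.length ? 'leak' : 'protected', code: null, exposed };
  }
  const state = attendees.length ? 'authenticated' : 'empty-or-unauthenticated';
  return { state, code: null, exposed };
}

// Constructed sample responses (not captured from a real site).
const SAMPLE_ANON = { total: 0, total_pages: 0, attendees: [] };
const SAMPLE_AUTHED = { total: 1, total_pages: 1, attendees: [
  { id: 33, title: 'Sample Attendee', email: 'attendee@example.test', order: '32', sku: '' },
] };

// Run both probes; pass the nonce localized by wp_localize_script().
async function compareAccess(siteUrl, nonce, fetchImpl = fetch) {
  const results = {};
  for (const [name, n] of [['anonymous', null], ['loggedIn', nonce]]) {
    const { url, options } = buildAttendeesRequest(siteUrl, n);
    const res = await fetchImpl(url, options);
    results[name] = classifyAttendeesResponse(res.status, await res.json(), Boolean(n));
  }
  return results;
}
```

Calling `compareAccess(location.origin, localized_script_variables.nonce)` from a page where the script is enqueued should report `protected` for the anonymous probe and `authenticated` for the logged-in one on a site that has attendees.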
Wrapping Up
If you run into any issues, feel free to open a ticket with our support team. We’re always here to help with the basics, but please keep in mind that our ability to assist with customizations might be a bit limited. Happy coding!