The documentation for WooCommerce Blocks has moved to the WooCommerce monorepo.
Please refer to the documentation in the new location as the files in this repository will no longer be updated and the repository will be archived.
- Store API Endpoints that Require Nonces
- Sending Nonce Tokens with requests
- Generating security nonces from WordPress
- Disabling Nonces for Development
Nonces are generated numbers used to verify origin and intent of requests for security purposes. You can read more about nonces in the WordPress codex.
POST requests to the `/cart` endpoints and all requests to the `/checkout` endpoints require a nonce to function. Failure to provide a valid nonce will return an error response.
Nonce tokens are included with the request headers. Create a request header named `Nonce`. This will be validated by the API.
Example:
```sh
curl --header "Nonce: 12345" --request GET https://example-store.com/wp-json/wc/store/v1/checkout
```
After a successful request, an updated `Nonce` header is sent back. The client must store this value and use it for subsequent requests.
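The request rules and nonce rotation described above, as an added example that is not part of the original documentation or the WooCommerce code base. `StoreApiClient`, `requiresNonce` and `fetchImpl` are hypothetical names, and the initial nonce is assumed to have been generated server-side with `wp_create_nonce( 'wc_store_api' )`.

```javascript
// Added example: client-side nonce handling for the Store API rules described above.
// Assumptions: the initial nonce was produced server-side with
// wp_create_nonce( 'wc_store_api' ); fetchImpl is any fetch-compatible function.
const STORE_PREFIX = '/wp-json/wc/store/v1';

// POST requests to /cart endpoints and all requests to /checkout endpoints need a nonce.
// `route` is relative to STORE_PREFIX, e.g. '/checkout'.
function requiresNonce(method, route) {
  const under = (base) =>
    route === base || route.startsWith(base + '/') || route.startsWith(base + '?');
  if (under('/checkout')) return true;
  return method.toUpperCase() === 'POST' && under('/cart');
}

class StoreApiClient {
  constructor(baseUrl, initialNonce = null, fetchImpl = globalThis.fetch) {
    this.baseUrl = baseUrl.replace(/\/+$/, ''); // drop trailing slashes
    this.nonce = initialNonce;
    this.fetchImpl = fetchImpl;
  }

  async request(method, route, body) {
    const headers = { 'Content-Type': 'application/json' };
    if (requiresNonce(method, route)) {
      // Fail locally instead of sending a request the API will reject.
      if (!this.nonce) throw new Error(`No nonce held for ${method} ${route}`);
      headers['Nonce'] = this.nonce;
    }
    const res = await this.fetchImpl(this.baseUrl + STORE_PREFIX + route, {
      method,
      headers,
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    // Keep the updated Nonce header only when the request succeeded.
    const updated = res.headers.get('Nonce');
    if (res.ok && updated) this.nonce = updated;
    return res;
  }
}
```

Keep one client instance per shopper session so that each response's `Nonce` header replaces the stored value before the next cart or checkout call.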
Nonces must be created using the `wp_create_nonce` function with the key `wc_store_api`.

```php
wp_create_nonce( 'wc_store_api' )
```
There is no other mechanism in place for creating nonces.
If you want to test REST endpoints without providing a nonce, you can use the following filter:
```php
add_filter( 'woocommerce_store_api_disable_nonce_check', '__return_true' );
```
Nonce checks will be bypassed if `woocommerce_store_api_disable_nonce_check` evaluates to `true`.
NOTE: This should only be done on development sites where security is not important. Do not enable this in production.