WordPress REST API fix
Fix WordPress REST API permission_callback mistakes.
A good permission callback answers one narrow question: is this specific request allowed to run this specific callback for this specific user?
When to use this fix
- The route exists, but the response is rest_forbidden, rest_cannot_create, or a bare 403.
- Authentication works, but only some roles can complete the request.
- A custom route uses __return_true for a private write action.
- You need to separate public reads from private writes.
Callback decision map
| Route type | Bad permission pattern | Safer pattern |
|---|---|---|
| Public read | Requires admin for harmless public data | Return true only for data that is genuinely public; give the write method on the same path its own callback. |
| Private read | Returns true and exposes user data | Check a capability that matches the data (for example read_private_posts); use is_user_logged_in() only when every authenticated role may see it. |
| Post create/update | Uses __return_true | Check current_user_can('edit_posts') for create and current_user_can('edit_post', $id) for the target post on update; edit_posts alone ignores ownership. |
| Settings update | Checks logged-in only | Check current_user_can('manage_options'). |
| Webhook receiver | Uses logged-in browser auth | Verify an HMAC signature or shared secret with hash_equals() instead of cookie auth; no WordPress user is involved. |
Before and after route
Before
```php
// Anyone, including anonymous callers, can POST to this settings route.
register_rest_route( 'agency/v1', '/settings', [
    'methods'             => 'POST',
    'callback'            => 'agency_save_settings',
    'permission_callback' => '__return_true',
] );
```
After
```php
// Only users with manage_options (administrators by default) may POST.
register_rest_route( 'agency/v1', '/settings', [
    'methods'             => 'POST',
    'callback'            => 'agency_save_settings',
    'permission_callback' => function () {
        return current_user_can( 'manage_options' );
    },
] );
```
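The rows of the decision map, carried through as one registration block alongside the settings fix above. This is an added example and not code from the page or from any plugin; the route names under agency/v1, the handler functions (agency_list_offices, agency_create_office, agency_my_leads, agency_approve_post, agency_handle_webhook) and the AGENCY_WEBHOOK_SECRET constant are assumptions, and the handlers are assumed to be defined elsewhere.

```php
<?php
/**
 * Added example (not from the page or any plugin): one route per row of the
 * decision map. Route names, handler functions and AGENCY_WEBHOOK_SECRET
 * (define it in wp-config.php) are assumptions.
 */
add_action( 'rest_api_init', function () {

    // Public read and private write on the same path: each method gets its own
    // permission callback. Returning true is fine only because the GET payload
    // is genuinely public.
    register_rest_route( 'agency/v1', '/offices', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'agency_list_offices',
            'permission_callback' => '__return_true',
        ],
        [
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'agency_create_office',
            'permission_callback' => function () {
                return current_user_can( 'manage_options' );
            },
        ],
    ] );

    // Private read: is_user_logged_in() is acceptable only when every
    // authenticated role may see this data; otherwise check a capability.
    register_rest_route( 'agency/v1', '/me/leads', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'agency_my_leads',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ] );

    // Post update: the check is per object, so pass the post ID from the URL.
    // A bare edit_posts check would let an author approve someone else's post.
    register_rest_route( 'agency/v1', '/posts/(?P<id>\d+)/approve', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'agency_approve_post',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
    ] );

    // Webhook receiver: no WordPress user is involved, so verify an HMAC over
    // the raw body with a shared secret. hash_equals() is a constant-time
    // comparison, so a wrong signature does not leak how many bytes matched.
    register_rest_route( 'agency/v1', '/webhook', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'agency_handle_webhook',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! defined( 'AGENCY_WEBHOOK_SECRET' ) ) {
                return new WP_Error( 'agency_no_secret', 'Webhook secret not configured.', [ 'status' => 500 ] );
            }
            $sent     = (string) $request->get_header( 'x-agency-signature' );
            $expected = hash_hmac( 'sha256', $request->get_body(), AGENCY_WEBHOOK_SECRET );
            if ( '' === $sent || ! hash_equals( $expected, $sent ) ) {
                return new WP_Error( 'agency_bad_signature', 'Invalid signature.', [ 'status' => 401 ] );
            }
            return true;
        },
    ] );
} );
```

A permission callback may return true, false, or a WP_Error; returning a WP_Error with an explicit status is how the webhook route reports "unauthenticated" (401) without any user session existing. The signature is computed over the raw body from get_body(), not over the parsed parameters, so the sender and receiver hash exactly the same bytes.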
Verification workflow
- Confirm the route appears in the REST index (GET /wp-json/); if it does not, the problem is registration, not permissions.
- Test unauthenticated access. A request that reaches the callback and fails it returns 401 with rest_forbidden; a logged-in user without the capability gets 403.
- Test with the lowest role that should succeed.
- Test with a role that should fail, and confirm it actually fails.
- Only then debug callback payload validation.
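The verification steps above as one script to run with WP-CLI (wp eval-file rest-perm-check.php) against a development site. This is an added example, not part of the page; it assumes the agency/v1/settings route from the Before and after section with an agency_save_settings handler that returns a normal 200 response, and that users with the placeholder logins admin-user and editor-user exist. Because rest_do_request() runs inside WordPress, it skips the cookie-nonce check and any security plugin in front of the site, so the in-process results isolate the permission callback from those layers.

```php
<?php
/**
 * Added example (not from the page): in-process permission check for the
 * agency/v1/settings route. Run with: wp eval-file rest-perm-check.php
 * Assumptions: the route is registered with an agency_save_settings handler
 * that returns 200 for admins, and users admin-user / editor-user exist.
 */

$route = '/agency/v1/settings';

// Step 1: the route must be registered, otherwise every later result would be
// rest_no_route rather than a permission result.
$routes = rest_get_server()->get_routes();
if ( ! isset( $routes[ $route ] ) ) {
    WP_CLI::error( "$route is not registered; fix registration before testing permissions." );
}

// Steps 2-4: anonymous, a role that should fail, the lowest role that should pass.
// Expected statuses follow rest_authorization_required_code(): 401 when no user
// is logged in, 403 when a user is logged in but the callback returns false.
$cases = [
    'anonymous'     => [ 'user' => 0,                                      'expect' => 401 ],
    'editor'        => [ 'user' => get_user_by( 'login', 'editor-user' ),  'expect' => 403 ],
    'administrator' => [ 'user' => get_user_by( 'login', 'admin-user' ),   'expect' => 200 ],
];

$failed = false;
foreach ( $cases as $label => $case ) {
    if ( 'anonymous' !== $label && ! $case['user'] instanceof WP_User ) {
        WP_CLI::error( "No user found for the $label case; create it first." );
    }
    wp_set_current_user( $case['user'] instanceof WP_User ? $case['user']->ID : 0 );

    $request = new WP_REST_Request( 'POST', $route );
    $request->set_body_params( [ 'notify_email' => 'ops@example.test' ] ); // constructed payload

    $response = rest_do_request( $request );
    $status   = $response->get_status();
    $code     = $response->is_error() ? $response->as_error()->get_error_code() : 'ok';

    $ok     = ( $status === $case['expect'] );
    $failed = $failed || ! $ok;
    WP_CLI::line( sprintf( '%s %-14s status=%d code=%s', $ok ? 'PASS' : 'FAIL', $label, $status, $code ) );
}

wp_set_current_user( 0 );
$failed ? WP_CLI::error( 'Permission checks failed.' ) : WP_CLI::success( 'Permission checks passed.' );
```

Only when all three cases pass is it worth debugging payload validation (step 5). Because this runs in-process, follow it with one external request per case, for example curl with an Application Password (-u user:app-password, available since WordPress 5.6 and HTTPS-only by default), to cover the nonce and security-plugin layers this script bypasses.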
Common false positives
- rest_no_route is not a permission callback failure; the route did not match.
- rest_cookie_invalid_nonce can stop the request before your callback logic matters. A missing X-WP-Nonce produces no error at all: WordPress downgrades a cookie-authenticated request to anonymous, so a 401 from a logged-in browser usually means the nonce was not sent.
- Security-plugin 403 HTML can happen before WordPress route permissions run.
- An admin-only route working for admins does not prove editors or customers should work.