Diving in to OAuth 1 and the WP API

We recently worked on a project that called for an integration of an existing WordPress site into a new web application. After considering our different build options, we settled on building out a Ruby on Rails application that would authenticate to the existing WordPress blog. Making use of the WP API, we were able to pull in content from the other site, store it in our applications database, and use throughout the new application.

Why OAuth 1?

To better understand the inclination to use OAuth 1 let’s look at a quick overview of the authentication flow. The typical flow for OAuth 1 goes a little something like this:

  1. There is a manual sign up process by which the client registers with the authentication provider and gets a client key and secret.
  2. The client then sends a request through with client key and client secret and gets back a temporary oauth token and oauth token secret.
  3. These temporary tokens are then used to send an authorization request to the resource owner. This step is often done by directing the user to a specific url. When the owner authorizes the request the user receives a verification code.
  4. A final request is then sent along with the verification code to receive the more permanent oauth token and oauth token secret.
  5. The more permanent tokens are sent in the header of all future requests requiring authorization.

One of the major pitfalls of this flow is the need for the manual in browser authentication and copying of the verification code. The benefit is the longer lifespan of the authentication tokens once procured. Given we planned on authenticating one application to one WordPress site OAuth 1 seemed a reasonable choice.

OAuth 1 and WordPress

To authenticate to, and start using the WP API in WordPress we need to install two plugins to our existing WordPress site: WP Rest API v2.0 and WP API OAuth 1.0a Server.

Once these are installed you will see a new ‘Applications’ option under the user tab in your dashboard. Select that and then create a new registered application. Give it a name and a description and set the callback url to that of your site. If at any time you delete this registered application requests from consumers who authenticated against it will no longer be valid.

Now you are ready to start that sweet, sweet OAuth 1 flow.

What do these OAuth 1 Steps actually look like in plain English? Better yet, in Postman?

Part of the OAuth 1 flow will take place out of the application. We opted to use Postman to send these initial requests.

Sending the request with client key and secret to obtain temporary token and token secret

In Postman open a new tab to create a new request. We are going to make a GET request to:


Under the ‘Authorization’ tab select OAuth 1 and fill out the Consumer Key and Consumer secret with those you obtained when you created your new registered application. Update and then send that request!

Postman will generate a Nonce and OAuth Signature to send along with the request (thanks Postman!!). When the request is successfully sent and returned you should receive an oauth token, oauth token secret, and callback confirmation. The first two will be used in the next step.

Getting authorization from the resource owner

This step will take place in the browser. Open a new tab and paste in the following url:


The oauth token and oauth token secret are those that were obtained in the previous step.

From here you should be redirected to an authorization screen with the name of the registered app you are authorizing displayed. Hit authorize and you will be redirected to a screen with an authorization code. Hold on to this as we will use it in the next step.

Get the permanent oauth token and secret.

Back in Postman we are going to make a final request to get the permanent oauth token and secret that we can then send along with the requests in our application. Open a new tab and send a GET request to the following url:


The verification code is the one you just copied from the in browser authentication step.

Under Authorization copy your consumer key and consumer secret from when you created your registered application in the WordPress backend. Include the token and token secret that were returned in the first request. Update the request and hit send! You will get back an oauth token and oauth token secret, which you can now send along with requests from your app.

Send a practice request

Before pulling data from our WordPress sites into an app, try making a request from Postman. Why not get some posts. In Postman open a new tab and select GET. Enter the following url:


This will return up to 10 posts by default. You can checkout other accepted request parameters and endpoints in the WP Rest API v2 documentation. Under Authorization select OAuth 1. Enter your consumer key and secret (those from when you created the registered app) and the oauth token and oauth token secret (the ones returned from your last request). Update the request and hit send. You should get back a nice array with some posts.

That’s it!

You have now successfully completed the OAuth 1 flow with the WP API. The next step is to create an application and start making requests from within the app. Our next post will cover the creation of a simple Ruby on Rails application that pulls post information from the WP API.