How do I install wp-rest-api?

Run `npx skills add https://github.com/wordpress/agent-skills --skill wp-rest-api` in your terminal. You need to have run `npx skills init` once in your project first.

What does wp-rest-api do?

Register, validate, and debug WordPress REST API endpoints with schema enforcement and permission controls.

Which agent frameworks does wp-rest-api support?

wp-rest-api works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is wp-rest-api free to use?

Yes. wp-rest-api is free to install and use. It is available from the open explainx.ai skill registry published by wordpress.

Where can I read ratings and reviews for wp-rest-api?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Backend

wp-rest-api▌

wordpress/agent-skills · updated Apr 8, 2026

$npx skills add https://github.com/wordpress/agent-skills --skill wp-rest-api

0 commentsdiscussion

summary

›Covers route registration via register_rest_route() and WP_REST_Controller subclasses, custom field exposure through register_rest_field and meta registration, and CPT/taxonomy REST exposure via show_in_rest
›Enforces schema validation, argument sanitization, and permission callbacks; supports cookie + nonce, application passwords, and custom auth plugins
›Includes triage workflo

skill.md

WP REST API

When to use

Use this skill when you need to:

create or update REST routes/endpoints
debug 401/403/404 errors or permission/nonce issues
add custom fields/meta to REST responses
expose custom post types or taxonomies via REST
implement schema + argument validation
adjust response links/embedding/pagination

Inputs required

Repo root + target plugin/theme/mu-plugin (path to entrypoint).
Desired namespace + version (e.g. my-plugin/v1) and routes.
Authentication mode (cookie + nonce vs application passwords vs auth plugin).
Target WordPress version constraints (if below 6.9, call out).

Procedure

0) Triage and locate REST usage

Run triage:
- node skills/wp-project-triage/scripts/detect_wp_project.mjs
Search for existing REST usage:
- register_rest_route
- WP_REST_Controller
- rest_api_init
- show_in_rest, rest_base, rest_controller_class

If this is a full site repo, pick the specific plugin/theme before changing code.

1) Choose the right approach

Expose CPT/taxonomy in wp/v2:
- Use show_in_rest => true + rest_base if needed.
- Optionally provide rest_controller_class.
- Read references/custom-content-types.md.
Custom endpoints:
- Use register_rest_route() on rest_api_init.
- Prefer a controller class (WP_REST_Controller subclass) for anything non-trivial.
- Read references/routes-and-endpoints.md and references/schema.md.

2) Register routes safely (namespaces, methods, permissions)

Use a unique namespace vendor/v1; avoid wp/* unless core.
Always provide permission_callback (use __return_true for public endpoints).
Use WP_REST_Server::READABLE/CREATABLE/EDITABLE/DELETABLE constants.
Return data via rest_ensure_response() or WP_REST_Response.
Return errors via WP_Error with an explicit status.

Read references/routes-and-endpoints.md.

3) Validate/sanitize request args

Define args with type, default, required, validate_callback, sanitize_callback.
Prefer JSON Schema validation with rest_validate_value_from_schema then rest_sanitize_value_from_schema.
Never read $_GET/$_POST directly inside endpoints; use WP_REST_Request.

Read references/schema.md.

4) Responses, fields, and links

Do not remove core fields from default endpoints; add fields instead.
Use register_rest_field for computed fields; register_meta with show_in_rest for meta.
For object/array meta, define schema in show_in_rest.schema.
If you need unfiltered post content (e.g., ToC plugins injecting HTML), request ?context=edit to access content.raw (auth required). Pair with _fields=content.raw to keep responses small.
Add related resource links via WP_REST_Response::add_link().

Read references/responses-and-fields.md.

5) Authentication and authorization

For wp-admin/JS: cookie auth + X-WP-Nonce (action wp_rest).
For external clients: application passwords (basic auth) or an auth plugin.
Use capability checks in permission_callback (authorization), not just “logged in”.

Read references/authentication.md.

6) Client-facing behavior (discovery, pagination, embeds)

Ensure discovery works (Link header or <link rel="https://api.w.org/">).
Support _fields, _embed, _method, _envelope, pagination headers.
Remember per_page is capped at 100.

Read references/discovery-and-params.md.

Verification

/wp-json/ index includes your namespace.
OPTIONS on your route returns schema (when provided).
Endpoint returns expected data; permission failures return 401/403 as appropriate.
CPT/taxonomy routes appear under wp/v2 when show_in_rest is true.
Run repo lint/tests and any PHP/JS build steps.

Failure modes / debugging

404: rest_api_init not firing, route typo, or permalinks off (use ?rest_route=).
401/403: missing nonce/auth, or permission_callback too strict.
_doing_it_wrong for missing permission_callback: add it (use __return_true if public).
Invalid params: missing/incorrect args schema or validation callbacks.
Fields missing: show_in_rest false, meta not registered, or CPT lacks custom-fields support.

Escalation

If version support or behavior is unclear, consult the REST API Handbook and core docs before inventing patterns.

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.6★★★★★49 reviews

★★★★★Pratham Ware· Dec 28, 2024
wp-rest-api has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Li Kim· Dec 20, 2024
We added wp-rest-api from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Li Chen· Dec 12, 2024
Useful defaults in wp-rest-api — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Arjun Mensah· Dec 4, 2024
wp-rest-api fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
★★★★★Ira Shah· Dec 4, 2024
Registry listing for wp-rest-api matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Chen Gupta· Nov 23, 2024
I recommend wp-rest-api for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Evelyn Anderson· Nov 23, 2024
wp-rest-api reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Yash Thakker· Nov 19, 2024
Solid pick for teams standardizing on skills: wp-rest-api is focused, and the summary matches what you get after install.
★★★★★Arjun Okafor· Nov 19, 2024
wp-rest-api is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Arjun Sanchez· Nov 11, 2024
Keeps context tight: wp-rest-api is the kind of skill you can hand to a new teammate without a long onboarding doc.

showing 1-10 of 49

1 / 5