Nonce


id: core-nonce-get
owner: core
method: GET
path: /wp-json/headlesswp/v1/nonce
title: Nonce
usedBySite: true

GET /wp-json/headlesswp/v1/nonce

Fetch a WordPress REST nonce for CSRF protection. If a cookie session is present, the response also includes the current user payload.

Auth + CSRF

  • Auth: public (cookie-based session optional)
  • Proxy nonce required: no
  • CSRF: exempt at the proxy boundary (HWP nonce policy: never)

Request schema

No request body.

Response schema

{
  "data": {
    "nonce": "string",
    "headerName": "X-WP-Nonce",
    "userLoggedIn": true,
    "userId": 123,
    "user": {
      "id": 123,
      "email": "person@example.com",
      "displayName": "Person Name",
      "roles": ["subscriber"],
      "createdAt": "2024-01-01T00:00:00Z"
    }
  },
  "meta": {
    "correlationId": "string-or-null",
    "correlation_id": "string-or-null",
    "request_id": "string-or-null",
    "timestamp": "2024-01-01T00:00:00Z"
  }
}

When logged out, userLoggedIn is false, userId is omitted, and user is null.

Error codes

No custom error codes are declared for this endpoint in the fixtures. Treat non-200 responses as standard REST errors.

Example (logged out)

{
  "data": {
    "nonce": "df1b8d2d2c",
    "headerName": "X-WP-Nonce",
    "userLoggedIn": false,
    "user": null
  },
  "meta": {
    "correlationId": "0c1e9d0b-cc00-4c8a-9d3f-5c0b6ad1772c",
    "correlation_id": "0c1e9d0b-cc00-4c8a-9d3f-5c0b6ad1772c",
    "request_id": "0c1e9d0b-cc00-4c8a-9d3f-5c0b6ad1772c",
    "timestamp": "2024-01-01T00:00:00Z"
  }
}
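
Example client (added here, not part of the original documentation or the project's own code): it validates the documented response shape, including the logged-out rule (user is null, userId omitted), and builds the CSRF header from headerName and nonce. The helper names parseNonceResponse and fetchNonce, the baseUrl parameter and the header-name pattern are assumptions of this example.

```javascript
// Added example: consume GET /wp-json/headlesswp/v1/nonce as documented above.
// parseNonceResponse and fetchNonce are hypothetical helper names.
const NONCE_PATH = "/wp-json/headlesswp/v1/nonce";

// Validate the documented envelope and return only what a caller needs.
function parseNonceResponse(body) {
  const data = body && body.data;
  if (!data || typeof data !== "object") throw new Error("missing data object");
  const { nonce, headerName, userLoggedIn, userId, user } = data;
  // Reject empty nonces and anything containing CR/LF (header splitting).
  if (typeof nonce !== "string" || nonce.length === 0 || /[\r\n]/.test(nonce)) {
    throw new Error("invalid nonce");
  }
  // Assumption: header names are limited to letters, digits and hyphens.
  if (typeof headerName !== "string" || !/^[A-Za-z0-9-]+$/.test(headerName)) {
    throw new Error("invalid headerName");
  }
  if (typeof userLoggedIn !== "boolean") throw new Error("userLoggedIn must be boolean");
  if (userLoggedIn) {
    // Logged in: the schema shows a numeric userId and a user object.
    if (typeof userId !== "number" || !user || typeof user !== "object") {
      throw new Error("logged-in response lacks user data");
    }
  } else if (user !== null || userId !== undefined) {
    // Logged out: user is null and userId is omitted.
    throw new Error("logged-out response carries user data");
  }
  return {
    userLoggedIn,
    userId: userLoggedIn ? userId : null,
    // Spread this into the headers of later state-changing requests.
    csrfHeaders: { [headerName]: nonce },
    correlationId: (body.meta && body.meta.correlationId) || null,
  };
}

// Fetch with cookies so an existing session is reflected in the response.
// fetchImpl is injectable for testing; baseUrl is an assumption of this example.
async function fetchNonce(baseUrl, fetchImpl = fetch) {
  const res = await fetchImpl(new URL(NONCE_PATH, baseUrl), {
    method: "GET",
    credentials: "include",
    headers: { Accept: "application/json" },
  });
  // The page declares no custom error codes: treat any non-200 as a failure.
  if (res.status !== 200) throw new Error(`nonce request failed: HTTP ${res.status}`);
  return parseNonceResponse(await res.json());
}
```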