How to install wp-rest-api
npx skills add https://github.com/wordpress/agent-skills --skill wp-rest-apiFull instructions (SKILL.md)
Source of truth, from wordpress/agent-skills.
name: wp-rest-api description: "Use when building, extending, or debugging WordPress REST API endpoints/routes: register_rest_route, WP_REST_Controller/controller classes, schema/argument validation, permission_callback/authentication, response shaping, register_rest_field/register_meta, or exposing CPTs/taxonomies via show_in_rest." compatibility: "Targets WordPress 6.9+ (PHP 7.2.24+). Filesystem-based agent with bash + node. Some workflows require WP-CLI."
WP REST API
When to use
Use this skill when you need to:
- create or update REST routes/endpoints
- debug 401/403/404 errors or permission/nonce issues
- add custom fields/meta to REST responses
- expose custom post types or taxonomies via REST
- implement schema + argument validation
- adjust response links/embedding/pagination
Inputs required
- Repo root + target plugin/theme/mu-plugin (path to entrypoint).
- Desired namespace + version (e.g.
my-plugin/v1) and routes. - Authentication mode (cookie + nonce vs application passwords vs auth plugin).
- Target WordPress version constraints (if below 6.9, call out).
Procedure
0) Triage and locate REST usage
- Run triage:
node skills/wp-project-triage/scripts/detect_wp_project.mjs
- Search for existing REST usage:
register_rest_routeWP_REST_Controllerrest_api_initshow_in_rest,rest_base,rest_controller_class
If this is a full site repo, pick the specific plugin/theme before changing code.
1) Choose the right approach
- Expose CPT/taxonomy in
wp/v2:- Use
show_in_rest => true+rest_baseif needed. - Optionally provide
rest_controller_class. - Read
references/custom-content-types.md.
- Use
- Custom endpoints:
- Use
register_rest_route()onrest_api_init. - Prefer a controller class (
WP_REST_Controllersubclass) for anything non-trivial. - Read
references/routes-and-endpoints.mdandreferences/schema.md.
- Use
2) Register routes safely (namespaces, methods, permissions)
- Use a unique namespace
vendor/v1; avoidwp/*unless core. - Always provide
permission_callback(use__return_truefor public endpoints). - Use
WP_REST_Server::READABLE/CREATABLE/EDITABLE/DELETABLEconstants. - Return data via
rest_ensure_response()orWP_REST_Response. - Return errors via
WP_Errorwith an explicitstatus.
Read references/routes-and-endpoints.md.
3) Validate/sanitize request args
- Define
argswithtype,default,required,validate_callback,sanitize_callback. - Prefer JSON Schema validation with
rest_validate_value_from_schemathenrest_sanitize_value_from_schema. - Never read
$_GET/$_POSTdirectly inside endpoints; useWP_REST_Request.
Read references/schema.md.
4) Responses, fields, and links
- Do not remove core fields from default endpoints; add fields instead.
- Use
register_rest_fieldfor computed fields;register_metawithshow_in_restfor meta. - For
object/arraymeta, define schema inshow_in_rest.schema. - If you need unfiltered post content (e.g., ToC plugins injecting HTML), request
?context=editto accesscontent.raw(auth required). Pair with_fields=content.rawto keep responses small. - Add related resource links via
WP_REST_Response::add_link().
Read references/responses-and-fields.md.
5) Authentication and authorization
- For wp-admin/JS: cookie auth +
X-WP-Nonce(actionwp_rest). - For external clients: application passwords (basic auth) or an auth plugin.
- Use capability checks in
permission_callback(authorization), not just “logged in”.
Read references/authentication.md.
6) Client-facing behavior (discovery, pagination, embeds)
- Ensure discovery works (
Linkheader or<link rel="https://api.w.org/">). - Support
_fields,_embed,_method,_envelope, pagination headers. - Remember
per_pageis capped at 100.
Read references/discovery-and-params.md.
Verification
/wp-json/index includes your namespace.OPTIONSon your route returns schema (when provided).- Endpoint returns expected data; permission failures return 401/403 as appropriate.
- CPT/taxonomy routes appear under
wp/v2whenshow_in_restis true. - Run repo lint/tests and any PHP/JS build steps.
Failure modes / debugging
- 404:
rest_api_initnot firing, route typo, or permalinks off (use?rest_route=). - 401/403: missing nonce/auth, or
permission_callbacktoo strict. _doing_it_wrongfor missingpermission_callback: add it (use__return_trueif public).- Invalid params: missing/incorrect
argsschema or validation callbacks. - Fields missing:
show_in_restfalse, meta not registered, or CPT lackscustom-fieldssupport.
Escalation
If version support or behavior is unclear, consult the REST API Handbook and core docs before inventing patterns.
Related skills
More from wordpress/agent-skills and the wider catalog.
wp-plugin-development
Use when developing WordPress plugins: architecture and hooks, activation/deactivation/uninstall, admin UI and Settings API, data storage, cron/tasks, security (nonces/capabilities/sanitization/escaping), and release packaging.
wp-block-themes
Use when developing WordPress block themes: theme.json (global settings/styles), templates and template parts, patterns, style variations, and Site Editor troubleshooting (style hierarchy, overrides, caching).
wp-performance
Use when investigating or improving WordPress performance (backend-only agent): profiling and measurement (WP-CLI profile/doctor, Server-Timing, Query Monitor via REST headers), database/query optimization, autoloaded options, object caching, cron, HTTP API calls, and safe verification.
wp-block-development
Use when developing WordPress (Gutenberg) blocks: block.json metadata, register_block_type(_from_metadata), attributes/serialization, supports, dynamic rendering (render.php/render_callback), deprecations/migrations, viewScript vs viewScriptModule, and @wordpress/scripts/@wordpress/create-block build and test workflows.
wordpress-router
Use when the user asks about WordPress codebases (plugins, themes, block themes, Gutenberg blocks, WP core checkouts) and you need to quickly classify the repo and route to the correct workflow/skill (blocks, theme.json, REST API, WP-CLI, performance, security, testing, release packaging).
wp-project-triage
Use when you need a deterministic inspection of a WordPress repository (plugin/theme/block theme/WP core/Gutenberg/full site) including tooling/tests/version hints, and a structured JSON report to guide workflows and guardrails.