V2 version of the REST API uses HTTP Basic Auth in secure HTTPS connections
How to generate REST API credentials?
To use API v2 you need to generate the “Client key” and “Client secret” key pair.
To create this key pair you need to go to the Newsletter> API addon management panel and click the ‘Create Key’ button.
In the next screen, add the description, select the WordPress user you would like to associate the keys for and select which permissions to associate with the key.
The permissions can be read, write or read and write and based on the chosen permission some endpoints may (or may not) be used. With the read permission you can access to all data display endpoints (GET requests) while with the write permission access you can handle data insertion, modification and deletion (with POST / PUT / PATCH requests). Attention! it is important to associate the key to a user with the role that allows him to administer the newsletter plugin . Once this information has been entered, click the “Save” button.
The keys are generated and you will be able to see them.
Save a copy of the two keys in a safe place and use to authenticate calls.
You must use HTTP Basic Auth authentication by providing “Client Key” as username and “Client Secret” as password in an HTTPS connection.
Authentication error
In some servers/hosting it may happen that the authorization header is not passed to PHP and the call will fail returning a 401 “newsletter_rest_authentication_error” error.
In these cases you can solve the problem in 2 ways:
- modify the .htaccess file by adding this rule
SetEnvIf Authorization “(.*)” HTTP_AUTHORIZATION=$1
(Please backup .htaccess file before editing!!!) - or provide the client key/secret as query string parameters instead. Example =>
https://yoursite.org/wp-json/newsletter/v2/subscribers?client_key=XXXX&client_secret=XXXX
I want to test the API on localhost without HTTPS
To test the API on server without HTTPS protocol add this code in the wp-config.php file:define ('NEWSLETTER_REST_ALLOW_NON_HTTPS_REQUEST', true);
Please note that this change will allow API calls without HTTPS, so the security keys will not be encrypted from client to server.