WP-API Lovers, it’s been too long…

Hi everybody, remember us? After a long downtime between actual posts, we figured it was time to clue you in on what’s been happening in the wonderful world of the REST API. Here’s our recap of the goings on.

Version 1.2

The astute among you will have noticed we recently released version 1.2 of the API. If you’re not using it already, you’re missing out on Cross-Origin Resource Sharing (CORS) support, new actions and filters to support hijacking requests (for things like caching), and a tonne of bug fixes. Our thanks go out to all 29 (!!!) contributors to this release, and to Brian Krogsgard for our fantastic new plugin header.


It’s also with a little bit of sadness and a lot of excitement that we announce 1.2 will be the final major release for the 1.x branch. While version 1 has served us well, it’s time to move on to better things and prepare the project for core integration. Version 2 is well underway, and we’re hoping to have a beta out in the next month or so.

Version 1.9?

As @rachelbaker mentioned in the release post for 1.2, there’ll actually be another almost-release on the 1.x branch. From the start of the project, I’ve always pledged compatibility with whatever goes into core. Our almost-release will be a final-final release on the v1 branch, with no new features or bug fixes, but instead removing the internals of the version 1 code and hooking them up to version 2.

This will allow existing code to work essentially forever into the future, using the version 1 interface around the version 2 implementation. Bug fixes on version 2 should then also be carried down to the version 1 code.

I’ve taken to calling this shim Version 1.9, although it may not end up as that in the end. Whatever the case, this won’t be counted as a full version 1 release, as it will only be a wrapper around version 2. We do, however, plan to have full backwards compatibility as with every other release.

Version 2

Version 2 is under pretty heavy development right now. For those not familiar, this is the non-backwards-compatible edition of the API intended specifically for core integration. Version 2 is unlikely to ever have a full standalone release; however, we’re planning on releasing betas in the lead-up to core merge.

Note that while version 2 isn’t backwards compatible with version 1, it is an iteration on v1, so the API will be both inwardly and outwardly familiar to anyone using v1. We’re following a policy of not changing things purely for the sake of it, so the eventual version will be easy to adapt to for anyone using it now.

So far, our core focus has been around two key elements: extensibility and consistency. We’ve refactored and rearchitected a fair chunk of the core endpoints to make them more easily reusable, as well as ensuring that our core endpoints all follow a similar structure to make them easier to learn. As part of this, we’ve also introduced better support for common tasks like checking permissions, as well as changing the way endpoints interface with the infrastructure. One key change is that endpoints now receive only a single Request object parameter (modeled after PSR-7, for those keeping count). This means that parameter registration has moved out of the function signature and up to the endpoint registration instead.
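As an added illustration (not code from this post), here is what registration-time parameters and a separate permission check look like with `register_rest_route()` as it later shipped in WordPress core. The `example/v1` namespace, the `/notes/<id>` route and the `example_*` function names are hypothetical.

```php
<?php
// Added example: namespace, route and example_* names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/notes/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_note',
        // Runs before the callback; returning false or a WP_Error rejects the request.
        'permission_callback' => 'example_can_update_note',
        // Parameters are declared here, not in the callback's signature.
        'args'                => array(
            'id'    => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'title' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && '' !== trim( $value );
                },
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Authorization is checked against the specific object, not just "is logged in".
function example_can_update_note( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_post', (int) $request['id'] ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You cannot edit this note.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// The endpoint receives one Request object; parameters are read from it.
function example_update_note( WP_REST_Request $request ) {
    $post_id = wp_update_post(
        array( 'ID' => $request['id'], 'post_title' => $request['title'] ),
        true
    );
    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    return rest_ensure_response( array( 'id' => $post_id, 'title' => get_the_title( $post_id ) ) );
}
```

Keeping the capability check in `permission_callback` rather than inside the handler means a route cannot be registered with validation but no authorization decision, which is the common failure mode when permission logic is left to each callback.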

We’re also working on making requests and responses consistent across the board, including swapping our dodgy filter parameters out for better supported querying. Fields are being renamed across the board (albeit not without careful consideration first) to make it easier to learn and use the API, as well as helping clients be more robust. Internal linking is also changing to match the HAL specification, along with support for “embedding” related requests. This is designed to help mobile clients and similar avoid excessive round-trips. It does come with the cost of larger response bodies, so we’ve left it up to client authors to decide and calculate the tradeoffs.


API meetings now take place twice a week on Mondays at 23:00 UTC and Wednesdays at 23:00 UTC in the #core-restapi channel on the WordPress Slack. Our format is similar to the WordPress core meetings, with each meeting lasting up to an hour.

We also occasionally replace these meetings with voice and video meetings on Google Hangouts, depending on availability and agenda. In these cases, we’ll post the hangout link in the channel at the start of the hour. Everyone is welcome to join and listen in or participate, but please appreciate the limited amount of time and energy we have for these meetings.


Thank you again to all the wonderful people who make this API possible, including but not limited to the amigos (Rachel, Daniel, and Joe), our core team minders (Gary, Dion, and nacin, among others), lovable lurkers (Demitrious), everyone speaking about the API (I don’t know how Jack Lenox gets anything else done), our wonderful publicists journalists (Brian and Sarah), and everyone else. And you, especially you. ❤

We’re also opening this comment thread for any thoughts, feedback, feelings, or otherwise that you’d like to post. If there’s something you want to tell us or talk about, here’s the opportunity to do so.


Hey everyone! Quick heads up…

Hey everyone! Quick heads up on some of the work that’s been going on this week:

  • The CLI client is now functional – The readme runs through how to connect WP-CLI to your site and get started. Currently, it only contains user and post reading functionality; however, post creation/editing/deletion can be achieved relatively easily! This is more a question of time; building out the remaining functionality should be relatively painless. Volunteers welcome, as always!
  • Post endpoint testing is getting filled out – @rachelbaker and I have been working on getting these up, with the aim of 100% coverage of the post endpoint code. We’re slowly getting there! Reminder that we can always use help with writing tests, as there’s plenty to tackle here.
  • JS client is getting filled out – Thanks to Taylor Lovett, Matthew Haines-Young and K. Adam White for a huge push on the JS client recently. This client is significantly better than the version in 1.0 thanks to the tireless effort from these folks; that said, contributors are always welcome.
  • BuddyPress now has an API plugin – modemlooper has created a plugin that adds API endpoints for BuddyPress. Take a look if you’re interested in using BuddyPress data!
  • Pods now has an API plugin – Scott Kingsley Clark has created a plugin that adds API endpoints for Pods. Check it out!
  • I also threw up a quick doc site using Flatdoc with our existing route documentation. This doesn’t include our guides or the rest of our documentation, but is a cool start anyway!

(Worth noting, since I don’t think I did previously: the WooCommerce API was built from a previous version of the API. Also worth taking a look at.)


1.0 is out! Thanks to…

1.0 is out! Thanks to everyone who helped out with this release and made it the best so far.

That said, progress never halts! We’re working on 1.1 now, and there’s already a heap of issues open. We need to start on a huge documentation and testing push, which @rachelbaker has already started on.

We’ll also have the normal office hours this week; hope to see you there!

Draft Core Integration Plan

I’ve published the initial draft of the core integration plan for the API on GitHub. It covers motivation behind the API, rationale for the current design, and concerns of the integration itself. Feedback extremely welcome.

I’ll also be around for regular office hours in 12 hours.

Also, before I forget about…

Also, before I forget about it: office hours in 9.5 hours. 🙂

Weekly meeting in 10 hours;…

Weekly meeting in 10 hours; we’ll discuss remaining items for 1.0, the current and future authentication system, and post meta.

Changes Coming in 1.0

We’re getting close to release for 1.0, so a quick heads up on some breaking changes that’ll be shipping with this release:

We’ve also got some awesome features shipping with this release:

Thanks to everyone involved so far, and thanks to @rachelbaker for helping to manage the project! Thanks also to those who’ve been talking about and promoting the API at WordCamps; the evangelism is much appreciated!

We’re not done with this release yet: there’s also post meta on the radar that should make it into 1.0; you’ll be hearing more about that shortly.

I also know there’s people who’d love to get involved with the project. Your best bet is to take a look at the issues scheduled for 1.1. In particular, we’re looking for help in the following areas:

  • JavaScript and theme developers: We have a JS library currently included with the API, but it’s in danger of not making it into the final version unless we put some serious work into it. Help is needed here; contributions always welcome!
  • WP-CLI developers: As a reference client for the API, Daniel Bachhuber is planning on working on a WP-CLI client. Help will definitely be wanted in this area, as there’s a lot of the API to use here.
  • Other developers: Help is always wanted on the API itself, but of special interest is the OAuth server code, which needs more testing. We also need more reference clients. If you can code in any language, we’d love your help creating clients in other languages.
  • Designers: The OAuth server currently contains a thrown-together UI, which certainly doesn’t match the slickness of WP.com’s UI. We could use help here.

Thanks again!

No meeting this week, due…

No meeting this week, due to Easter holidays, however I’ll be around for office hours on Friday, 0:00 UTC instead.

I’ve published the OAuth server…

I’ve published the OAuth server work so far. This is probably broken, but that’s OK, because at least it’s a start. 🙂

Of particular note is the specification, which I’d appreciate thoughts on. This is intentionally kept as simple as possible, since it’s mostly standard OAuth 1.0a.

I’d especially love feedback on the scopes section of the document. I think this lays out a general set of scopes that cover most use cases, and anything that needs more complicated permissions can fall back to the general * permission. I’m not sure yet whether defaulting to * is the right idea; we may want to default to read instead.