wp-rest-api
Use when building, extending, or debugging WordPress REST API endpoints/routes: register_rest_route, WP_REST_Controller/controller classes, schema/argument validation, permission_callback/authentication, response shaping, register_rest_field/register_meta, or exposing CPTs/taxonomies via show_in_rest.
Best use case
wp-rest-api is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when building, extending, or debugging WordPress REST API endpoints/routes: register_rest_route, WP_REST_Controller/controller classes, schema/argument validation, permission_callback/authentication, response shaping, register_rest_field/register_meta, or exposing CPTs/taxonomies via show_in_rest.
Teams using wp-rest-api should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/wp-rest-api/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How wp-rest-api Compares
| Feature / Agent | wp-rest-api | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when building, extending, or debugging WordPress REST API endpoints/routes: register_rest_route, WP_REST_Controller/controller classes, schema/argument validation, permission_callback/authentication, response shaping, register_rest_field/register_meta, or exposing CPTs/taxonomies via show_in_rest.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# WP REST API ## When to use Use this skill when you need to: - create or update REST routes/endpoints - debug 401/403/404 errors or permission/nonce issues - add custom fields/meta to REST responses - expose custom post types or taxonomies via REST - implement schema + argument validation - adjust response links/embedding/pagination ## Inputs required - Repo root + target plugin/theme/mu-plugin (path to entrypoint). - Desired namespace + version (e.g. `my-plugin/v1`) and routes. - Authentication mode (cookie + nonce vs application passwords vs auth plugin). - Target WordPress version constraints (if below 6.9, call out). ## Procedure ### 0) Triage and locate REST usage 1. Run triage: - `node skills/wp-project-triage/scripts/detect_wp_project.mjs` 2. Search for existing REST usage: - `register_rest_route` - `WP_REST_Controller` - `rest_api_init` - `show_in_rest`, `rest_base`, `rest_controller_class` If this is a full site repo, pick the specific plugin/theme before changing code. ### 1) Choose the right approach - **Expose CPT/taxonomy in `wp/v2`:** - Use `show_in_rest => true` + `rest_base` if needed. - Optionally provide `rest_controller_class`. - Read `references/custom-content-types.md`. - **Custom endpoints:** - Use `register_rest_route()` on `rest_api_init`. - Prefer a controller class (`WP_REST_Controller` subclass) for anything non-trivial. - Read `references/routes-and-endpoints.md` and `references/schema.md`. ### 2) Register routes safely (namespaces, methods, permissions) - Use a unique namespace `vendor/v1`; avoid `wp/*` unless core. - Always provide `permission_callback` (use `__return_true` for public endpoints). - Use `WP_REST_Server::READABLE/CREATABLE/EDITABLE/DELETABLE` constants. - Return data via `rest_ensure_response()` or `WP_REST_Response`. - Return errors via `WP_Error` with an explicit `status`. Read `references/routes-and-endpoints.md`. ### 3) Validate/sanitize request args - Define `args` with `type`, `default`, `required`, `validate_callback`, `sanitize_callback`. - Prefer JSON Schema validation with `rest_validate_value_from_schema` then `rest_sanitize_value_from_schema`. - Never read `$_GET`/`$_POST` directly inside endpoints; use `WP_REST_Request`. Read `references/schema.md`. ### 4) Responses, fields, and links - Do **not** remove core fields from default endpoints; add fields instead. - Use `register_rest_field` for computed fields; `register_meta` with `show_in_rest` for meta. - For `object`/`array` meta, define schema in `show_in_rest.schema`. - If you need unfiltered post content (e.g., ToC plugins injecting HTML), request `?context=edit` to access `content.raw` (auth required). Pair with `_fields=content.raw` to keep responses small. - Add related resource links via `WP_REST_Response::add_link()`. Read `references/responses-and-fields.md`. ### 5) Authentication and authorization - For wp-admin/JS: cookie auth + `X-WP-Nonce` (action `wp_rest`). - For external clients: application passwords (basic auth) or an auth plugin. - Use capability checks in `permission_callback` (authorization), not just “logged in”. Read `references/authentication.md`. ### 6) Client-facing behavior (discovery, pagination, embeds) - Ensure discovery works (`Link` header or `<link rel="https://api.w.org/">`). - Support `_fields`, `_embed`, `_method`, `_envelope`, pagination headers. - Remember `per_page` is capped at 100. Read `references/discovery-and-params.md`. ## Verification - `/wp-json/` index includes your namespace. - `OPTIONS` on your route returns schema (when provided). - Endpoint returns expected data; permission failures return 401/403 as appropriate. - CPT/taxonomy routes appear under `wp/v2` when `show_in_rest` is true. - Run repo lint/tests and any PHP/JS build steps. ## Failure modes / debugging - 404: `rest_api_init` not firing, route typo, or permalinks off (use `?rest_route=`). - 401/403: missing nonce/auth, or `permission_callback` too strict. - `_doing_it_wrong` for missing `permission_callback`: add it (use `__return_true` if public). - Invalid params: missing/incorrect `args` schema or validation callbacks. - Fields missing: `show_in_rest` false, meta not registered, or CPT lacks `custom-fields` support. ## Escalation If version support or behavior is unclear, consult the REST API Handbook and core docs before inventing patterns.
Related Skills
wpds
Use when building UIs leveraging the WordPress Design System (WPDS) and its components, tokens, patterns, etc.
wp-wpcli-and-ops
Use when working with WP-CLI (wp) for WordPress operations: safe search-replace, db export/import, plugin/theme/user/content management, cron, cache flushing, multisite, and scripting/automation with wp-cli.yml.
wp-project-triage
Use when you need a deterministic inspection of a WordPress repository (plugin/theme/block theme/WP core/Gutenberg/full site) including tooling/tests/version hints, and a structured JSON report to guide workflows and guardrails.
wp-plugin-development
Use when developing WordPress plugins: architecture and hooks, activation/deactivation/uninstall, admin UI and Settings API, data storage, cron/tasks, security (nonces/capabilities/sanitization/escaping), and release packaging.
wp-playground
Use for WordPress Playground workflows: fast disposable WP instances in the browser or locally via @wp-playground/cli (server, run-blueprint, build-snapshot), auto-mounting plugins/themes, switching WP/PHP versions, blueprints, and debugging (Xdebug).
wp-phpstan
Use when configuring, running, or fixing PHPStan static analysis in WordPress projects (plugins/themes/sites): phpstan.neon setup, baselines, WordPress-specific typing, and handling third-party plugin classes.
wp-performance
Use when investigating or improving WordPress performance (backend-only agent): profiling and measurement (WP-CLI profile/doctor, Server-Timing, Query Monitor via REST headers), database/query optimization, autoloaded options, object caching, cron, HTTP API calls, and safe verification.
wp-interactivity-api
Use when building or debugging WordPress Interactivity API features (data-wp-* directives, @wordpress/interactivity store/state/actions, block viewScriptModule integration, wp_interactivity_*()) including performance, hydration, and directive behavior.
wp-block-themes
Use when developing WordPress block themes: theme.json (global settings/styles), templates and template parts, patterns, style variations, and Site Editor troubleshooting (style hierarchy, overrides, caching).
wp-block-development
Use when developing WordPress (Gutenberg) blocks: block.json metadata, register_block_type(_from_metadata), attributes/serialization, supports, dynamic rendering (render.php/render_callback), deprecations/migrations, viewScript vs viewScriptModule, and @wordpress/scripts/@wordpress/create-block build and test workflows.
wp-abilities-api
Use when working with the WordPress Abilities API (wp_register_ability, wp_register_ability_category, /wp-json/wp-abilities/v1/*, @wordpress/abilities) including defining abilities, categories, meta, REST exposure, and permissions checks for clients.
wordpress-woocommerce-dev
資深 WordPress 與 WooCommerce PHP 開發專家(Miyoshi)。精通 WordPress Plugin/Theme 架構、WooCommerce 擴充開發、PHP 8.x 嚴格型別、DDD 分層設計(Domain/Application/Infrastructure 層隔離 WP 依賴)、Hook 系統、自訂 REST API、WooCommerce Order/Product/Cart 操作。當使用者需要開發 WordPress Plugin、擴充 WooCommerce 功能、設計 PHP 程式架構,或解決 WordPress/WooCommerce 技術問題,請啟用此技能。