Title: Authenticate via javascript fetch for REST API
Last modified: October 9, 2018

---

# Authenticate via javascript fetch for REST API

 *  [atomicadam](https://wordpress.org/support/users/atomicadam/)
 * (@atomicadam)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/)
 * Any suggestions on how to authenticate the login via a fetch request? I have
   tried the Authenticate header, along with setting the standard access-control-allow-origin
   header on the server, but no luck getting to the /wp-json/wp/v2/ endpoints.
 * Basic authentication via curl is working fine, `$ curl --user user:password /wp-json/`,
   but I am not able to get it via a browser-based fetch request which is at a different
   domain than the WordPress site.
    -  This topic was modified 7 years, 8 months ago by [atomicadam](https://wordpress.org/support/users/atomicadam/).

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10765616)
 * Hi– thanks for using Force Login!
 * Just to confirm, does your JS fetch request work when Force Login is deactivated?
 * If authentication via curl is working, maybe you could try AJAX calls to your
   curl request?
 * Or– check out this thread for some alternative options to authenticate the WP
   REST API on your WordPress site running Force Login:
    [https://wordpress.org/support/topic/jwt-authentication/](https://wordpress.org/support/topic/jwt-authentication/)
 *  Thread Starter [atomicadam](https://wordpress.org/support/users/atomicadam/)
 * (@atomicadam)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10765637)
 * Hi Kevin – Thanks for writing the plugin.
 * Yes, the fetch request works fine when the plugin is turned off.
 * Also the same request via curl works fine. So this is most likely a CORS issue
   and am just hoping you might have tried this yourself.
 * The fetch request looks something like this:
 *     ```
       fetch(endpoint, {
         headers: new Headers({
           'Authenticate': 'Basic user:password'
         }),
         redirect: 'follow'
       })
       .then(res => res.json())
       .then(json => console.log(json));
       ```
   
 * Looking at the fetch documentation, I am now seeing I didn’t set a mode key value,
   I will try that. Will also follow up with more specific error messages.
    -  This reply was modified 7 years, 8 months ago by [atomicadam](https://wordpress.org/support/users/atomicadam/).
 *  Thread Starter [atomicadam](https://wordpress.org/support/users/atomicadam/)
 * (@atomicadam)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10765975)
 * Most likely this is just server setup. If I can get it working I’ll post.
 *  Thread Starter [atomicadam](https://wordpress.org/support/users/atomicadam/)
 * (@atomicadam)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10769682)
 * I was able to resolve this – though I’m not sure I’m 100% happy with always returning
   200 on an OPTIONS request (the redirect to readme.html will return a 200 in the
   OPTIONS preflight request). But here is the fetch request and .htaccess setup
   that works with Force Login turned on.
 *     ```
       fetch(endpoint, {
         headers: new Headers({
           'Authorization': 'Basic ' + Buffer.from('user:pass').toString('base64'),
           'Content-Type': 'application/json; charset=utf-8'
         }),
         credentials: 'include',
         mode: 'cors',
         method: 'GET',
         redirect: 'follow'
       })
       .then(res => res.json())
       .then(json => console.log(json))
       ```
   
 * and
 *     ```
       <IfModule mod_headers.c>
       Header unset Access-Control-Allow-Origin
       Header always set Access-Control-Allow-Origin "http://localhost:3000"
       Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT, DELETE"
       Header always set Access-Control-Allow-Headers "Origin,Content-Type,Accept,Authorization,X-Requested-With"
       Header unset Access-Control-Allow-Credentials
       Header always set Access-Control-Allow-Credentials true
       </IfModule>
   
       <IfModule mod_rewrite.c>
       RewriteEngine On                  
       RewriteCond %{REQUEST_METHOD} OPTIONS 
       RewriteRule ^(.*)$ readme.html [QSA,L]  
       </IfModule>
   
       <LimitExcept OPTIONS>
       AuthType Basic
       AuthName "API Service"
       AuthUserFile .htpasswd
       Require valid-user
       </LimitExcept>
       ```
   
 * I have not tried this with pretty URL rewrites – yet – so the endpoint looks 
   like: [http://api.site.com/?rest_route=/wp/v2/pages/2/](http://api.site.com/?rest_route=/wp/v2/pages/2/)
    -  This reply was modified 7 years, 8 months ago by [atomicadam](https://wordpress.org/support/users/atomicadam/).
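
Why curl succeeded while the cross-origin fetch needed the `.htaccess` changes in the post above, shown as an added example that is not part of the original thread: a simplified model of the checks a browser applies to the CORS preflight response. The function `checkPreflight`, the request object shape and the sample responses are constructed for illustration.

```javascript
// Added example: simplified model of the checks a browser applies to a CORS
// preflight response. Request shape and all sample responses are constructed.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const tokens = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) h[k.toLowerCase()] = v;
  const withCreds = req.credentials === 'include';

  // The preflight carries no credentials and must get a 2xx answer;
  // a 401 challenge or a redirect to a login page fails it outright.
  if (res.status < 200 || res.status > 299) return `status ${res.status} is not 2xx`;

  const origin = h['access-control-allow-origin'];
  if (origin !== req.origin && !(origin === '*' && !withCreds)) return 'origin not allowed';
  if (withCreds && h['access-control-allow-credentials'] !== 'true') return 'credentials not allowed';
  // "*" in the allow lists is only a wildcard for requests without credentials,
  // and never covers the Authorization header.
  const methods = tokens(h['access-control-allow-methods']);
  const headers = tokens(h['access-control-allow-headers']);
  const star = (list) => !withCreds && list.includes('*');
  if (!SAFELISTED_METHODS.includes(req.method)
      && !methods.includes(req.method.toLowerCase()) && !star(methods)) {
    return `method ${req.method} not allowed`;
  }
  for (const name of req.unsafeHeaders.map((n) => n.toLowerCase())) {
    const wildcard = star(headers) && name !== 'authorization';
    if (!headers.includes(name) && !wildcard) return `header ${name} not allowed`;
  }
  return 'ok';
}

// The working fetch from this thread: Authorization and a JSON Content-Type are
// not CORS-safelisted, so the browser sends an OPTIONS preflight first.
const request = { origin: 'http://localhost:3000', method: 'GET', credentials: 'include',
  unsafeHeaders: ['Authorization', 'Content-Type'] };
const cors = { 'Access-Control-Allow-Origin': 'http://localhost:3000',
  'Access-Control-Allow-Methods': 'POST, GET, OPTIONS, PUT, DELETE',
  'Access-Control-Allow-Headers': 'Origin,Content-Type,Accept,Authorization,X-Requested-With',
  'Access-Control-Allow-Credentials': 'true' };
const samples = {
  authChallenge: { status: 401, headers: cors },   // OPTIONS not exempt from auth
  loginRedirect: { status: 302, headers: cors },   // OPTIONS redirected to a login page
  wildcardOrigin: { status: 200, headers: { ...cors, 'Access-Control-Allow-Origin': '*' } },
  threadHtaccess: { status: 200, headers: cors },  // headers from the .htaccess above
};
const results = Object.fromEntries(
  Object.entries(samples).map(([name, res]) => [name, checkPreflight(request, res)]));
console.log(results);
```
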
 *  Thread Starter [atomicadam](https://wordpress.org/support/users/atomicadam/)
 * (@atomicadam)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10770489)
 * Actually this only works due to being logged into the WP admin so the fetch is
   sending along the cookies to authenticate. Logging in to WP w/ only browser JS
   from another domain does not seem possible.
 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10771084)
 * Hi– thanks for all your effort and detailed examples into finding a solution.
 * Force Login restricts access to the REST API for authorized users only. You said
   your fetch request works when Force Login is deactivated.
 * Have you tried one of the following code snippets to allow the WP REST API to
   be publicly accessible again?
 *     ```
       add_filter( 'rest_authentication_errors', '__return_true' );
       ```
   
 * Or
 *     ```
       remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );
       ```
   
 *  Thread Starter [atomicadam](https://wordpress.org/support/users/atomicadam/)
 * (@atomicadam)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10775524)
 * Thanks Kevin. I think with your plugin and an .htpasswd file at the server level,
   one can put in a basic authentication gateway for a detached front end. But I
   think for more secure connections one needs to use the API OAuth, which seems
   fine for user apps, but for just delivering content to a detached front end I’m
   thinking of just making an Express server that connects directly to the WordPress
   MySQL server to read data.


The topic ‘Authenticate via javascript fetch for REST API’ is closed to new replies.

 * 7 replies
 * 2 participants
 * Last reply from: [atomicadam](https://wordpress.org/support/users/atomicadam/)
 * Last activity: [7 years, 8 months ago](https://wordpress.org/support/topic/authenticate-via-javascript-fetch-for-rest-api/#post-10775524)
 * Status: not a support question