Nuget Wordpress REST API – Authentication

wordpress_logo[1]I use as my blog platform.  It hosts the Wordpress CMS software and adds a few goodies.

I was curious about their API after noticing that my Blog App (Windows Live Writer) tended to create duplicate of pictures, leaving lots of unused assets in my Media library.  This really is a personal pet peeve since I’m still at less than %5 of my asset quota after 5 years.

There happens to be two APIs in  The old XML RPC API, used by Windows Live Writer actually, and the new REST API.

The new API is what people would call a modern API:  its authentication is OAuth based, it is RESTful and has JSON payloads.

Surprisingly there didn’t seem to be any .NET client for it.  So I thought…  why not build one?

Enters Wordpress REST API Nuget package.  So far, I’ve implemented the authentication, a get-user and a part of a search-post.

For the search-post, I took the not-so-easy-path of implementing a IQueryable<T> adapter in order to expose the Post API as a Linq interface.  I’ll write about that but for an heads-up:  not trivial, but it works and is convenient for the client.

I will release the source code soon, but for the moment you can definitely access the Nuget package.

You can trial the client on a site I’m assembling on  I do not do web-UI so the look-and-feel is non-existing Winking smile

Here I’ll give a quick how-to using the client.

Authentication has the concept of application.  If you’re steep in Claim based authentication, this is what is typically referred to as a relying party.  It is also equivalent to an application in Azure Active Directory.

You setup application in  The three key information you need in order to get a user to authorize your application to access are:

  1. Client ID:  provided by, the identifier of your application
  2. Client Secret:  also provided by, a secret it expects you to pass around
  3. Redirect URL:  provided by you, where Wordpress will send the user back after consent is given

Here is the authorization flow:


# Description
1 The user clicks on a ‘sign in’ link from your web site.
2 Your web redirect the user’s browser to a site passing the client-ID of your application and the return-url you’ve configured.  The URL will be:<your value>;redirect_uri=<your value>;response_type=code
3 Assuming the user consent for your application to use, the user’s browser is redirected to the Redirect URL you provided to  In the query string, your application is given a code.  This code is temporary and unique to that transaction.
4 Your application can now contact directly (without the browser) the API to complete the transaction.  You POST a request to You need to post the code, the client-ID and other arguments.
5 The API returns you a token you can use for future requests.
6 For any future request to the API, you pass the token in the HTTP request.

Now, this is all encapsulated in the Wordpress REST API Nuget package.  You still need to do a bit of work to orchestrate calls.

The link to the authorization page you need to redirect the end-user to can be given by:

static string WordpressClient.GetUserAuthorizeUrl(string appClientID, string returnUrl)

You pass the client-ID of your application and its return-url and the method returns you the URL you need to redirect to user to (step 2).

Then on the return-url page, you need to take the code query string parameter and call

static Task<WordpressClient> WordpressClient.GetTokenAsync(string clientID, string clientSecret, string redirectURL, string code)

This method is async.  All methods interacting with Wordpress API are async.  The method returns you an instance of the WordpressClient class.  This is the gateway class for all APIs.

That was step 4 & 5 basically.

Rehydrating a Wordpress Client between requests

That is all nice and well until your user comes back.  You do not want them to authorize your application at every request.

The typical solution is to persist the token in the user’s cookies so that at each request you can recreate a WordpressClient object.

For that you can access the token information in

TokenInfo WordpressClient.Token { get; }

When you want to recreate a WordpressClient, simply use its constructor:

WordpressClient(TokenInfo token)

Getting user information

Just as an example of how to use the API beyond authorization, let’s look at how to get information about the user.

Let’s say the variable client is a WordpressClient instance, then the following line of code

var user = await client.User.GetMeAsync();

gets you a bunch of information about your end-user profile on, such as their display name, the date the user join the site, their email, etc. .  This methods wraps the API operation


This was a quick run around this new Wordpress REST API Nuget package I just created.  I’ll put it on Codeplex soon if you want to contribute.

Leave a comment