REST API Permissions
The permission_callback is a required parameter in WordPress REST API route registration that determines whether a request should be processed based on the user's identity and capabilities.
How it works
Since WordPress 5.5, every register_rest_route() call must include a permission_callback. Routes without one default to public access — a common source of security vulnerabilities. The callback should check authentication and capabilities before the main handler runs.
In WordPress
For authenticated endpoints, use current_user_can() checks. For public endpoints, use __return_true explicitly to show the route is intentionally public. Never omit the callback.
Code example
add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/settings', [
        'methods'             => 'POST',
        'callback'            => 'handle_settings',
        // Only users with manage_options (administrators) may reach handle_settings().
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});
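The snippet above shows one authenticated route. The following is an added example, not code from the original page or from any plugin, that puts the three patterns the text describes side by side: an explicitly public route, a capability-gated route that returns a WP_Error with the right HTTP status, and a per-object capability check. The namespace myplugin/v1, the route paths and the myplugin_* handler names are assumptions made for illustration.

```php
<?php
// Added example (not from the original page). Route namespace, paths and
// handler names are assumed; the WordPress functions used are real core APIs.

add_action('rest_api_init', function () {
    // 1. Intentionally public route: '__return_true' documents that the
    //    omission of a real check is deliberate, not an oversight.
    register_rest_route('myplugin/v1', '/status', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_handle_status',
        'permission_callback' => '__return_true',
    ]);

    // 2. Capability-gated route. Returning a WP_Error (instead of plain false)
    //    lets you choose the message; rest_authorization_required_code() yields
    //    401 for anonymous callers and 403 for logged-in users lacking the cap.
    register_rest_route('myplugin/v1', '/settings', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'myplugin_handle_settings',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!current_user_can('manage_options')) {
                return new WP_Error(
                    'rest_forbidden',
                    __('You are not allowed to change settings.', 'myplugin'),
                    ['status' => rest_authorization_required_code()]
                );
            }
            return true;
        },
    ]);

    // 3. Per-object check: the capability is tested against the specific post
    //    the request targets, so an editor cannot modify another author's note
    //    merely because they can edit posts in general.
    register_rest_route('myplugin/v1', '/notes/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'myplugin_handle_note_update',
        'args'                => [
            'id' => [
                'required'          => true,
                'validate_callback' => function ($value) {
                    return is_numeric($value) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ],
            'body' => [
                'sanitize_callback' => 'sanitize_textarea_field',
            ],
        ],
        'permission_callback' => function (WP_REST_Request $request) {
            $post_id = (int) $request['id'];   // cast defensively
            if (!get_post($post_id)) {
                return new WP_Error(
                    'rest_post_invalid_id',
                    __('Invalid note ID.', 'myplugin'),
                    ['status' => 404]
                );
            }
            return current_user_can('edit_post', $post_id);
        },
    ]);
});

// Handlers run only after the matching permission_callback returned true.
function myplugin_handle_status(WP_REST_Request $request) {
    return rest_ensure_response(['status' => 'ok']);
}

function myplugin_handle_settings(WP_REST_Request $request) {
    $enabled = (bool) $request->get_param('enabled');
    update_option('myplugin_enabled', $enabled);   // assumed option name
    return rest_ensure_response(['enabled' => $enabled]);
}

function myplugin_handle_note_update(WP_REST_Request $request) {
    $post_id = (int) $request['id'];
    $result  = wp_update_post([
        'ID'           => $post_id,
        'post_content' => (string) $request->get_param('body'),
    ], true);
    if (is_wp_error($result)) {
        $result->add_data(['status' => 500]);
        return $result;
    }
    return rest_ensure_response(['id' => $post_id, 'updated' => true]);
}
```

Two things worth keeping in mind when reviewing such callbacks: current_user_can() only reflects an authenticated user, and WordPress cookie authentication for the REST API is honoured only when the request carries a valid X-WP-Nonce header (otherwise the request is treated as anonymous, so a capability check correctly fails closed); and a check on a global capability such as edit_posts is not a substitute for the per-object form current_user_can('edit_post', $post_id) when the route names a specific resource.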