WP HealthKit

REST API Permissions

The permission_callback is a required parameter in WordPress REST API route registration that determines whether a request should be processed based on the user's identity and capabilities.

How it works

Since WordPress 5.5, every register_rest_route() call must include a permission_callback. Routes without one default to public access, which is a common source of security vulnerabilities. The callback runs before the main handler and should check authentication and capabilities there, so that an unauthorized request never reaches the handler.

In WordPress

For authenticated endpoints, use current_user_can() checks. For public endpoints, use __return_true explicitly to show the route is intentionally public. Never omit the callback.

Code example

register_rest_route('myplugin/v1', '/settings', [
    'methods' => 'POST',
    'callback' => 'handle_settings',   // runs only if the permission check passes
    'permission_callback' => function() {
        // Only users holding manage_options (administrators by default) may change settings.
        return current_user_can('manage_options');
    },
]);
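A fuller registration pattern, added here as an example and not WP HealthKit's own code: one route that is explicitly public and one protected route whose check returns a WP_Error carrying the correct HTTP status instead of a bare false. The plugin slug "myplugin", the route paths and the handler functions myplugin_get_status() and myplugin_save_settings() are assumed.

```php
<?php
// Added example, not WP HealthKit's code. "myplugin", the route paths and the
// handlers myplugin_get_status() / myplugin_save_settings() are assumed.
add_action('rest_api_init', function () {
    // Public read-only route: __return_true states that no auth is intended.
    register_rest_route('myplugin/v1', '/status', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_get_status',
        'permission_callback' => '__return_true',
    ]);

    // Protected route: the permission check runs before the handler.
    register_rest_route('myplugin/v1', '/settings', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'myplugin_save_settings',
        'permission_callback' => 'myplugin_settings_permission',
    ]);
});

/**
 * Permission check for the settings route. WordPress passes the WP_REST_Request,
 * which is where per-object checks (e.g. on a route parameter) would go.
 *
 * Returning a WP_Error rather than false lets the client distinguish an
 * unauthenticated request (401) from an authenticated one that lacks the
 * capability (403); rest_authorization_required_code() picks the status.
 * With cookie authentication, WordPress only sets the current user when a valid
 * X-WP-Nonce header is present, so without it this check sees an anonymous user.
 */
function myplugin_settings_permission(WP_REST_Request $request) {
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            __('You must be logged in to change settings.', 'myplugin'),
            ['status' => rest_authorization_required_code()]
        );
    }
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            __('You are not allowed to change settings.', 'myplugin'),
            ['status' => rest_authorization_required_code()]
        );
    }
    return true;
}
```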

WP HealthKit checks for REST API Permissions-related vulnerabilities automatically
