WooCommerce’s REST API gives you access to products, orders, customers — but what if you need to expose custom data, or build your own secure endpoint for a mobile app or frontend React dashboard?
In this tutorial, we’ll walk through building a custom REST API endpoint in WooCommerce, including:
- Securing the endpoint
- Returning product pricing or custom meta
- Accepting POST requests (e.g. for orders, tokens, configs)
- Supporting authentication and permission checks
Why Build a Custom Endpoint?
Use cases include:
- Mobile apps for your WooCommerce store
- Headless frontend frameworks (React, Vue, etc.)
- External services accessing store data (e.g., ERP, shipping, analytics)
- Secure AJAX endpoints without using admin-ajax
Step 1: Register Your REST Route
Create this in your plugin (or functions.php):
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/product-price/(?P<id>\d+)', [
        'methods'             => 'GET',
        'callback'            => 'myplugin_get_product_price',
        'permission_callback' => '__return_true', // More on this later
        'args'                => [
            'id' => [
                'required'          => true,
                'validate_callback' => 'is_numeric',
            ],
        ],
    ] );
} );
Step 2: Define the Callback
function myplugin_get_product_price( WP_REST_Request $request ) {
    $product_id = $request->get_param( 'id' );
    $product    = wc_get_product( $product_id );
    if ( ! $product ) {
        return new WP_Error( 'not_found', 'Product not found', [ 'status' => 404 ] );
    }
    return rest_ensure_response( [
        'id'       => $product->get_id(),
        'name'     => $product->get_name(),
        'price'    => $product->get_price(),
        'currency' => get_woocommerce_currency(),
    ] );
}
Step 3: Secure It with Permissions
Use WooCommerce/WordPress permissions to secure access:
'permission_callback' => function () {
    return current_user_can( 'manage_woocommerce' ); // Admin only
}
Or use:
'permission_callback' => function () {
    return is_user_logged_in(); // Logged-in users only
}
For public access with rate-limiting or token validation, you can build your own logic:
'permission_callback' => function ( WP_REST_Request $request ) {
    // get_header() returns null when the header is absent; cast so hash_equals() always gets a string.
    $token = (string) $request->get_header( 'x-api-key' );
    // Compare in constant time so response timing does not leak the key, and keep the
    // real key out of source control (load it from an option or constant instead of a literal).
    return hash_equals( 'YOUR_SECURE_KEY_HERE', $token );
}
Step 4: Add a POST Endpoint
To allow external apps to create something (like a booking or custom order):
register_rest_route( 'myplugin/v1', '/create-note', [
    'methods'             => 'POST',
    'callback'            => 'myplugin_create_customer_note',
    'permission_callback' => 'is_user_logged_in',
] );
function myplugin_create_customer_note( WP_REST_Request $request ) {
    $user_id = get_current_user_id();
    $note    = sanitize_text_field( $request->get_param( 'note' ) );
    update_user_meta( $user_id, 'custom_note', $note );
    return rest_ensure_response( [ 'success' => true, 'note' => $note ] );
}
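The Step 4 route above sanitizes inside the callback only. The following is an added example, not code from the original tutorial, showing the same route with an args schema so that WordPress rejects bad input before the callback runs; the function and meta-key names are the tutorial's, while the 500-character limit and the 'read' capability check are chosen for the example.

```php
<?php
// Added example: the Step 4 POST route with schema-level validation and sanitization.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/create-note', [
        'methods'             => WP_REST_Server::CREATABLE, // same as 'POST'
        'callback'            => 'myplugin_create_customer_note',
        // Cookie-authenticated callers must also send a valid X-WP-Nonce (action 'wp_rest');
        // without it core treats the request as anonymous and is_user_logged_in() is false.
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'read' );
        },
        'args'                => [
            'note' => [
                'required'          => true,
                'type'              => 'string',
                'minLength'         => 1,
                'maxLength'         => 500, // chosen limit: bounds what is stored in user meta
                // Naming a sanitize_callback replaces the default rest_parse_request_arg(),
                // which is what would otherwise validate the schema, so name the validator
                // explicitly or minLength/maxLength are silently ignored.
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ] );
} );

function myplugin_create_customer_note( WP_REST_Request $request ) {
    // Validation runs before sanitization: a body like '<b></b>' satisfies minLength
    // and then becomes '' once tags are stripped, so re-check the sanitized value.
    $note = $request->get_param( 'note' );
    if ( '' === $note ) {
        return new WP_Error( 'rest_invalid_param', 'Note is empty after sanitizing.', [ 'status' => 400 ] );
    }
    update_user_meta( get_current_user_id(), 'custom_note', $note );
    return rest_ensure_response( [ 'success' => true, 'note' => $note ] );
}
```

A missing 'note' or one over 500 characters now yields a 400 from core with the parameter named in the error, before any of your code runs.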
Calling the API (Examples)
GET request example:
GET /wp-json/myplugin/v1/product-price/123
POST request using fetch:
fetch('/wp-json/myplugin/v1/create-note', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        // Required for cookie authentication: without a valid nonce WordPress treats the
        // request as anonymous and is_user_logged_in() fails. wpApiSettings.nonce is the
        // value of wp_create_nonce( 'wp_rest' ) that core exposes when the 'wp-api' script is enqueued.
        'X-WP-Nonce': wpApiSettings.nonce,
    },
    credentials: 'include',
    body: JSON.stringify({ note: 'Hello from frontend!' }),
});
Testing Tools
- Use Postman or Insomnia for API testing
- WP-CLI: wp rest list to view routes
- rest_do_request() inside your plugin for internal REST calls
Tips
- Add namespace/v2 when versioning your API
- Use rest_ensure_response() for automatic JSON handling
- Always validate and sanitize request data
- Store tokens, settings, or flags using update_option() or update_user_meta()