PHPackages iamntz/oauthclient.wp - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. iamntz/oauthclient.wp ActiveLibrary[Authentication & Authorization](/categories/authentication) iamntz/oauthclient.wp ===================== Oauth Client for WP 475PHP Since Nov 12Pushed 7y ago1 watchersCompare [ Source](https://github.com/iamntz/oauthclient.wp)[ Packagist](https://packagist.org/packages/iamntz/oauthclient.wp)[ RSS](/packages/iamntz-oauthclientwp/feed)WikiDiscussions master Synced yesterday READMEChangelogDependenciesVersions (1)Used By (0) What is this? ------------- [](#what-is-this) A class that will help you to connect with the WP REST Api over oAuth 1.0a authentification. It requires [OAuth1](https://oauth1.wp-api.org/) plugin to be installed. Installing ---------- [](#installing) ``` composer require iamntz/oauthclient.wp ``` Using ----- [](#using) ``` $client = new \iamntz\oauthClient\OauthClientWP([ 'url' => $restEndpoint, 'secret' => 'my-wp-secret', 'key' => 'my-wp-key', ]); $client->setNamespace('my_namespace'); $client->setCallbackUrl(add_query_arg('my_namespace_oauth_callback', 1, home_url('/'))); $client->setCallbackHashValidator('hashValidator'); ``` After you init the class, you can make the auth process: ``` $client->getToken() ``` Will give you an array with either `ok` on the `status` key and a permanent token, or a `request` on the `status` key with a `redirect` value to start the auth process. Once you're auth-ed, you can start making calls, e.g.: ``` $client->api('wp/v2/users/me'); ``` #### A word about `hashValidator` [](#a-word-about-hashvalidator) If you're using a simple set-up like one server+one client, this shouldn't worry you too much, because you can set a certain „blessed” domain and that's that. But how do you deal with a multi-client set-up? I took a look at a different systems, and I decided that the best way is to use a common secret passphrase that will be used on all servers; one you could define on either `wp-config.php` (via a constant), or via an option field. Here is how you can do it via `wp-config.php` (added on both server **AND** client!): ``` define('OAUTH_SECRET_KEY', 'KH1tgux%14CJ9tUi*TN5faZrj@!5l1N1h$U*G^4+Vfs(BJVKSO'); ``` Then you can write a small function that will also be used on both server AND client: ``` function hashValidator($str) { $string = implode('|', [OAUTH_SECRET_KEY, $message]); return hash_hmac('sha1', $string, OAUTH_SECRET_KEY); } ``` Having this in place, is time to whitelist signed domains. To do so, we will use several methods: ``` function getDomainSignature() { return isset($_REQUEST['my_namespace_hash']) ? sanitize_text_field(wp_unslash($_REQUEST['my_namespace_hash'])) : ''; } function maybeWhitelistDomain($valid) { if (OAUTH_SECRET_KEY === getDomainSignature()) { return true; } return $valid; } function whietlistField($consumer) { printf('', esc_attr(getDomainSignature())); } add_filter('rest_oauth.check_callback', 'maybeWhitelistDomain'); add_action('oauth1_authorize_form', 'whietlistField'); ``` Yes, the `my_namespace` part should be the same as in the previous section! #### A word about `POST`ing data [](#a-word-about-posting-data) The current implementation of the OAuth plugin doesn't respect the oauth standard, so all `$_POST` data is counted when signing requests. At this moment there is [PR opened](https://github.com/WP-API/OAuth1/pull/206), so you will need to either use @tsmd's version or make the required changes all by yourself. Like it? -------- [](#like-it) You can get [hosting](https://m.do.co/c/c95a44d0e992), [donate](https://www.paypal.me/iamntz) or buy me a [gift](http://iamntz.com/wishlist). License ------- [](#license) MIT. ### Health Score 22 — LowBetter than 21% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity13 Limited adoption so far Community7 Small or concentrated contributor base Maturity39 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Community Maintainers ![](https://www.gravatar.com/avatar/5e9ccfed015f7f50e1be8516c662566e7defbcb483b2f0505199912ed3302032?d=identicon)[iamntz](/maintainers/iamntz) --- Top Contributors [![iamntz](https://avatars.githubusercontent.com/u/132062?v=4)](https://github.com/iamntz "iamntz (5 commits)") --- Tags wordpress-oauthwordpress-rest-apiwordpress-utility ### Embed Badge ![Health badge](/badges/iamntz-oauthclientwp/health.svg) ``` [![Health](https://phpackages.com/badges/iamntz-oauthclientwp/health.svg)](https://phpackages.com/packages/iamntz-oauthclientwp) ``` ### Alternatives [kartik-v/yii2-password Useful password strength validation utilities for Yii Framework 2.0 761.2M17](/packages/kartik-v-yii2-password) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)