OAuth2 is a protocol that allows partners and applications to interact with blogs on WordPress.com. The primary goal of providing OAuth2 support is to allow developers to interact with WordPress.com without storing sensitive credentials. Our implementation also allows users to manage their own connections.

If you are new to the world of OAuth, you can read more at http://oauth.net.
If you are already familiar with OAuth2, then all you really need to know about are the two end points: the authorization endpoint and the token endpoint.


Before you begin to develop an application using WordPress.com, you will need a client id and a client secret key. The client id and client secret key will be used to authenticate your application and verify that the calls being made to WordPress.com are valid. We are currently granting client access only on a limited basis.

Receiving an Access Token

To act on a user’s behalf and make calls from our API you will need an access token. To get an access token you need to go through the access token flow and prompt the user to authorize your application to act on his or her behalf.

Access tokens are per blog per user. This means that you will need a separate access token for each blog that a user owns and that you want access to.

To begin, you will need to send the user to the authorization end point.


client_id should be set to your application’s client id. response_type should always be set to “code”. redirect_uri should be set to the URL that the user will be redirected back to after the request is authorized. The redirect_uri is registered for your application and is given to you along with the client id and client secret key.

The redirect to your application will include a code which you will need in the next step. If the user has denied access to your app, the redirect will instead include “?error=access_denied”.

Optionally you may also pass along a blog parameter (&blog=) with the URL to a WordPress.com blog. If you do not pass along a URL, or if the user does not have administrative access to manage the blog you passed along, then the user will be prompted to select the blog they are granting you access to.

Once the user has authorized the request, he or she will be redirected to the redirect_uri. The request will look like the following:


This is a time-limited code that your application can exchange for a full authorization token. To do this you will need to pass the code to the token endpoint by making a POST request.

// Your application's credentials, as issued with the client id (placeholder values).
$client_id     = 'your_client_id';
$client_secret = 'your_client_secret';
$redirect_uri  = 'your_redirect_uri';

$curl = curl_init( "https://public-api.wordpress.com/oauth2/token" );
curl_setopt( $curl, CURLOPT_POST, true );
curl_setopt( $curl, CURLOPT_POSTFIELDS, array(
	'client_id'     => $client_id,
	'redirect_uri'  => $redirect_uri,
	'client_secret' => $client_secret,  // the secret, not the client id
	'code'          => $_GET['code'],   // the one-time code from the redirect
	'grant_type'    => 'authorization_code'
) );
curl_setopt( $curl, CURLOPT_RETURNTRANSFER, 1 );
$auth = curl_exec( $curl );
curl_close( $curl );
$secret = json_decode( $auth );
$access_key = $secret->access_token;

You are required to pass client_id, client_secret, and redirect_uri. These parameters have to match the details for your application. grant_type has to be set to “authorization_code”. code must match the code you received in the redirect.

If everything works correctly and the user grants authorization, you will get back a JSON-encoded string containing the token and some basic information about the blog:

{"access_token":"--------","token_type":"bearer","blog_id":"blog id","blog_url":"blog url"}

You now have an access token which should be stored securely with the blog id and blog url. Your application can now act on behalf of the user on this specific blog.

Making an API Call

WordPress.com’s API is XML-RPC based. In order to make an authenticated call to the XML-RPC API, you need to include your access token with the call. OAuth2 uses a bearer token, which is passed along in an Authorization header.

$access_key = "--------";
$curl = curl_init( "https://en.blog.wordpress.com/xmlrpc.php" );
curl_setopt( $curl, CURLOPT_HTTPHEADER, array( 'Authorization: Bearer ' . $access_key ) );
// blog id, username and password are left empty: the bearer token identifies the user and the blog
curl_setopt( $curl, CURLOPT_POSTFIELDS, xmlrpc_encode_request( "wp.getPages", array( '', '', '', 15 ) ) );
curl_setopt( $curl, CURLOPT_RETURNTRANSFER, 1 );
$response = curl_exec( $curl );
curl_close( $curl );
$pages = xmlrpc_decode( $response );

The above example would return 15 pages from the blog “en.blog.wordpress.com”. The blog URL you pass here must match the blog that the access key has access to.
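The whole flow above (authorization URL, redirect handling, token request, token response, authenticated XML-RPC call), assembled offline as an added example that is not WordPress.com's own code. The authorization endpoint URL and every client, blog and token value are assumed or constructed; the last function enforces the rule that the token is only ever sent to the blog it was issued for.

```python
import json
import xmlrpc.client
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed authorization endpoint (not quoted above); the token endpoint is the one above.
AUTHORIZE_URL = "https://public-api.wordpress.com/oauth2/authorize"

def build_authorize_url(client_id, redirect_uri, blog=None):
    """Step 1: the URL the user is sent to; blog is the optional &blog= hint."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri}
    if blog:
        params["blog"] = blog
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, registered_redirect_uri):
    """Step 2: pull the one-time code out of the redirect. Refuse a redirect that
    did not land on the registered URI, and surface ?error=access_denied."""
    parsed = urlparse(callback_url)
    landed = parsed._replace(query="", fragment="").geturl()
    if landed != registered_redirect_uri:
        raise ValueError("redirect landed on %s, not the registered URI" % landed)
    query = parse_qs(parsed.query)
    if "error" in query:
        raise PermissionError("user did not authorize: " + query["error"][0])
    return query["code"][0]

def token_request_fields(client_id, client_secret, redirect_uri, code):
    """Step 3: the POST body for the token endpoint (client_secret, not client_id)."""
    return {"client_id": client_id, "client_secret": client_secret, "redirect_uri": redirect_uri,
            "code": code, "grant_type": "authorization_code"}

def parse_token_response(body):
    """Parse the JSON reply; keep blog_id and blog_url next to the token."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data.get("token_type"))
    return data["access_token"], data["blog_id"], data["blog_url"]

def xmlrpc_request(token, target_blog_url, method, params):
    """Step 4: endpoint, headers and body for an authenticated XML-RPC call.
    The token is per blog, so refuse to send it to any other blog's xmlrpc.php."""
    access_token, _, blog_url = token
    if urlparse(target_blog_url).netloc != urlparse(blog_url).netloc:
        raise ValueError("token was issued for %s, not %s" % (blog_url, target_blog_url))
    endpoint = target_blog_url.rstrip("/") + "/xmlrpc.php"
    headers = {"Authorization": "Bearer " + access_token, "Content-Type": "text/xml"}
    # blog id, user and password stay empty: the bearer token identifies both
    body = xmlrpc.client.dumps(tuple(params), methodname=method)
    return endpoint, headers, body
```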

You can make similar calls to the other methods offered by our XML-RPC implementation. See the following entries on WordPress XML-RPC support and XML-RPC methods.

You will not need to pass blog id, user id, or password since you are passing an authorization key instead.