Error with nonce value when attempting to create a user in WordPress via Axios

I’m developing a Next.js application where I want to use WordPress as the backend for user registration through Axios. Recently, I’ve encountered an issue with nonce validation.

I have installed the required plugins for the JSON API and JSON API User. When I directly access the endpoint in my browser, it functions properly:

http://nextjs-headless-wordpress.local/api/users/create_user/[email protected]&user_password=password123&[email protected]&nonce=a1b2c3d4e5&display_name=Test%20User&u=admin&p=admin&insecure=cool

However, when I attempt to replicate this with my Axios code, I receive the error: Your 'nonce' value was incorrect. Use the 'get_nonce' API method.

Here’s the relevant part of my code:

axios.post('http://nextjs-headless-wordpress.local/wp-json/jwt-auth/v1/token', loginData)
.then(res => {
  if(res.data) {
    // Retrieve the nonce
    axios.get('http://nextjs-headless-wordpress.local/api/get_nonce/?controller=users&method=create_user')
    .then(response => {
      let nonceValue = response.data.nonce;
      console.log('Nonce received:', nonceValue);
      
      // Generate authentication cookie
      axios.get('http://nextjs-headless-wordpress.local/api/user/generate_auth_cookie/?insecure=cool&username=admin&password=admin')
      .then(cookieResponse => {
        // Attempt to create a new user
        axios.post('http://nextjs-headless-wordpress.local/api/users/create_user/?user_login=' + loginFields.email + '&user_password=' + loginFields.password + '&user_email=' + loginFields.email + '&nonce=' + nonceValue + '&display_name=' + loginFields.name + '&u=admin&p=admin&insecure=cool', {
          headers: { cookie: cookieResponse.data.cookie_name + '=' + cookieResponse.data.cookie, 'X-WP-Nonce': nonceValue }
        })
        .then(userCreationResponse => {
          console.log(userCreationResponse);
        }).catch(err => {
          console.log('Error creating user:', err);
        });
      }).catch(err => {
        console.log('Error generating cookie:', err);
      });
    }).catch(err => {
      console.log('Error fetching nonce:', err);
    });
  }
});

What could be causing the nonce error during my Axios call while the browser request works successfully? Any guidance would be greatly appreciated.

I ran into this exact same problem a few months back when integrating WordPress with React. The issue is likely that your nonce is being generated for a different user context than the one you’re using to create the user. When you access the endpoint directly in the browser, you’re authenticated as the admin user, but in your Axios flow, the authentication timing is off. Try moving the nonce generation after you’ve successfully authenticated and received the auth cookie. The nonce needs to be generated in the context of the authenticated admin session, not before it. Also, make sure you’re using the same authentication method consistently - either stick with the auth cookie approach or use JWT tokens, but don’t mix both in the same request flow. The WordPress nonce system is quite strict about matching the user session that generated it.

Had a similar headache with WP nonces last year. You’re putting the nonce in both URL params AND headers, which can confuse WordPress. Try removing the nonce from the URL and just use the X-WP-Nonce header instead. Also double check your nonce isn’t expiring between requests - they time out pretty quick in WP.

The nonce validation failure happens because you’re generating the nonce before establishing the proper WordPress session context. In my experience with similar setups, the sequence matters critically - WordPress validates nonces against the current user session state. Your browser request works because you’re already logged into WordPress admin, but your Axios chain doesn’t maintain session continuity properly. Instead of chaining all these requests sequentially, try generating the nonce immediately after the auth cookie is successfully created and before making the user creation call. Also verify that the cookie is being sent correctly in subsequent requests - WordPress might not be recognizing your session. The JSON API User plugin can be finicky about session handling when requests come from external origins.
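The session mismatch the answers above describe, as an added example that is not part of the original thread or the plugin's code: an in-memory model of the three endpoints from the question, run in both request orders. The toy hash (WordPress itself uses a salted HMAC), the salt, cookie and token values, and the action string are assumptions constructed for illustration.

```javascript
// Added example: in-memory model, not the JSON API plugin's real code.
const SALT = 'constructed-salt';
const HALF_LIFE = 12 * 3600;                 // core default: 24h nonce life, two 12h ticks
const ACTION = 'json_api-users-create_user'; // assumed action name
const sessions = { 'constructed-admin-cookie': { uid: 1, token: 'constructed-token' } };

// Stand-in for WordPress's keyed hash (FNV-1a, illustration only).
function toyHash(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// WordPress binds a nonce to tick | action | user id | session token.
function nonceFor(tick, session) {
  return toyHash([SALT, tick, ACTION, session.uid, session.token].join('|'));
}

// Stub server: the cookie sent with a request decides which user it runs as.
function server(endpoint, { cookie, nonce, now }) {
  const session = sessions[cookie] || { uid: 0, token: '' }; // no cookie = anonymous
  const tick = Math.ceil(now / HALF_LIFE);
  if (endpoint === 'generate_auth_cookie') return { cookie: 'constructed-admin-cookie' };
  if (endpoint === 'get_nonce') return { nonce: nonceFor(tick, session) };
  // create_user: accept a nonce from the current or previous tick, same user and session.
  const ok = [tick, tick - 1].some(t => nonce === nonceFor(t, session));
  return ok
    ? { status: 'ok' }
    : { status: 'error', error: "Your 'nonce' value was incorrect. Use the 'get_nonce' API method." };
}

// Order in the question: nonce fetched anonymously, cookie attached only to create_user.
function nonceThenCookie(now) {
  const { nonce } = server('get_nonce', { now });
  const { cookie } = server('generate_auth_cookie', { now });
  return server('create_user', { cookie, nonce, now }).status;
}

// Order the answers suggest: cookie first, then the same cookie on both later calls.
function cookieThenNonce(now, delaySeconds = 0) {
  const { cookie } = server('generate_auth_cookie', { now });
  const { nonce } = server('get_nonce', { cookie, now });
  return server('create_user', { cookie, nonce, now: now + delaySeconds }).status;
}
```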