REST API Authentication on client-side requests

Hello everyone,

I tried searching for an issue similar to mine but nothing came up.

I’m trying to use the GF V2 REST API but something came up while I was exploring it.

This is going to be used in a headless WordPress project, where the frontend will be built using a React framework (Frontity). I want to use Gravity Forms as my forms solution, so I need to use its API.

My plan is to just make a form in React and then onSubmit make the form send the POST request to the form entry endpoint. However, in order to do that, I have to use authentication. And since I’m going to do this with JavaScript, the authentication will be client-side.

I’m trying to figure out a way of hiding the client-side Consumer Key and Consumer Secret. My main concern is that with the credentials that have write permissions (the ones I have to use to submit the entries) someone can use those same credentials to delete entries.

Am I missing something? Any best practices that I should be aware of?

I’m pretty sure this endpoint is public and doesn’t require authentication to submit new form entries: https://docs.gravityforms.com/rest-api-v2/#post-forms-form-id-submissions


Thank you for your suggestion, I actually wasn’t using that endpoint.

I did just try to POST with no authentication and it never works, I always get this response:

{
    "is_valid": false,
    "validation_messages": {
        "1": "This field is required.",
        "2": "This field is required."
    },
    "page_number": 1,
    "source_page_number": 1
}

Even though I’m sending information with the correct field keys in the JSON object.
In my logs, I get this:

2020-08-03 11:28:25.155483 - DEBUG --> GF_REST_Authentication::authenticate(): Running. 
2020-08-03 11:28:25.168237 - DEBUG --> GF_REST_Authentication::perform_basic_authentication(): Running. 
2020-08-03 11:28:25.168459 - ERROR --> GF_REST_Authentication::perform_basic_authentication(): Aborting; credentials not found. 
2020-08-03 11:28:25.168644 - DEBUG --> GF_REST_Authentication::perform_oauth_authentication(): Running. 
2020-08-03 11:28:25.168960 - ERROR --> GF_REST_Authentication::perform_oauth_authentication(): Aborting; OAuth parameters not found. 

Which leads me to believe that it does need authentication. What do you think?

This response is not about authentication; it’s about missing a required field. Ensure that all the required data is being submitted, or try making the field (not required) and test again (without authentication). Thank you.

Well, I tried that already.
If I make the fields not required then I get an error message stating that one of the fields must be filled.
Just for reference, here is the body of my request:

{
    "input_1": "test",
    "input_2": "test@test.com",
    "field_values": "",
    "source_page":  1,
    "target_page":  0
}

That is a different sort of error. You must submit a value in one of the fields, that is true. Why are you not sending any values, whether or not the fields are required?
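
As an added example (not code from the thread or from Gravity Forms): a browser-side helper for the submissions endpoint linked above that sends no Consumer Key or Consumer Secret, and maps the `validation_messages` reply shown in the thread to per-input errors. The site URL, the `/wp-json/gf/v2` route prefix and all function names are assumptions.

```javascript
// Added example; SITE and the /wp-json/gf/v2 prefix are assumptions.
const SITE = "https://example.com"; // placeholder site URL

// Build fetch() arguments for POST /forms/{id}/submissions.
// No consumer key or secret is attached, so nothing secret ships to the browser.
function buildSubmission(formId, values) {
  if (!Number.isInteger(formId) || formId <= 0) {
    throw new TypeError("formId must be a positive integer");
  }
  const body = {};
  for (const [fieldId, value] of Object.entries(values)) {
    // Accept only plain numeric field ids such as "1" or "2".
    if (!/^\d+$/.test(fieldId)) throw new TypeError(`bad field id: ${fieldId}`);
    body[`input_${fieldId}`] = String(value);
  }
  return {
    url: `${SITE}/wp-json/gf/v2/forms/${formId}/submissions`,
    init: {
      method: "POST",
      credentials: "omit", // do not send cookies either
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    },
  };
}

// Map the endpoint's reply (shape as in the thread) to per-input errors.
function readResult(reply) {
  if (reply && reply.is_valid === true) return { ok: true, errors: {} };
  const errors = {};
  const messages = (reply && reply.validation_messages) || {};
  for (const [fieldId, message] of Object.entries(messages)) {
    errors[`input_${fieldId}`] = String(message);
  }
  return { ok: false, errors };
}

// Glue for an onSubmit handler; fetchImpl is injectable for testing.
async function submitForm(formId, values, fetchImpl = fetch) {
  const { url, init } = buildSubmission(formId, values);
  const response = await fetchImpl(url, init);
  return readResult(await response.json());
}
```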