With the WordPress REST API Authentication plugin by miniOrange you can protect WP REST API endpoints from public access.

With the free version of this plugin, authentication cannot be added to third-party APIs (like FacetWP’s). However, with the default settings enabled, this plugin will unexpectedly block access to FacetWP’s /facetwp/v1/refresh and /facetwp/v1/fetch endpoints.

The /facetwp/v1/fetch endpoint is already closed by default, to protect your data. (If you are building a custom application that needs access, you can enable it.) But the /facetwp/v1/refresh endpoint should be open, because FacetWP uses it in the front-end for filtering. So this block will cause 403 or 401 errors on refresh (when filtering), leading to non-functioning facets.

Depending on what you intend to do, you can fix this issue by upgrading to a suitable premium plan of this plugin, adding authentication to the /facetwp/v1/refresh endpoint, and adding this fix to pass authentication data to the API request. Your facets will then only work for logged-in users (or better: on pages visible only to logged-in users).

To prevent 403 errors, disable FacetWP’s refresh API endpoint in the “Protected REST APIs” settings list.

Or you can disable protection for FacetWP’s /facetwp/v1/refresh endpoint. To do so, open the “Protected REST APIs” settings, open the “Un-Authenticated WordPress Custom REST APIs” tab, and scroll to /facetwp/v1. Uncheck the /facetwp/v1/refresh option. Leave the /facetwp/v1/fetch option checked.
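
To confirm the setting took effect, the following added example (not code from FacetWP or the miniOrange plugin) sends anonymous requests to both endpoints and reports any route that is not in the intended state: refresh open, fetch closed. It assumes the default /wp-json REST prefix and that both routes accept POST; the function names are hypothetical.

```python
import sys
import urllib.error
import urllib.request

# Intended state per the page: refresh open to anonymous visitors, fetch closed.
EXPECTED = {"/facetwp/v1/refresh": "open", "/facetwp/v1/fetch": "closed"}


def classify(status):
    """Map the HTTP status of an anonymous request to an access state."""
    if status in (401, 403):
        return "closed"   # rejected by an authentication/permission check
    if status == 404:
        return "missing"  # route not registered (prefix, method or plugin state)
    return "open"         # passed authentication; an empty body may still error


def probe(base_url, route, timeout=10):
    """Send an anonymous POST with an empty JSON body; return the HTTP status."""
    # Assumptions: default /wp-json REST prefix, and both routes accept POST.
    url = base_url.rstrip("/") + "/wp-json" + route
    req = urllib.request.Request(url, data=b"{}", method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(statuses):
    """Return one finding per route whose observed state differs from EXPECTED."""
    findings = []
    for route, want in EXPECTED.items():
        got = classify(statuses[route])
        if got != want:
            findings.append(f"{route}: expected {want}, got {got} (HTTP {statuses[route]})")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 2:
        observed = {route: probe(sys.argv[1], route) for route in EXPECTED}
    else:
        # Constructed sample: the blocked state described above (both routes 401).
        observed = {"/facetwp/v1/refresh": 401, "/facetwp/v1/fetch": 401}
    print("\n".join(audit(observed)) or "OK: refresh is open, fetch is closed")
```

Run it with your site's canonical URL as the only argument, from a session with no WordPress login cookies. urllib follows 301/302 redirects with a GET, so a redirecting URL can make a route report as missing.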

Last updated: July 29, 2024