Resources/The Agent API Atlas/E-commerce/WooCommerce

Everything an AI agent can do with the WooCommerce API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints31

API versionv3

Last updated23 June 2026

Orientation

How the WooCommerce API works.

The WooCommerce API is how an app or AI agent works with an online store: listing products, updating stock, reading and fulfilling orders, managing customers, and issuing refunds. Access is granted through an API key generated for a store user, and that key is set to read, write, or read and write when it is created, which bounds every call the key can make. WooCommerce can also push an event to a registered endpoint when a resource is created, updated, or deleted.

31Endpoints

8Capability groups

13Read

18Write

2Permissions

Authentication

WooCommerce authenticates a call with an API key, a consumer key and consumer secret pair generated for a specific WordPress user inside the store. Over HTTPS the pair is sent as HTTP Basic auth, with the consumer key as the username and the consumer secret as the password. Over plain HTTP the API requires OAuth 1.0a one-legged signing instead, so the credentials cannot be read in transit.

Permissions

Each API key is set to one permission level when it is created: read, write, or read and write. That level applies to the whole key, so there are no per-resource scopes, a read key can call every read method and nothing else. The key also inherits the capabilities of the WordPress user it belongs to, so a key tied to a limited user reaches only what that user could.

Versioning

WooCommerce versions its REST API in the request path. The current namespace is wc/v3, served under the store at /wp-json/wc/v3, and the older wc/v1 and wc/v2 namespaces remain for existing integrations. A store also reports the WooCommerce plugin version, which is separate from the API namespace.

Data model

WooCommerce is resource-oriented REST running inside WordPress: JSON requests and responses under predictable /wp-json/wc/v3/ paths. Core resources are products and their categories and variations, orders and their notes and refunds, customers, and coupons. A list returns at most 100 items per page, and most resources offer a batch endpoint that creates, updates, and deletes many records in one call.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to WooCommerce determines what it can reach. There is a route for making calls against a store with an API key, a route for receiving events when something changes, and a first-party server that exposes WooCommerce as agent tools, and each is governed by the key behind it and the permission level that key carries.

Ways to connect

REST API

The REST API runs inside WordPress under the store's domain at /wp-json/wc/v3, taking and returning JSON. A call authenticates with a consumer key and consumer secret, sent as HTTP Basic auth over HTTPS or signed with OAuth 1.0a over plain HTTP. Lists are page-based with a per_page cap of 100, and most resources offer a batch endpoint.

Best forConnecting an app or AI agent to a WooCommerce store.

Governed byThe API key and its read, write, or read and write permission level.

Docs ↗

Webhooks

WooCommerce POSTs the changed resource as JSON to a registered URL when a coupon, customer, order, or product is created, updated, or deleted. Each delivery carries X-WC-Webhook-Topic, X-WC-Webhook-Resource, and X-WC-Webhook-Event headers, plus an X-WC-Webhook-Signature header (a base64 HMAC-SHA256 of the payload) so the receiver can verify it. Deliveries are sent in the background, by default through wp-cron.

Best forReceiving WooCommerce events at an app or AI agent.

Governed byThe webhook's secret and the user that created it.

Docs ↗

MCP server (developer preview)

WooCommerce ships a first-party Model Context Protocol server, built with Automattic on the WordPress Abilities system, that exposes store tools to AI agents and clients like Claude. An agent connects through the @automattic/mcp-wordpress-remote local proxy, which speaks MCP over stdio and translates calls into authenticated HTTP requests to the store. It authenticates with a WooCommerce REST API key and currently exposes product and order management plus REST-derived compatibility tools. It is in developer preview, so details may change.

Best forConnecting an AI agent to a WooCommerce store through MCP.

Governed byThe REST API key and its permission level.

Docs ↗

Authentication

API key over HTTPS (Basic auth)

A consumer key and consumer secret are generated for a WordPress user in the store's WooCommerce settings. Over HTTPS they are sent as HTTP Basic auth, the consumer key as the username and the consumer secret as the password. The key carries one permission level, read, write, or read and write, set when it is created, and inherits the capabilities of the user it belongs to.

TokenConsumer key + consumer secret (ck_... / cs_...)

Best forServer-side calls to a store served over HTTPS.

Docs ↗

API key over HTTP (OAuth 1.0a)

When the store is served over plain HTTP, the same consumer key and secret are used to sign each request with OAuth 1.0a one-legged authentication, rather than sent directly, so they cannot be intercepted in transit. The signing uses the consumer key, a timestamp, a nonce, and an HMAC signature over the request.

TokenConsumer key + consumer secret, OAuth 1.0a signed

Best forCalls to a store that is not served over HTTPS.

Docs ↗

Capability map

What an AI agent can do in WooCommerce.

The WooCommerce API is split into areas an agent can act on, like products, orders, customers, coupons, and refunds. Each area has its own methods, and writes in some areas change what shoppers see or move money back to a customer.

Products

6 endpoints

Methods for working with products in the catalog.

A write here changes what shoppers see in the store.

View endpoints →

Product categories

3 endpoints

Methods for working with product categories.

A write here changes how the catalog is organized.

View endpoints →

Orders

8 endpoints

Methods for working with orders and order notes.

A write here changes a real order or its status.

View endpoints →

Refunds

2 endpoints

Methods for working with refunds against orders.

A write here moves money back to a customer.

View endpoints →

Customers

3 endpoints

Methods for working with customer accounts.

A write here changes real customer records.

View endpoints →

Coupons

3 endpoints

Methods for working with discount coupons.

A write here changes discounts shoppers can claim.

View endpoints →

Reports

3 endpoints

Read-only sales and totals reports.

Read-only; exposes store sales and totals.

View endpoints →

Webhooks

3 endpoints

Methods for managing webhook subscriptions.

A write here changes where store events are sent.

View endpoints →

Endpoint reference

Every WooCommerce API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Products Methods for working with products in the catalog.6
GET	`/wc/v3/products`	List all products in the store (page-based).	read	`read`	Current
Any read or read/write key can call this. Acts onproduct Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/wc/v3/products/`	Retrieve a single product by ID.	read	`read`	Current
Any read or read/write key can call this. Acts onproduct Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/products`	Create a new product in the catalog.	write	`write`	Current
Needs a write or read/write key. Acts onproduct Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`product.created` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/wc/v3/products/`	Update an existing product, like its price or stock.	write	`write`	Current
Needs a write or read/write key. Acts onproduct Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`product.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/wc/v3/products/`	Delete a product, or move it to the trash unless force is set.	write	`write`	Current
Needs a write or read/write key; pass force=true to permanently delete. Acts onproduct Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`product.deleted` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/products/batch`	Create, update, and delete many products in one request.	write	`write`	Current
Needs a write or read/write key; up to 100 objects per call. Acts onproduct Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Product categories Methods for working with product categories.3
GET	`/wc/v3/products/categories`	List all product categories.	read	`read`	Current
Any read or read/write key can call this. Acts onproduct_cat Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/products/categories`	Create a new product category.	write	`write`	Current
Needs a write or read/write key. Acts onproduct_cat Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/wc/v3/products/categories/`	Update an existing product category.	write	`write`	Current
Needs a write or read/write key. Acts onproduct_cat Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Orders Methods for working with orders and order notes.8
GET	`/wc/v3/orders`	List all orders (page-based, filterable by status and date).	read	`read`	Current
Any read or read/write key can call this; returns customer and line-item data. Acts onorder Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/wc/v3/orders/`	Retrieve a single order by ID.	read	`read`	Current
Any read or read/write key can call this. Acts onorder Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/orders`	Create a new order, setting line items, customer, and status.	write	`write`	Current
Needs a write or read/write key. Acts onorder Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`order.created` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/wc/v3/orders/`	Update an order, like changing its status or line items.	write	`write`	Current
Needs a write or read/write key; setting status drives fulfillment. Acts onorder Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`order.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/wc/v3/orders/`	Delete an order, or move it to the trash unless force is set.	write	`write`	Current
Needs a write or read/write key; pass force=true to permanently delete. Acts onorder Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`order.deleted` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/orders/batch`	Create, update, and delete many orders in one request.	write	`write`	Current
Needs a write or read/write key; up to 100 objects per call. Acts onorder Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/wc/v3/orders//notes`	List the notes attached to an order.	read	`read`	Current
Any read or read/write key can call this. Acts onorder_note Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/orders//notes`	Add a note to an order, optionally visible to the customer.	write	`write`	Current
Needs a write or read/write key; a customer-visible note can email the customer. Acts onorder_note Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Refunds Methods for working with refunds against orders.2
GET	`/wc/v3/orders//refunds`	List the refunds recorded against an order.	read	`read`	Current
Any read or read/write key can call this. Acts onorder_refund Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/orders//refunds`	Create a refund against an order, fully or partially.	write	`write`	Current
Needs a write or read/write key; with api_refund set, it sends money back through the payment gateway. Acts onorder_refund Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Customers Methods for working with customer accounts.3
GET	`/wc/v3/customers`	List all customers (page-based).	read	`read`	Current
Any read or read/write key can call this; returns names, emails, and addresses. Acts oncustomer Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/customers`	Create a new customer account.	write	`write`	Current
Needs a write or read/write key. Acts oncustomer Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`customer.created` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/wc/v3/customers/`	Update an existing customer's details.	write	`write`	Current
Needs a write or read/write key. Acts oncustomer Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`customer.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
Coupons Methods for working with discount coupons.3
GET	`/wc/v3/coupons`	List all discount coupons.	read	`read`	Current
Any read or read/write key can call this. Acts oncoupon Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/coupons`	Create a new discount coupon.	write	`write`	Current
Needs a write or read/write key. Acts oncoupon Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`coupon.created` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/wc/v3/coupons/`	Update an existing coupon's terms.	write	`write`	Current
Needs a write or read/write key. Acts oncoupon Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`coupon.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
Reports Read-only sales and totals reports.3
GET	`/wc/v3/reports/sales`	Retrieve a sales report over a date range.	read	`read`	Current
Read-only; exposes store revenue and totals. Acts onreport Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/wc/v3/reports/top_sellers`	Retrieve the top-selling products over a date range.	read	`read`	Current
Read-only. Acts onreport Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/wc/v3/reports/orders/totals`	Retrieve order counts grouped by status.	read	`read`	Current
Read-only. Acts onreport Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks Methods for managing webhook subscriptions.3
GET	`/wc/v3/webhooks`	List all webhook subscriptions in the store.	read	`read`	Current
Any read or read/write key can call this. Acts onwebhook Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/wc/v3/webhooks`	Create a webhook that POSTs to a URL when a topic fires.	write	`write`	Current
Needs a write or read/write key; sets the topic and delivery URL. Acts onwebhook Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/wc/v3/webhooks/`	Delete a webhook subscription.	write	`write`	Current
Needs a write or read/write key; pass force=true to permanently delete. Acts onwebhook Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

WooCommerce can notify an app when something happens in a store, like an order being created or a product being updated. It sends the changed resource as JSON with headers naming the topic, resource, and event, and signs each delivery so the receiver can confirm it came from the store.

Event	What it signals	Triggered by
`order.created`	A new order was created. The payload is the order resource, the same JSON returned by the orders API.	`/wc/v3/orders`
`order.updated`	An order changed, like its status moving to processing or completed.	`/wc/v3/orders/`
`order.deleted`	An order was deleted or trashed.	`/wc/v3/orders/`
`product.created`	A new product was created in the catalog.	`/wc/v3/products`
`product.updated`	A product changed, like its price, stock, or status.	`/wc/v3/products/`
`product.deleted`	A product was deleted or trashed.	`/wc/v3/products/`
`customer.created`	A new customer account was created.	`/wc/v3/customers`
`customer.updated`	A customer's details changed.	`/wc/v3/customers/`
`coupon.created`	A new coupon was created.	`/wc/v3/coupons`
`coupon.updated`	A coupon's terms changed.	`/wc/v3/coupons/`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

WooCommerce core enforces no rate limit of its own, so how fast an app can call depends on the WordPress host that runs the store. Lists are capped at 100 items per page.

Request rate

WooCommerce core does not enforce a rate limit of its own, so how fast an app or agent can call is set by the WordPress host that runs the store, like its PHP worker count, memory, and any rate limiting the host or a security plugin adds. There is no documented per-method cost or quota, and going too fast surfaces as host-level errors (such as a 429 or 503 from the host) rather than an API limit. WooCommerce's own newer Store API has separate, documented rate limiting, but the v3 REST API used here does not.

Pagination

A list endpoint is page-based: page sets which page to return (1-based, default 1) and per_page sets the page size (default 10, maximum 100). An offset parameter can skip a number of records from the start. The response carries an X-WP-Total header with the total number of records and an X-WP-TotalPages header with the total number of pages, and a Link header gives next, prev, first, and last page URLs.

Request size

A list endpoint returns at most 100 records per page, the maximum value of per_page; fetching more means paging through with page or offset. A batch request processes many records in a single call, capped at 100 objects per request across its create, update, and delete arrays combined.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`woocommerce_rest_invalid_*`	The request was bad: a parameter is missing or invalid. The JSON body carries code, message, and a data.status of 400.	Read the message, fix the parameters, and resend. The request is not retryable as-is.
401	`woocommerce_rest_authentication_error / woocommerce_rest_cannot_*`	Authentication failed, or the key lacks permission for the request, like a read key attempting a write.	Confirm the consumer key and secret are correct and that the key has the needed permission level, then resend.
404	`woocommerce_rest_*_invalid_id`	The requested resource does not exist or is not visible to this key.	Verify the resource ID and that it exists in this store, then resend.
500	`internal_server_error`	An error on the server side, often from the WordPress host running the store.	Retry with backoff, and check the host or store logs if it persists.

Versioning & freshness

Version history.

WooCommerce versions its REST API by a path segment, where v3 is the current namespace and earlier v1 and v2 namespaces remain for older integrations.

Version history

What changed, and when

Latest versionv3

v3Current version

Current namespace (wc/v3)

The current REST API namespace, served under the store at /wp-json/wc/v3. It is versioned by the path segment rather than by a dated string, and tracks the WooCommerce plugin as it ships features through plugin releases. The older wc/v1 and wc/v2 namespaces remain available for existing integrations.

What changed

Resource-oriented REST for products, orders, customers, coupons, refunds, reports, and webhooks.
Batch endpoints create, update, and delete up to 100 objects per call.
API key permission level is read, write, or read and write, set when the key is created.

wc/v2 namespace

An earlier REST API namespace, served at /wp-json/wc/v2, still available for integrations built against it.

wc/v1 namespace

The first WooCommerce-namespaced REST API, served at /wp-json/wc/v1, kept for older integrations.

Target the v3 namespace for new integrations; v1 and v2 stay available for older code.

WooCommerce release posts ↗

Questions

WooCommerce API, answered.

How does an AI agent authenticate to WooCommerce?+

With a REST API key, a consumer key and consumer secret pair created under WooCommerce settings for a chosen WordPress user. Over HTTPS the pair is sent as HTTP Basic auth, the consumer key as the username and the consumer secret as the password. Over plain HTTP the API instead requires OAuth 1.0a one-legged signing so the credentials are not exposed in transit.

What do the read, write, and read/write key permissions control?+

The permission level is chosen when the API key is created and applies to the entire key, there are no per-resource scopes. A read key can call every GET method and nothing that changes data; a write key can create, update, and delete; a read and write key can do both. To limit a key further, tie it to a WordPress user whose own capabilities are limited, since the key inherits that user's permissions.

Does the WooCommerce REST API have rate limits?+

WooCommerce core does not enforce one on the v3 REST API. Throughput is bounded by the WordPress host running the store and by any limiting a host or security plugin adds, not by a documented API quota. Going too fast usually surfaces as a host error like a 429 or 503 rather than an API-level rate-limit response. The newer Store API is separate and does document its own rate limiting.

How do I update many records at once?+

Most resources expose a batch endpoint, such as POST /wc/v3/products/batch, that takes create, update, and delete arrays in one request. It processes up to 100 objects per call across those arrays combined, which is faster and avoids hitting the per-request overhead of many separate calls.

How do webhooks confirm a delivery really came from the store?+

Each webhook POST carries an X-WC-Webhook-Signature header, a base64-encoded HMAC-SHA256 hash of the payload computed with the webhook's secret. The receiver recomputes the hash over the raw body and compares it. The request also carries X-WC-Webhook-Topic, X-WC-Webhook-Resource, and X-WC-Webhook-Event headers naming what changed.

What does an error response look like?+

An error returns an HTTP status code and a JSON body with three fields: code (a machine-readable string like woocommerce_rest_term_invalid), message (a human-readable description), and data (which includes the numeric status). Common statuses are 400 for a bad request, 401 for an authentication or permission failure, 404 for a missing resource, and 500 for a server error.

What is Bollard AI?

Control what every AI agent can do in WooCommerce.

Bollard AI sits between a team's AI agents and WooCommerce. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared store API key.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control WooCommerce access in Bollard Browse all APIs →

WooCommerce

Store Ops Agent

View orders ResourceOffReadFull use

Issue refunds ActionOffReadFull use

Products ResourceOffReadFull use

Customers ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in WooCommerce

How the WooCommerce API works.

Connection & authentication methods.

REST API

Webhooks

MCP server (developer preview)

API key over HTTPS (Basic auth)

API key over HTTP (OAuth 1.0a)

What an AI agent can do in WooCommerce.

Products

Product categories

Orders

Refunds

Customers

Coupons

Reports

Webhooks

Every WooCommerce API method.

Products

Product categories

Orders

Refunds

Customers

Coupons

Reports

Webhooks

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

WooCommerce API, answered.

More e-commerce API guides for agents

BigCommerce

Gumroad

EasyPost

Lemon Squeezy

Magento

Shippo

Control what every AI agent can do in WooCommerce.