Wordpress - Nonce retrieved from the REST API is invalid and different from nonce generated in wp_localize_script
Take a closer look at the function rest_cookie_check_errors()
.
When you get the nonce via /wp-json/nonce/v1/get
, you're not sending a nonce in the first place. So this function nullifies your authentication, with this code:
if ( null === $nonce ) {
// No nonce at all, so act as if it's an unauthenticated request.
wp_set_current_user( 0 );
return true;
}
That's why you're getting a different nonce from your REST call vs getting it from the theme. The REST call is intentionally not recognizing your login credentials (in this case via cookie auth) because you didn't send a valid nonce in the get request.
Now, the reason your wp_loaded code worked was because you got the nonce and saved it to a global before this rest code nullified your login. The verify fails because the rest code nullifies your login before the verify takes place.