WooCommerce is a WordPress plugin, not a hosted SaaS — that's the most important fact. Every store is a different WordPress install, with different plugins, different PHP versions, and sometimes different REST endpoints. The Sales Channel WooCommerce provider targets the standard WooCommerce REST API but layers in compatibility checks for the most common variations.
Auth: REST keys, not OAuth
WooCommerce uses consumer key / consumer secret auth, not OAuth. The user generates a key pair under WP-Admin → WooCommerce → Settings → Advanced → REST API and pastes them into the connect form:
{
"siteUrl": "https://acme.example.com",
"consumerKey": "ck_...",
"consumerSecret": "cs_...",
"wpRestEnabled": true
}
Authentication is HTTP Basic over HTTPS. Over HTTP, WooCommerce falls back to OAuth 1.0a signed requests — the provider supports both but prefers Basic over HTTPS, which is the only safe configuration in production.
REST vs WP REST
WooCommerce exposes two API surfaces:
/wp-json/wc/v3/*— the WooCommerce REST API (products, orders, customers, etc.)./wp-json/wp/v2/*— the WordPress REST API (posts, pages, media).
The provider primarily uses wc/v3. WordPress media uploads (product images, especially for new product creation) use wp/v2/media — that's why wpRestEnabled matters. If WP REST is disabled (some hosts and security plugins do this), image uploads fail with 404 and you'll need to upload media via FTP or admin instead.
Variations
WooCommerce variable products store their variations as separate records under /products/:id/variations. Pushing a variable product is a two-step dance:
POST /productswithtype: "variable"and the attributes (pa_size,pa_color, etc.).- For each variation,
POST /products/:id/variationswith the attribute values, SKU, price, stock.
The provider handles this transparently — push a Storefront product with variants and it creates the parent + each variation in sequence. Variation sync is the slowest part of a Woo push since it's N+1 calls.
Plugin compatibility
The biggest source of integration pain. Common plugin classes that affect the API:
| Plugin class | Impact |
|---|---|
| Caching (WP Rocket, W3 Total Cache) | Stale product/inventory reads. Add ?cache=false or exclude /wp-json/ from cache. |
| Security (Wordfence, iThemes) | May block API IPs or rate-limit. Whitelist the AppEngine IP range. |
| Multi-currency (WPML, WCFM) | Adds extra currency fields. Provider tolerates but may need per-currency pricing rules. |
| Subscription (WooCommerce Subscriptions) | Adds subscription order type. The provider maps these to the unified order list with metadata.type: "subscription". |
| Bookings (WooCommerce Bookings) | Adds bookable product type. Not natively mapped — surfaces as a regular product in the unified catalog. |
| Custom field plugins (ACF, Meta Box) | Custom meta fields appear under meta_data[]. Map specific fields via POST /sales-channel/mappings/attributes. |
| Multilingual (Polylang, WPML) | Each language is a separate post; the provider treats the default language as canonical and surfaces translations as variants. |
When a sync fails on a Woo store, plugins are the first place to look. The provider logs the WP user-agent and active plugin list on first connect — visible in GET /sales-channel/sync/history?channelId=woocommerce.
Tax and shipping
WooCommerce computes tax server-side based on the store's tax classes. Don't push line-level tax. Shipping is similar — WooCommerce assigns a shipping zone based on destination address and applies the configured method.
For accurate aggregated-order totals, the provider reads tax_lines and shipping_lines from the WooCommerce order response and copies them into the normalized totals.
Order webhooks
WooCommerce supports webhooks per-event. The provider registers these on enable:
order.created,order.updatedproduct.updated(for inventory drift detection)
Webhooks are signed with HMAC-SHA256 against the consumer secret. The receiver verifies the X-WC-Webhook-Signature header.
Self-hosted means self-managed
Things that change in a hosted SaaS but stay on the merchant in a Woo install:
- PHP version — older PHP (< 7.4) breaks newer endpoints.
- WooCommerce version — REST endpoints shift between major versions. The provider targets WooCommerce 6+; older stores may need an upgrade.
- TLS — some Woo stores still allow TLS 1.0/1.1. The provider requires TLS 1.2+.
- Endpoint URLs — some WP installs use
/index.php?rest_route=/wc/v3/...instead of pretty permalinks. The provider auto-detects on connect.
A WooCommerce production store is a website with traffic. A bad bulk push can crash the site if the host's PHP-FPM workers max out. Run the first big sync against a staging clone or schedule it for low-traffic hours.