I have generated a consumer key and consumer secret. The website has SSL installed. I have also installed plugins required for JSON and REST services. This is how the url looks like:

https://<url>/wp-json/wc/v1/products

When I am trying to get(GET) the product details using Basic Auth by using POSTMAN, a Chrome plugin, I get a JSON response like:

{
  "code": "woocommerce_rest_cannot_view",
  "message": "Sorry, you cannot list resources.",
  "data": {
    "status": 401
  }
}

I have both the READ and WRITE permissions corresponding to the Consumer key.

I met same problem.

Here is how I solve it:

require "woocommerce_api"

woocommerce = WooCommerce::API.new(
  "https://example.com",
  "consumer_key",
  "consumer_secret",
  {
    wp_json: true,
    version: "wc/v1",
    query_string_auth: true
  }
)

The key is query_string_auth: true you need to force basic authentication as query string true under HTTPS

The 401 error you are getting is because you are using basic auth even though your website is not secure (does not have https).

The solution in postman is to use OAuth 1.0. Just add the consumer key and consumer secret and send the request.

Trying to help others: I was struggling with the 401 response while trying to CURL, and also with VBA trying to request as content-type "application/json" However, I was able to pull a valid response by just entering this in my browser address bar: https://mywebsite.com/wp-json/wc/v2/products?consumer_key=ck_blahblah&consumer_secret=cs_blahblah

Following this line of thought, I went back to my VBA app and changed the content type to "application/text" and was able to pull a valid response text with response code 200. Hope this helps someone.

Try this, I had the same issue with the automattic/woocommerce library and I just got it working by appending the customer_key and customer_secret to the query.

$woocommerce->get("customers/$userId?consumer_key={$this->key}&consumer_secret={$this->secret}");

Quick Edit

The above method works but I found a better solution for the automattic/woocommerce library.

Set query_string_auth to true

Had to dig into the code to find this setting.

Found nothing on it in the docs

return new Client($this->url, $this->key, $this->secret, [
    "query_string_auth" => true
]);

This is how i stopped worrying and moved on.

In short, the woocommerce rest controllers pretty much all have a SOMEWPRESTCLASS::get_item_permissions_check() method which in turn calls wc_rest_check_post_permissions() to decide if it returns that error;

So you hook into that and validate whichever way you want:

add_filter( 'woocommerce_rest_check_permissions', 'my_woocommerce_rest_check_permissions', 90, 4 );

function my_woocommerce_rest_check_permissions( $permission, $context, $object_id, $post_type  ){
  return true;
}

I just ran into this. Apparently something was funny with how curl was handling the url, so I had to encapsulate it in double quotes.

This doesn't work: curl https://www.my-site.com/wp-json/wc/v3/orders?consumer_key=ck_40097dbc2844ce7712e1820bcadf0149c2bedegh&consumer_secret=cs_ab57e19263af0b9ab4c596c310f1e7904bb20123

This does work: curl "https://www.my-site.com/wp-json/wc/v3/orders?consumer_key=ck_40097dbc2844ce7712e1820bcadf0149c2bedegh&consumer_secret=cs_ab57e19263af0b9ab4c596c310f1e7904bb20123"

Here is a modified answer to Quickredfox's anwer:

add_filter('woocommerce_rest_check_permissions', 'my_woocommerce_rest_check_permissions', 90, 4);

function my_woocommerce_rest_check_permissions($permission, $context, $object_id, $post_type) {
    if($_GET['consumer_key'] == 'asdfghj' && $_GET['consumer_secret'] == 'qwerty') {
        return true;
    }

    return $permission;
}

The downside to this is that the flexibility of adding and revoking access for users using a gui is lost. However, if nothing else works and you just can't figure out why, this will work and does not expose the API to the whole world.

Oh, and this requires passing the key and secret as parameters a la:

https://foo.bar.com/wp-json/wc/v3/products/123&consumer_key=asdfghj&consumer_secret=qwerty

This will work without https, but if you use it without https, remember that any credentials you send along with your request will be sent in plain text.

For local development (localhost) you can also use Basic Auth (e.g. for Postman) instead of Consumer Key & Consumer Secret. It works seamlessly.