WordPress rest_validate_value_from_schema Example: Validate REST Input Safely

Last reviewed: May 16, 2026

Custom REST endpoints become safer when request validation is treated as a first-class contract rather than scattered ad hoc checks. rest_validate_value_from_schema() is the low-level helper WordPress uses to validate values against a schema definition, and it is especially useful when a plugin wants one consistent validation rule across several parameters or nested payload fields.

This guide shows where rest_validate_value_from_schema() fits, what it returns, and why schema-first validation produces cleaner REST handlers than hand-rolled conditional chains.

Validate the value before business logic begins

<?php
$schema = array(
	'type'    => 'string',
	'enum'    => array( 'draft', 'scheduled', 'published' ),
	'default' => 'draft',
);

$result = rest_validate_value_from_schema( $status, $schema, 'status' );

if ( is_wp_error( $result ) ) {
	return $result;
}

This keeps the handler honest. Invalid values are rejected at the contract boundary instead of leaking deeper into business logic and generating inconsistent failures later.

Use it alongside sanitization, not instead of it

Validation and sanitization solve different problems. A schema can say what shape is allowed. Separate sanitization still matters when raw input needs normalization before that shape is checked or before the validated value is stored.

Prefer one shared schema over repeated conditional branches

If the same field appears in multiple callbacks, reusing a schema definition avoids drift. Production APIs age better when allowed values, formats, and required fields live in one clear contract instead of several hand-maintained if statements.

Common mistakes

• Starting business logic before validation finishes. Reject bad input at the edge.
• Assuming validation also sanitizes every field. Keep normalization separate where needed.
• Duplicating the same allowed values across multiple callbacks. Reuse a shared schema definition.
• Ignoring the returned WP_Error. REST validation failures should remain explicit.

Production checklist

• Define schema contracts for custom REST fields and parameters.
• Run validation before business logic or database writes.
• Reuse shared schema arrays when several callbacks accept the same field.
• Keep sanitization and validation responsibilities distinct.
• Return validation errors cleanly to the API caller.

Related reading

Pair this with the register_rest_route guide for endpoint structure and with the rest_ensure_response article so validation and output normalization stay separate inside the same endpoint lifecycle.

References and further reading

• WordPress Code Reference: rest_validate_value_from_schema()
• WordPress REST API Handbook: JSON Schema
• WordPress Code Reference: register_rest_route()