| 开发者 |
sebd86
cocartforwc ajayghaghretiya skunkbad sefid-par mattdabell joshuaiz dmchale JPPdesigns inspiredagency darkchris mohib007 rozaliastoilova ashtarcommunications albertoabruzzo jnz31 douglasjohnson antondrob2 szepeviktor |
|---|---|
| 更新时间 | 2026年7月13日 02:43 |
| PHP版本: | 8.2 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv3 |
| 版权网址: | 版权信息 |
curl -X POST https://your-store.com/wp-json/cocart/v2/cart/add-item \ -H "Content-Type: application/json" \ -d '{"id": "123", "quantity": 1}'
Want to explore before installing? Try a free sandbox →
See the full API reference →
💬 Loved by 1,000+ developers worldwide
Rated ★★★★★ 4.9/5 on WordPress.org.
★★★★★
"An excellent plugin, which makes building a headless WooCommerce experience a breeze. Easy to use, nearly zero setup time." — Harald Schneider ★★★★★ "This plugin works great out of the box for adding products to the cart via API. The code is solid and functionality is as expected, thanks Sebastien!" — Scott Bolinger, Creator of Holler Box ★★★★★ "Thanks for doing such great work with this! Works exactly as expected and CoCart seems to have a nice community around it. The founder seems really devoted and that’s one of the key things for a plugin like this to live on and get the right updates in the future. We just got ourselves the lifetime subscription." — Mighty Group Agency See our full wall of love for more developer testimonials.Why CoCart? WooCommerce’s Store API can be used headless, but it was designed for the Gutenberg block editor ecosystem. Its session model relies on nonces passed via response headers — suited for anonymous single-session shoppers, but the nonce is tied to WordPress's nonce lifecycle and less straightforward to persist across sessions or devices. CoCart is purpose-built for headless from day one: cart sessions identified by a persistent key — no nonces, no cookies — a single unified endpoint set for both product and cart data, and authentication for customers that supports any shop requirement. Features 🚀 Session management that works
More are also in development and look forward to your feedback.Developer tools:
Developers building headless or decoupled WooCommerce storefronts. If you can make HTTP requests and read JSON, you’re ready. No WordPress development experience required — CoCart abstracts the complexity and gives you clean, predictable API responses. Perfect for:
Install WooCommerce and configure your store, then install and activate CoCart. You’re immediately ready to call the API — no additional setup required. Check the installation section for requirements, then follow the API reference to start building.
Nothing. The free community stays fully functional. It covers sessions, authentication, CORS, cart operations, and product queries — everything you need to build a working headless cart. CoCart Plus adds advanced features like coupons, shipping, fees, and rate limiting for when you need them.
No. CoCart runs entirely on your WordPress server. No customer data, cart contents, or store information is ever sent to CoCart’s servers. The plugin collects no analytics without your consent. Full privacy policy →
Plugins that modify backend functionality — payment gateways, shipping, tax, inventory — continue to work. Plugins that only modify the PHP frontend (themes, shortcodes, widgets) won’t apply to the REST API layer, which is expected in a headless setup.
WooCommerce’s Store API can be used headless, but it was designed for the Gutenberg block editor ecosystem. Its session model relies on nonces passed via response headers — suited for anonymous single-session shoppers, but tied to WordPress’s nonce lifecycle and less straightforward to persist across sessions or devices. CoCart is purpose-built for headless: cart sessions identified by a persistent key and authentication that supports any shop requirement.
Headless storefronts are stateless by nature — there’s no browser session to rely on, and concurrent requests are common. CoCart’s session handler is cookie-less, database-stored, and safe for concurrent requests, with full support for both guest and authenticated customers from day one.
Yes — that’s the primary use case CoCart is built for. Enable CORS via the free CORS add-on or manually via the filter documented here.
Yes. CoCart doesn’t block or replace any other API. Once authenticated, your frontend can access CoCart endpoints, WooCommerce endpoints, and any custom endpoints you’ve built — all at the same time.
CoCart does not implement SSO itself — it authenticates customers against WordPress user accounts using Basic Auth or JWT (via add-on). It does not natively speak SAML, OAuth 2.0, or OIDC. That said, CoCart can work alongside SSO in a headless setup. The typical pattern is:
Yes. Install and activate CoCart on each site where you want to use it.
Yes — there are 180+ filters available to customize responses, add fields, or remove data you don’t need.
No — it restricts tax calculation to WooCommerce Blocks and Jetpack only. We don’t recommend it for headless setups. TaxJar for WooCommerce (v3.2.5+) is supported.
Yes. CoCart automatically excludes its API endpoints from page caching, so caching plugins won't interfere with cart sessions or API responses. LiteSpeed Cache is explicitly supported out of the box. Though, some hosts may require manual configuration to exclude CoCart API endpoints.
Each cart is assigned a unique cart key, which your frontend passes as a request header or query parameter on subsequent API calls. This makes sessions fully stateless and safe for concurrent requests — no cookies, no session conflicts. See the session documentation for implementation details.
CoCart runs entirely on your WordPress server — there's no external service, no cloud dependency, and no data leaving your environment. You own your stack.
On the CoCart GitHub repository or in the #bug-report channel of the Discord community. Search first to avoid duplicates.
Check the full FAQ on cocartapi.com or browse the documentation.
[!IMPORTANT] PHP version 8.2 is the minimum requirement to install and use CoCart. PHP 7.4, 8.0, and 8.1 are all past end-of-life/security support so to help manage development resources to maintain CoCart, it will no longer be tested on these versions. Running CoCart on PHP 8.2 not only ensures you are secure but it also improves the performance of the CoCart API. Thank you for your understanding.
If-None-Match header for immediate use.CoCart-Cache response header indicating cache status: HIT, MISS, or SKIP._skip_cache query parameter to bypass caching for individual requests.stale-while-revalidate directive to cacheable routes (products) for improved performance.X-HTTP-Method-Override header if it exists during authentication.Settings show a locked state when controlled by an external filter with a link providing information as to what and where.Bug Fixes
ship_to_different_address is not set, matching WooCommerce checkout behaviour. Shipping packages now also return correctly after a complete address is saved.rest_url_prefix filter is used causing several cloned guest sessions with cart items.WP_Error check after product validation.Last-Modified header in GMT per HTTP spec with more robust date parsing.cocart_deprecated_filter() returning null when the debug log was active, causing callers to receive no value from the deprecation wrapper.cart_item_data and cart_item_key in v1 add item controller.total in session handler cart hash generation.count when database queries return no results in cart counting functions.$per_page in admin plugin search.${var} string interpolation syntax in plugin update screen.cocart_cart_expiring and cocart_cart_expiration filters as needed.Dev note: You will still be warned "Keeping sessions for longer than X days can cause performance issues and larger session tables."Improvements
cocart_upload_file() and cocart_upload_image_from_url() now use a try/finally block to guarantee the upload_dir filter is always removed, even when an exception is thrown during upload.cocart_upload_image_from_url() now uses wp_parse_url() to extract the filename from the image URL, correctly stripping query strings instead of splitting on ?.get_session() using wp_cache_set() instead of wp_cache_add(), which caused stale persistent object cache entries to never be overwritten.get_session() and update_cart() using an uninitialized expiration value on frontend requests, preventing sessions from being cached after a database read.save_data() writing to object cache with a potentially negative TTL when session expiration was stale or unset.update_cart() not syncing the object cache after a database write, causing subsequent reads to return stale cached data.get_cache_expiration() helper to reliably resolve cache expiration across both REST API and frontend contexts.cocart_does_product_allow_price_change filter now defaults to false. Price overrides via the price parameter on cocart/v2/cart/add-item are disabled by default. To restore the previous behaviour, add add_filter( 'cocart_does_product_allow_price_change', '__return_true' ); — or return true conditionally for specific products only.cocart_etag_cart_routes to customize which cart routes support ETag.cocart_etag_product_routes to customize which product routes support ETag.cocart_etag_routes to add ETag support for third-party plugin routes.cocart_cache_max_age to customize cache duration (default: 1 hour).cocart_stale_while_revalidate to customize stale-while-revalidate duration (default: 24 hours).cocart_secure_registered_users deprecated for security — unauthenticated access to registered user carts is now always blocked.sprint_f() typo in database update scheduler (sprintf).Access-Control-Allow-Credentials header correctly.cocart_load_cart_override was used.get_ip_address for better trusted proxy support and better IP address detection with additional headers.is_user_customer function to support additional user roles beyond just customers.cocart_login_permission_callback allows additional authentication checks after basic authorization for the login endpoint.cocart_login_secure_auth_methods determines which authentication methods should skip additional auth checks.cocart_login_query_parameters allows plugins to add additional parameters to the login endpoint.cocart_trusted_proxies allows adding trusted proxy IPs/CIDR for secure IP detection.cocart_ip_headers allows customization of headers used for IP address detection.cocart_login_permission_granted that triggers when login permission is granted for the login endpoint.WP_Error consistently from permission checks.username and password.update_session_timestamp() database query.persistent_cart_update compatibility for WooCommerce v10; only active for versions lower than v10.1.session_exists() and delete_session() to use CoCart's session table.$_REQUEST to $_GET and removed the priority for load_cart_action.initialize_cart_session() and stopped destroying cookies when loading carts.cocart_load_cart_override is no longer used.WooCommerce v10 caused a cache issue due to a change in the many times session data is handled.Improvements
rest_pre_serve_request instead of CoCart_Response which is not used for Products API.Developer note: Cart cache allows for items with custom pricing to be calculated on the native site and not just via the REST API to keep consistent with calculations.Requirements
undefined array key errors with cart session when cart is empty. Solves Issue #533Note: The session expiration's can still be filtered back to the previous values but that would mean it would match the expiration for logged in users.Third Party Support
cocart_cart_expiring added parameter is_user_logged_in() to allow the expiration for logged in users to be filtered.cocart_cart_expiration added parameter is_user_logged_in() to allow the expiration for logged in users to be filtered.cocart_log_entry_name no longer used.cocart_log_entry_version no longer used.cocart_log_entry_source no longer used.cocart_setup_wizard_store_save_next_step_override no longer used.Dev note: Meaning if you have requested that the customer provides the shipping address first before shipping is calculated, then no shipping methods will return until it's provided.Compatibility
BIGINT UNSIGNED to bigint(20) unsigned.t_ before the cart key provided. This matches with WooCommerce session handler where it maybe used by 3rd party plugins or web host configurations to identify if the session is for a guest user.Dev note: This affects only new guest sessions.Compatibility
cocart_get_customer_{field} after value instead of using it only when there is no value returned for a customers field. Replace {field} with the section prefix followed by the field name. e.g. billing_countryDeveloper note: This allows you to then alter values such as the billing country. See example.` add_filter( 'cocart_get_customer_billing_country', function( $value ) { if ( WC()->countries->country_exists( $value ) ) { return WC()->countries->get_countries()[ $value ]; } return $value; }, 10, 1);
* Introduced new filtercocart_get_after_customer_{field-type}_fieldsthat allows you to change the customer fields after they returned. Replace{field-type}with eitherbillingorshipping` for the fields to alter.
v4.3.21 - 20th February, 2025
Improvement
no-store as part of the Cache-Control header for guest users.WP_DEBUG is made sure it is defined before returning extras for developers in the store response.