Maintenance Service
Varun DubeyBuddyPress BuddyPress Tutorials Web Designing

REST API for BuddyPress: Building Mobile-Ready Community Features

BuddyPress ships with a full REST API that exposes members, groups, activity, messages, and notifications as JSON endpoints. This means you can build native mobile apps, single-page applications, or third-party integrations that interact with your BuddyPress community programmatically, without scraping HTML or building custom AJAX handlers.

This developer guide covers the BuddyPress REST API architecture, authentication methods, key endpoints, and practical examples for building mobile-ready community features.

BuddyPress REST API Overview

The BuddyPress REST API follows the same conventions as the WordPress REST API. All endpoints live under /wp-json/buddypress/v1/ and return JSON responses. The API supports standard HTTP methods: GET for reading, POST for creating, PUT/PATCH for updating, and DELETE for removing resources.

Available endpoint groups:

  • /buddypress/v1/members, User profiles, avatars, cover images
  • /buddypress/v1/activity, Activity stream entries
  • /buddypress/v1/groups, Groups, group members, group settings
  • /buddypress/v1/messages, Private message threads
  • /buddypress/v1/notifications, User notifications
  • /buddypress/v1/friends, Friend connections and requests
  • /buddypress/v1/xprofile, Extended profile fields and data

Authentication

Public endpoints (member listings, public activity) work without authentication. For user-specific actions (posting activity, sending messages, managing groups), you need authenticated requests.

Application Passwords (Recommended)

WordPress 5.6+ includes Application Passwords, per-app credentials that don’t expose the user’s main password:

  1. Go to Users > Profile > Application Passwords.
  2. Enter an app name (e.g., “Mobile App”) and click Add New Application Password.
  3. Copy the generated password.
  4. Use HTTP Basic Auth with the username and application password:
curl -u "username:xxxx xxxx xxxx xxxx" \
  https://yoursite.com/wp-json/buddypress/v1/activity

JWT Authentication

For mobile apps, JWT (JSON Web Tokens) provides a better flow. Install the JWT Authentication for WP REST API plugin:

# Get a token
curl -X POST https://yoursite.com/wp-json/jwt-auth/v1/token \
  -d '{"username":"user","password":"pass"}' \
  -H "Content-Type: application/json"

# Use the token
curl https://yoursite.com/wp-json/buddypress/v1/activity \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

JWT tokens are stateless, expire after a configurable period, and work well with React Native, Flutter, and other mobile frameworks.

Key Endpoints in Practice

Fetching the Activity Feed

GET /wp-json/buddypress/v1/activity?per_page=20&page=1&type=activity_update

Response:
[
  {
    "id": 1234,
    "user_id": 5,
    "component": "activity",
    "type": "activity_update",
    "content": { "rendered": "<p>Just completed the advanced course!</p>" },
    "date": "2026-02-25T10:30:00",
    "user_avatar": { "full": "https://..." },
    "comment_count": 3,
    "favorite_count": 7
  }
]

Filter by component (groups, friends), type (activity_update, new_member), or user (user_id=5).

Posting an Activity Update

POST /wp-json/buddypress/v1/activity
Content-Type: application/json
Authorization: Bearer YOUR_TOKEN

{
  "content": "Sharing my project progress with the community!",
  "component": "activity",
  "type": "activity_update"
}

Listing Groups

GET /wp-json/buddypress/v1/groups?per_page=10&orderby=last_activity&order=desc

Response:
[
  {
    "id": 42,
    "name": "WordPress Developers",
    "description": { "rendered": "A group for WP devs" },
    "status": "public",
    "total_member_count": 156,
    "avatar_urls": { ... }
  }
]

Sending a Private Message

POST /wp-json/buddypress/v1/messages
Content-Type: application/json
Authorization: Bearer YOUR_TOKEN

{
  "recipients": [12],
  "subject": "Question about the project",
  "message": "Hey, I had a question about the API integration..."
}

Managing Friend Connections

# Send friend request
POST /wp-json/buddypress/v1/friends
{ "friend_id": 15 }

# Accept friend request
PUT /wp-json/buddypress/v1/friends/15

# List friends
GET /wp-json/buddypress/v1/friends?user_id=5

Building a Mobile App: Architecture

A typical mobile app architecture with BuddyPress REST API:

  • Mobile frontend: React Native, Flutter, or Swift/Kotlin
  • API layer: BuddyPress REST API + WordPress REST API
  • Authentication: JWT tokens stored securely on device
  • Push notifications: Firebase Cloud Messaging triggered by BuddyPress hooks on the server
  • Media uploads: WordPress media REST API for avatar and image uploads

React Native Example: Activity Feed

import React, { useEffect, useState } from 'react';
import { FlatList, Text, View, Image } from 'react-native';

const ActivityFeed = ({ token, siteUrl }) => {
  const [activities, setActivities] = useState([]);

  useEffect(() => {
    fetch(`${siteUrl}/wp-json/buddypress/v1/activity?per_page=20`, {
      headers: { 'Authorization': `Bearer ${token}` }
    })
      .then(res => res.json())
      .then(data => setActivities(data));
  }, []);

  return (
    <FlatList
      data={activities}
      keyExtractor={item => item.id.toString()}
      renderItem={({ item }) => (
        <View style={{ padding: 16 }}>
          <Image source={{ uri: item.user_avatar?.full }} 
                 style={{ width: 40, height: 40, borderRadius: 20 }} />
          <Text>{item.content?.rendered?.replace(/<[^>]*>/g, '')}</Text>
        </View>
      )}
    />
  );
};

Push Notifications with BuddyPress

BuddyPress doesn’t include push notifications natively, but you can trigger them from the server when community events happen:

// In your custom plugin
add_action( 'bp_activity_posted_update', 'send_push_on_mention', 10, 3 );
function send_push_on_mention( $content, $user_id, $activity_id ) {
    // Extract @mentions from content
    $mentioned_users = bp_activity_find_mentions( $content );
    
    foreach ( $mentioned_users as $user_id => $username ) {
        // Send via Firebase Cloud Messaging
        send_fcm_notification( $user_id, 'You were mentioned in an activity update' );
    }
}

Performance Considerations

  • Pagination: Always use per_page and page parameters. Never fetch all records at once.
  • Field filtering: Use the _fields parameter to request only the fields you need: ?_fields=id,content,user_id,date
  • Caching: Cache API responses on the mobile client with a TTL of 30-60 seconds for activity feeds, longer for profiles.
  • Server-side caching: Use REST API caching plugins like WP REST Cache to reduce database queries.
  • Rate limiting: Implement rate limiting to prevent abuse of authenticated endpoints.

Frequently Asked Questions

Is the BuddyPress REST API stable?

Yes. The BP REST API has been part of BuddyPress core since version 5.0 and follows WordPress REST API versioning. Breaking changes are rare and announced in advance.

Can I extend the API with custom endpoints?

Yes. Register custom endpoints using register_rest_route() in the buddypress namespace, or create your own namespace for custom functionality.

Do I need BuddyPress on the mobile app?

No. BuddyPress runs on the WordPress server only. The mobile app communicates with it purely through the REST API, no PHP or WordPress code runs on the device.