Fix “Sorry, you cannot list resources” (403 woocommerce_rest_cannot_view) in the WooCommerce REST API

You hit the WooCommerce REST API for /wp-json/wc/v3/products/categories and get this back:

{
  "code": "woocommerce_rest_cannot_view",
  "message": "Sorry, you cannot list resources.",
  "data": { "status": 403 }
}

This is WooCommerce’s way of saying “I do not trust this request enough to show you product data.”

Most of the time the store is fine. The problem is permissions or authentication on the REST API request – wrong keys, wrong user, missing caps, or a server that is stripping your Authorization header.

Let’s walk through the quickest checks first so you can get a clean JSON response out of /wc/v3/products/categories again.

I am calling WooCommerce REST API GET /wp-json/wc/v3/products/categories and getting “Sorry, you cannot list resources” with code "woocommerce_rest_cannot_view" and status 403. How do I fix this and list product categories correctly?

If you are wondering what is broken: WooCommerce is blocking your REST API request at the permissions check. It does not think this request is allowed to view product categories, so it refuses to list them.

Why this error shows up

Every WooCommerce REST endpoint has a permission check. When you call /wc/v3/products/categories, WooCommerce:

  • Authenticates the request (API keys, OAuth, Application Password, cookies, etc).
  • Looks at the linked WordPress user and their capabilities.
  • Decides whether that user can view those resources.

If that check fails, you get:

woocommerce_rest_cannot_view with message Sorry, you cannot list resources.

In real sites this usually comes from one of these:

  • Missing or wrong authentication (no keys, wrong keys, wrong auth method).
  • The API key is tied to a user role without the right WooCommerce caps.
  • Your server strips the Authorization header so Basic Auth never reaches WordPress.
  • Local or HTTP-only setups where WooCommerce refuses Basic Auth unless HTTPS is correctly detected.
  • Bad permalinks or REST routing issues on older or misconfigured installs.

Step 1: Check if the endpoint works at all

Before debugging auth, make sure the REST endpoint itself is alive.

Do this:

  1. Log in to your WordPress admin as an administrator in a normal browser tab.
  2. In the same browser, open: https://your-site.com/wp-json/wc/v3/products/categories

Possible results:

  • You see a JSON array of categories - good. The endpoint and WooCommerce are fine. Your external client auth is wrong.
  • You see the same “Sorry, you cannot list resources” as an admin - your user role or caps are broken.
  • You see a 404 or HTML page - fix REST routing and permalinks first.

Step 2: Fix your API keys and authentication

If the endpoint worked in the browser while logged in but fails from Postman, a mobile app, or another service, it is almost always an auth issue.

2.1 Generate proper API keys

  1. In WordPress, go to WooCommerce → Settings → Advanced → REST API.
  2. Click Add key.
  3. Choose a user with the Administrator or Shop manager role.
  4. Set Permissions to Read (or Read / Write if you also create or update data).
  5. Click Generate API key and save the Consumer key and Consumer secret.

2.2 Call the API correctly

Over HTTPS, the simplest method is HTTP Basic Auth with the consumer key and secret.

From a terminal:

curl -u ck_your_key:cs_your_secret \
  "https://your-site.com/wp-json/wc/v3/products/categories"

From Postman or your app:

  • Set Authorization type to Basic Auth.
  • Username = ck_... (your consumer key).
  • Password = cs_... (your consumer secret).

If you now get a 200 and JSON data, the problem was simply missing or misused auth.

2.3 Fallback: query string auth (if headers are stripped)

Some servers or proxies strip the Authorization header. In that case, WooCommerce never sees your Basic Auth at all.

As a test, try:

curl "https://your-site.com/wp-json/wc/v3/products/categories?consumer_key=ck_your_key&consumer_secret=cs_your_secret"

If this works but Basic Auth does not, your server is dropping the header. You can either:

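  • Keep using the query string method for this integration (the key and secret then travel in the URL, so they can end up in web server and proxy access logs), or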
  • Ask your host to pass through the Authorization header (often a web server config tweak).

Step 3: Fix user role and capabilities

If you get “Sorry, you cannot list resources” even when logged in as the same user in the browser, the user linked to your keys does not have the right capabilities.

3.1 Confirm who owns the API keys

  1. Go to WooCommerce → Settings → Advanced → REST API.
  2. Find the key you are using and check the User column.
  3. Click that user and confirm their role (Administrator or Shop manager are safest).

3.2 Undo overly strict role edits

If you use a role editor plugin, it can easily remove WooCommerce caps that the REST API expects.

  1. Temporarily deactivate any role or capability editor plugin.
  2. Test the endpoint again as an admin in the browser.

If it now returns data, your custom role tweaks were blocking access. Re-enable the role editor and make sure the key owner has at least:

  • read
  • manage_woocommerce
  • view_woocommerce_reports (not always required, but common in access checks)

After fixing caps, retest the same /wc/v3/products/categories call.

Step 4: Check HTTPS, Authorization header and local setups

On local or unusual hosting, WooCommerce sometimes cannot see that the request is secure or authenticated, even when you send credentials.

4.1 Make sure you are using the right scheme

  • Use HTTPS in your API URL if your site has SSL: https://your-site.com/wp-json/wc/v3/products/categories
  • In Settings → General, confirm both WordPress Address and Site Address use https://.

If you are on localhost without SSL and keep seeing auth issues, you may need to configure your local server so WooCommerce treats requests as secure and allows Basic Auth, or use an HTTPS tunnel (like ngrok) for testing.

4.2 Confirm that the Authorization header arrives

If you control the server, you can quickly check whether the Authorization header reaches PHP.

  1. Create a temporary PHP file in your web root, for example headers-test.php.
  2. Inside it, add:
    <?php
    header( 'Content-Type: text/plain' );
    print_r( apache_request_headers() );
  3. Call that file with Basic Auth from your client.

If you do not see an Authorization header there, your web server is stripping it. Talk to your host about enabling Authorization pass-through or use the query string method for your WooCommerce API keys. Delete headers-test.php once you have finished testing.

Step 5: Verify permalinks and REST routing

WooCommerce REST API requires pretty permalinks. If routing is broken, your auth tests may give you confusing results.

Do this:

  1. Go to Settings → Permalinks.
  2. Choose anything except Plain. A common choice is Post name.
  3. Click Save changes even if nothing changed.
  4. Visit: https://your-site.com/wp-json/ and confirm you see a JSON index, not a 404.
  5. Try your WooCommerce endpoint again.

If /wp-json/ itself fails, fix that first with your host. The WooCommerce API builds on top of the core REST API.
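
The checks from Steps 1 to 5 can be run in one pass. The script below is an added example, not part of WooCommerce or of the original page: it requests the core REST index, then the categories endpoint with Basic Auth and with query string auth, and maps the three status codes onto the causes listed above. The environment variable names WC_CK and WC_CS and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added triage helper (not WooCommerce code). WC_CK and WC_CS are
# hypothetical environment variable names for the consumer key and secret.

# classify INDEX BASIC QUERY: map three HTTP status codes to a likely cause.
classify() {
  index=$1; basic=$2; query=$3
  if [ "$index" != "200" ]; then
    echo "routing"           # Step 5: /wp-json/ itself is not answering
  elif [ "$basic" = "200" ]; then
    echo "ok"                # Basic Auth works, nothing to fix
  elif [ "$query" = "200" ]; then
    echo "header_stripped"   # Steps 2.3 and 4.2: Authorization header lost
  elif [ "$basic" = "404" ]; then
    echo "routing"           # core REST index works, WooCommerce route missing
  else
    echo "keys_or_caps"      # Steps 2.1 and 3: wrong keys or missing caps
  fi
}

# http_status URL [curl options...]: print only the response status code.
http_status() {
  url=$1; shift
  curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
}

# run_checks BASE_URL: send the three requests, then classify the result.
run_checks() {
  base=${1%/}
  ep="$base/wp-json/wc/v3/products/categories"
  i=$(http_status "$base/wp-json/")
  b=$(http_status "$ep" -u "$WC_CK:$WC_CS")
  q=$(http_status "$ep" -G --data-urlencode "consumer_key=$WC_CK" \
        --data-urlencode "consumer_secret=$WC_CS")
  echo "index=$i basic=$b query=$q -> $(classify "$i" "$b" "$q")"
}

# Only touch the network when a base URL is given on the command line.
if [ "$#" -ge 1 ]; then
  run_checks "$1"
fi
```

Export WC_CK and WC_CS in the shell first, then pass the site's base URL as the only argument.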

If you are still getting “Sorry, you cannot list resources”

At this point you should have:

  • Confirmed the endpoint works when logged in as an admin (or not).
  • Generated fresh API keys for an admin or shop manager user.
  • Tested both Basic Auth and query string auth.
  • Verified permalinks and that /wp-json/ works.

If you still see the same 403 error, I will need a bit more context to help you pinpoint the blocker.

Scroll down, click Continue Chat, and send me:

  1. The exact URL you are calling (mask the domain if you prefer).
  2. How you authenticate:
    • Consumer key and secret with Basic Auth, or
    • Consumer key and secret in the query string, or
    • WordPress username and Application Password.
  3. The role of the user linked to your API keys.
  4. Whether this is production, staging, or local development.

Verification

You will know it is fixed when:

  • GET /wp-json/wc/v3/products/categories returns a 200 with JSON category data.
  • Your integration (mobile app, script, or third party service) can call the same endpoint and receive data.
  • The WooCommerce REST API is reachable at other endpoints like /wc/v3/products?per_page=1 using the same credentials.
  • Your error responses no longer show woocommerce_rest_cannot_view or “Sorry, you cannot list resources.”


Need human WordPress help?

WP Assistant is a free tool created by Atiba Software, a WordPress design and development company located in Nashville, TN. If you need more personalized WordPress assistance let us know, and we’ll get back to you ASAP!