Skip to main content
RapidDev - Software Development Agency
flutterflow-integrationsFlutterFlow API Call

WooCommerce

Connect FlutterFlow to WooCommerce using the WooCommerce REST API v3 and a FlutterFlow API Group with Basic Auth. Configure read-only product and order GET calls client-side, then route all write operations (create order, update stock) through a Firebase Cloud Function so your consumer key and secret never ship inside the compiled app.

What you'll learn

  • How to generate WooCommerce REST API consumer keys with the correct permissions
  • How to create a FlutterFlow API Group with Basic Auth for the WooCommerce REST API
  • How to add product and order GET calls and map JSON responses to a ListView
  • How to implement pagination using the page and per_page query parameters
  • How to protect write operations (POST/PUT) by proxying them through a Firebase Cloud Function
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Intermediate14 min read45 minutesE-commerceLast updated July 2026RapidDev Engineering Team
TL;DR

Connect FlutterFlow to WooCommerce using the WooCommerce REST API v3 and a FlutterFlow API Group with Basic Auth. Configure read-only product and order GET calls client-side, then route all write operations (create order, update stock) through a Firebase Cloud Function so your consumer key and secret never ship inside the compiled app.

Quick facts about this guide
FactValue
ToolWooCommerce
CategoryE-commerce
MethodFlutterFlow API Call
DifficultyIntermediate
Time required45 minutes
Last updatedJuly 2026

Build a WooCommerce Companion App in FlutterFlow

WooCommerce powers over 30% of all online stores worldwide, and many founders want a companion mobile app that shows live order alerts, lets staff browse the catalog, or gives customers a native shopping experience. The WooCommerce REST API v3 is pure JSON — no XML parsing, no custom SDK — which makes it one of the most accessible e-commerce APIs to wire up in FlutterFlow's visual API Calls panel.

The integration uses HTTP Basic Auth: you generate a consumer key and consumer secret in your WordPress admin, Base64-encode the pair as key:secret, and send it as the Authorization header with every request. FlutterFlow makes this easy with its header variable system. The critical detail is the security boundary: consumer keys can carry Read/Write permissions, so if one leaks from an exported Dart bundle, an attacker can place or cancel orders on your store. Read-only GETs (product listings, order history, stock levels) are safe to run from the Flutter client over HTTPS; writes must go through a server-side proxy.

WooCommerce itself is free — the cost is your WordPress hosting. The REST API has no enforced rate limit in WooCommerce core, but your hosting server and database will constrain throughput. Keep per_page at 50 or below on shared hosting, and avoid polling loops that hammer the endpoint. With those guardrails in place, you can build a real-time order management companion app in an afternoon.

Integration method

FlutterFlow API Call

WooCommerce exposes a JSON REST API at /wp-json/wc/v3/ that FlutterFlow calls directly from an API Group using Basic Auth (consumer key + secret encoded as Base64). Read-only catalog and order lookups can run from the Flutter client over HTTPS, while any write operation — creating orders or updating inventory — must be routed through a Firebase Cloud Function to keep the consumer secret off the device.

Prerequisites

  • A WordPress site with the WooCommerce plugin installed and a published product catalog
  • HTTPS enabled on your WordPress store (required for Basic Auth in production)
  • A FlutterFlow project (any plan works for API Calls)
  • A Firebase project if you plan to proxy write operations through a Cloud Function
  • Basic familiarity with FlutterFlow's widget tree and Action Flow Editor

Step-by-step guide

1

Generate WooCommerce REST API consumer keys

Log in to your WordPress admin panel and navigate to WooCommerce in the left sidebar, then click Settings at the bottom of the WooCommerce menu. From the Settings page, click the Advanced tab at the top, then click the REST API link in the sub-navigation bar (it may also appear directly under WooCommerce → Advanced → REST API depending on your WooCommerce version). Click the Add Key button to create a new key pair. Give the key a descriptive name like 'FlutterFlow App', select the WordPress user the key belongs to (usually an Administrator), and choose the Permission level: select Read for a catalog-display app, or Read/Write only if you plan to use the Cloud Function proxy for writes. Click the Generate API Key button. WooCommerce will display your Consumer Key (starting with ck_) and Consumer Secret (starting with cs_) only once — copy both values immediately and save them somewhere secure, like a password manager. You will not be able to view the secret again. Also note your store's base URL, which follows the pattern https://yourstore.com/wp-json/wc/v3.

Pro tip: Generate separate keys for Read and Read/Write permissions and use the Read key for client-side calls. Keep the Read/Write key exclusively in your Firebase Cloud Function environment variables.

Expected result: You have a WooCommerce consumer key (ck_...) and consumer secret (cs_...) saved securely, and you know your store's /wp-json/wc/v3 base URL.

2

Create a WooCommerce API Group in FlutterFlow

Open your FlutterFlow project and click API Calls in the left navigation panel. Click the + Add button at the top of the API Calls panel and select Create API Group from the dropdown. Name the group WooCommerce. In the Base URL field, enter your store's endpoint: https://yourstore.com/wp-json/wc/v3 (replace yourstore.com with your actual domain, and make sure it uses https — HTTP stores block Basic Auth in production). Now you need to add the Authorization header. Click the Headers tab within the API Group editor and click + Add Header. Set the Key to Authorization. For the Value, you need to supply a Base64-encoded string of your consumer key and secret in the format key:secret. The easiest way to generate this is to open your browser's developer console and type btoa('ck_yourkey:cs_yoursecret') — copy the resulting Base64 string. However, do not paste this static string directly into FlutterFlow as a hardcoded literal; instead, click the variable icon next to the header value field and create an App State variable called wcAuthToken. Store the Base64 string in that App State variable and reference it here as FFAppState().wcAuthToken. This keeps the token out of the exported Dart source as a plaintext constant. Click Save to save the API Group.

api_group_config.json
1// API Group configuration (reference)
2{
3 "group_name": "WooCommerce",
4 "base_url": "https://yourstore.com/wp-json/wc/v3",
5 "headers": [
6 {
7 "key": "Authorization",
8 "value": "Basic [Base64(consumer_key:consumer_secret)]"
9 },
10 {
11 "key": "Content-Type",
12 "value": "application/json"
13 }
14 ]
15}

Pro tip: HTTPS is mandatory. If your WordPress site still serves on HTTP, enable SSL first (most hosts offer a free Let's Encrypt certificate). WooCommerce blocks Basic Auth over plain HTTP by design.

Expected result: The WooCommerce API Group appears in your FlutterFlow API Calls panel with the base URL and Authorization header configured.

3

Add product and order GET calls and map JSON to widgets

With the WooCommerce API Group selected in the API Calls panel, click + Add API Call to create your first endpoint. Name it GetProducts and set the Method to GET. In the URL Path field, enter /products. Click the Variables tab and add two variables: page (integer, default 1) and per_page (integer, default 20). In the URL Path, update it to /products?page={{page}}&per_page={{per_page}} — FlutterFlow will substitute these at runtime. Click the Response & Test tab. In the Test section, click Add Request Info if needed, then click the Test button. FlutterFlow will fire the GET request against your store and display the raw JSON response. Click Generate JSON Paths from the response body to auto-generate response fields. Look for paths like $[*].id, $[*].name, $[*].price, $[*].images[0].src, and $[*].stock_quantity. Give each path a friendly name (productId, productName, productPrice, productImage, stockQuantity). Repeat this process to create a second API Call named GetOrders using /orders?page={{page}}&per_page={{per_page}}&status={{status}}, adding a status variable with a default of any. In your FlutterFlow canvas, add a ListView widget to a page. In the widget's Backend Query settings, select API Call, choose your WooCommerce API Group, and pick GetProducts. Map productName to a Text widget, productImage to an Image widget, and productPrice to another Text widget. FlutterFlow will generate a row for each product automatically.

json_paths.txt
1// Example JSON paths for WooCommerce GET /products response
2// Use these in the Response & Test tab → JSON Path fields
3
4// Product list paths
5$[*].id productId
6$[*].name productName
7$[*].price productPrice
8$[*].images[0].src productImage
9$[*].stock_quantity stockQuantity
10$[*].status productStatus
11$[*].categories[0].name categoryName
12
13// Order list paths
14$[*].id orderId
15$[*].status orderStatus
16$[*].total orderTotal
17$[*].billing.first_name customerFirstName
18$[*].billing.last_name customerLastName
19$[*].date_created orderDate

Pro tip: Keep per_page at 20 for initial loads on shared hosting — large page sizes can cause server timeouts. Add a Load More button that increments the page variable to fetch the next batch.

Expected result: Your FlutterFlow page shows a populated ListView of WooCommerce products or orders, with names, prices, and images rendered correctly from the API response.

4

Proxy write operations through a Firebase Cloud Function

Order creation and stock updates require Write permission and must never run from the Flutter client directly, because the consumer secret would be embedded in the compiled app. The correct pattern is to deploy a Firebase Cloud Function that holds the Write-permission consumer key and secret in environment variables, receives a plain authenticated request from FlutterFlow (authenticated with Firebase Auth), signs the WooCommerce Basic Auth header server-side, and forwards the call to your WooCommerce store. In the Firebase Console, navigate to your project and open Cloud Functions. Create a new function named woocommerceProxy. The function reads the consumer key and secret from environment config (set these with Firebase CLI environment variables before deploying — do not hardcode them in the function source). It receives a JSON body from FlutterFlow specifying the endpoint and payload, constructs the Basic Auth header, and forwards the request to your WooCommerce store using node-fetch or axios. In FlutterFlow, create a new API Call inside a separate API Group named WooProxy, pointing at your Cloud Function's HTTPS trigger URL. Add a Firebase Auth JWT header so only authenticated app users can call the proxy. In your Action Flow Editor, trigger this proxy call when the user taps 'Place Order' or 'Update Stock', passing the order details as JSON in the request body.

index.js
1// Firebase Cloud Function: woocommerceProxy/index.js
2const functions = require('firebase-functions');
3const fetch = require('node-fetch');
4
5exports.woocommerceProxy = functions.https.onCall(async (data, context) => {
6 // Reject unauthenticated calls
7 if (!context.auth) {
8 throw new functions.https.HttpsError('unauthenticated', 'Login required');
9 }
10
11 const consumerKey = process.env.WC_CONSUMER_KEY;
12 const consumerSecret = process.env.WC_CONSUMER_SECRET;
13 const storeBase = process.env.WC_STORE_URL; // e.g. https://yourstore.com/wp-json/wc/v3
14
15 const token = Buffer.from(`${consumerKey}:${consumerSecret}`).toString('base64');
16
17 const { endpoint, method, body } = data; // e.g. /orders, POST, {...}
18
19 const response = await fetch(`${storeBase}${endpoint}`, {
20 method: method || 'GET',
21 headers: {
22 'Authorization': `Basic ${token}`,
23 'Content-Type': 'application/json',
24 },
25 body: body ? JSON.stringify(body) : undefined,
26 });
27
28 const result = await response.json();
29 return result;
30});

Pro tip: Set WC_CONSUMER_KEY, WC_CONSUMER_SECRET, and WC_STORE_URL using Firebase environment config before deploying. Never paste these values into the function source code.

Expected result: The Firebase Cloud Function deploys successfully. Calling it from FlutterFlow with an order payload returns the new WooCommerce order object, and no consumer secret is visible in the Flutter app bundle.

5

Add pagination and test on a real device

WooCommerce's REST API paginates using page (1-based) and per_page (max 100, keep ≤50 on shared hosting) query parameters. To implement infinite scroll or a Load More button in FlutterFlow, create an App State variable called currentPage (integer, initial value 1). When the user taps the Load More button, add an Action in the Action Flow Editor: first Update App State to increment currentPage by 1, then fire the GetProducts API Call passing FFAppState().currentPage as the page variable. Append the returned products to a local state list. To reset pagination when a filter changes (e.g., category), add an action that resets currentPage to 1 and clears the product list before firing the first page call. For testing: API Calls that only use FlutterFlow's built-in API Call system (no Custom Actions or Custom Code) run correctly in FlutterFlow's web Run Mode — you can test product listings directly in the browser preview. However, if you add a Custom Action later (for example, to handle file uploads), you will need to test on a physical device or simulator. Always confirm your store's HTTPS certificate is valid before testing; an expired or self-signed certificate will cause connection errors on both web and native builds.

Pro tip: The WooCommerce REST API returns a X-WP-Total header with the total item count and X-WP-TotalPages with the page count. FlutterFlow's API Call headers parser can capture these, letting you hide the Load More button when the user reaches the last page.

Expected result: The app correctly loads additional pages of products or orders when the user scrolls to the bottom or taps Load More, and the page counter increments without resetting the existing list items.

Common use cases

Order management dashboard for store staff

Build a FlutterFlow app that shows new WooCommerce orders in real time, lets staff update order status, and sends push notifications when a high-value order arrives. The app polls GET /orders with a status filter every 30 seconds and routes the status update through a Firebase Cloud Function.

FlutterFlow Prompt

Show me a list of recent WooCommerce orders sorted by newest first, with order status, customer name, and total. Let me tap an order to see its items and update the status.

Copy this prompt to try it in FlutterFlow

Mobile product catalog browser

Create a Flutter app that lets customers browse your WooCommerce catalog, filter by category, and view product details including images and price. Product data is fetched client-side from GET /products with category and search variables. The app uses infinite scroll powered by the per_page and page pagination parameters.

FlutterFlow Prompt

Show a scrollable grid of products from my WooCommerce store with product image, name, and price. Add a category filter at the top and load more products as the user scrolls down.

Copy this prompt to try it in FlutterFlow

Inventory alert app for warehouse staff

Build a FlutterFlow app that flags products whose WooCommerce stock quantity falls below a threshold, displays the SKU and current stock level, and lets a manager trigger a stock update via a Firebase Cloud Function proxy. The app reads stock from GET /products with stock_status and low_stock_amount filters.

FlutterFlow Prompt

Show all WooCommerce products with stock below 10 units, displaying the product name, SKU, and current stock count. Add a button to reorder that sends a notification to the supplier.

Copy this prompt to try it in FlutterFlow

Troubleshooting

401 Unauthorized on every API call even though the consumer key looks correct

Cause: The Base64 encoding is wrong, the key:secret separator colon is missing, or the store is serving over HTTP (which WooCommerce blocks for Basic Auth).

Solution: Regenerate the Base64 string in your browser console using btoa('ck_yourkey:cs_yoursecret') — note the colon between key and secret is required. Confirm your store URL starts with https://. If your store is still HTTP-only, enable SSL before proceeding.

XMLHttpRequest error when testing API calls in FlutterFlow's web Run Mode

Cause: Your WordPress server does not send CORS headers, so the browser blocks the request from the FlutterFlow preview origin. Native iOS/Android builds are not affected because they do not enforce CORS.

Solution: Install the WP CORS plugin or add CORS headers to your WordPress .htaccess or Nginx config to allow the FlutterFlow preview domain. Alternatively, test the API calls directly on a mobile device or emulator where CORS does not apply.

typescript
1# Add to WordPress .htaccess (Apache) above # BEGIN WordPress
2Header set Access-Control-Allow-Origin "*"
3Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
4Header set Access-Control-Allow-Headers "Authorization, Content-Type"

API returns 403 Forbidden on POST /orders but GET /products works fine

Cause: The consumer key was generated with Read-only permissions. Write operations (POST, PUT, DELETE) require a key with Read/Write permission.

Solution: Go to WooCommerce → Settings → Advanced → REST API, find your key, and check its Permission column. If it shows Read, you must delete it and generate a new key with Read/Write permission — you cannot edit an existing key's permissions. Update your Firebase Cloud Function environment variables with the new key and redeploy.

Response is empty or returns fewer products than expected when per_page is set high

Cause: Shared hosting servers often enforce a PHP memory limit or max execution time that causes the WooCommerce endpoint to time out on large queries. per_page=100 on a store with thousands of products can exhaust server memory.

Solution: Reduce per_page to 20 or 50 and rely on pagination. If you need to load large catalogs, consider using WooCommerce's product category endpoints to load one category at a time, or upgrade to a managed WordPress host that provides more PHP memory.

Best practices

  • Store the Base64-encoded auth token in an App State variable, not as a hardcoded string in the API Call header — this keeps it out of the exported Dart source as a plaintext literal.
  • Use separate consumer keys for read-only and read/write operations; only the read-only key ever touches client-side code.
  • Route all POST, PUT, and DELETE calls through a Firebase Cloud Function that holds the write-permission key in environment variables.
  • Always use HTTPS for your WordPress store in production — WooCommerce blocks Basic Auth over plain HTTP by design.
  • Keep per_page at 50 or below to avoid server timeouts on shared hosting; use page-based pagination with a Load More action rather than loading everything at once.
  • Enable WooCommerce REST API logs (WooCommerce → Status → Logs) during development so you can inspect exactly what requests arrive and what errors are returned.
  • Scope your consumer keys to the minimum required resources — if your app only reads products, generate a Read-only key scoped to products rather than a site-wide Write key.
  • Test API calls on a real device or simulator for your final QA pass; web Run Mode CORS restrictions can mask issues that would not appear on native builds.

Alternatives

Frequently asked questions

Can I put the consumer key and secret directly in the FlutterFlow API Call headers?

For read-only keys you can store them in an App State variable and reference them in the header, which keeps them out of the plaintext Dart source. However, a Read/Write key must never go anywhere in the FlutterFlow client — route all write operations through a Firebase Cloud Function that holds the key in server environment variables.

Does this integration work for both iOS and Android?

Yes. The WooCommerce REST API is standard HTTPS JSON, so it works on iOS, Android, and FlutterFlow web builds. CORS is only an issue in the web build if your WordPress server does not send the appropriate headers; native builds are unaffected.

How do I handle WooCommerce webhooks for real-time order notifications?

FlutterFlow apps do not have a public inbound URL, so they cannot receive webhooks directly. Instead, configure WooCommerce to send webhooks to a Firebase Cloud Function, which can write the event to Firestore. Your FlutterFlow app listens to the Firestore collection in real time using FlutterFlow's native Firebase integration and shows a notification when a new document appears.

My WooCommerce store is on a cheap shared host. Are there performance concerns?

Yes. Shared hosts typically have low PHP memory limits and short execution timeouts. Keep per_page at 20–50, avoid parallel API calls to the same store, and cache product data locally in Firestore or Supabase if you need faster catalog browsing. Heavy catalog apps perform much better on a managed WordPress host like WP Engine or Kinsta.

Can RapidDev help me build this WooCommerce companion app?

Yes — if you'd rather skip the Cloud Function setup and security configuration, RapidDev's team builds FlutterFlow integrations like this every week. Book a free scoping call at rapidevelopers.com/contact.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire FlutterFlow integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.