Technical Mid Level

How do you extend the WordPress REST API with custom endpoints? What security considerations apply?

Quick Tip

Lead with security: "Every custom endpoint gets a permission_callback — never return true blindly. I validate and sanitise every argument, use current_user_can for role checks, and return WP_Error with proper status codes on failure."

What good answers include

Register custom endpoints with register_rest_route() in the rest_api_init hook. Key parameters: namespace, route, methods, callback, and permission_callback. The permission_callback is critical — it must return true or a WP_Error to control access. Common patterns: checking current_user_can() for authenticated endpoints, using nonces for cookie-authenticated requests, and validating/sanitising input with validate_callback and sanitize_callback on args. Strong candidates discuss: registering custom fields on existing endpoints with register_rest_field(), authentication methods (cookies, application passwords, JWT), and rate limiting for public endpoints.
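Added example (not from the original page) putting those pieces together: a route with a capability-based permission_callback, per-argument validate_callback/sanitize_callback, and WP_Error responses with explicit status codes. The namespace acme/v1, the route, the acme_note post type and the helper name are assumptions for illustration.

```php
<?php
// Assumed namespace/route for illustration; the post type 'acme_note' is also assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/notes/(?P<id>\d+)', array(
        'methods'  => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback' => 'acme_update_note',
        // Never return true blindly: tie access to a capability on this specific object.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            if ( ! current_user_can( 'edit_post', $post_id ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You cannot edit this note.', 'acme' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
                );
            }
            return true;
        },
        // Declared args are validated and sanitised by core before either callback runs.
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'title' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function acme_update_note( WP_REST_Request $request ) {
    $post_id = $request->get_param( 'id' ); // already absint()-ed
    if ( 'acme_note' !== get_post_type( $post_id ) ) {
        return new WP_Error( 'rest_not_found', __( 'No such note.', 'acme' ), array( 'status' => 404 ) );
    }
    $result = wp_update_post( array( 'ID' => $post_id, 'post_title' => $request->get_param( 'title' ) ), true );
    if ( is_wp_error( $result ) ) {
        return $result; // a WP_Error without a status is sent as 500
    }
    return rest_ensure_response( array( 'id' => $post_id, 'title' => get_the_title( $post_id ) ) );
}
```

For cookie-authenticated callers, core only treats the request as logged in when a valid nonce from wp_create_nonce( 'wp_rest' ) is sent in the X-WP-Nonce header; without it the permission_callback runs as an anonymous user and the endpoint returns 401.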

What interviewers are looking for

Tests API development skills in WordPress. Candidates who omit the permission_callback or return true for all routes are creating security vulnerabilities. Those who understand proper authentication and input validation build secure APIs.
