I just started using ACF Fields with a headless WordPress setup, and I’m wondering how I can ensure that data within a custom post type and its field groups is only accessible via the WordPress REST API or GraphQL API with authorization. Is this even possible?
For example, let’s say I create a custom post type to store potential user data for my website, named MyUsers, with fields for username and password.
I plan to use ACF fields primarily as a database rather than displaying them anywhere on my WordPress site. I don’t want this custom post type and its data to be exposed anywhere on the frontend; it should only be accessible when queried on the server side and then sent to my own frontend.
So, how can I guarantee that this data remains private and accessible only via authenticated API requests? What’s the best way to achieve this?