wp_remote_post response body is protected

The Problem

It's not about the response body being "protected". But you're not getting the expected response data because the request body was incomplete — i.e. it did not contain the data in $args (e.g. AppId).

Because $args is the request body; so it should be passed to wp_remote_post() like this:

$response = wp_remote_post( 'https://www.apiurl.com?APIKEY='."$api_key".'', array(    'body' => $args) );

See https://codex.wordpress.org/Function_Reference/wp_remote_post#Parameters

The Fixed Code

(Re-indented for clarity; and there were also other changes)

// Request body.$body = array(    'LocationId' => $loc_id,    'AppId'      => $app_id);$response = wp_remote_post( 'https://www.apiurl.com?APIKEY='."$api_key".'', array(    'body' => $body) );// Response body.$body = wp_remote_retrieve_body( $response );// On success (i.e. `$body` is a valid JSON string), `$responceData` would be an// `ARRAY`.$responceData = ( ! is_wp_error( $response ) ) ? json_decode( $body, true ) : null;var_dump( $responceData );

Additional Note

Here, $responceData would be an array because you set the second parameter to true:

$responceData = json_decode(wp_remote_retrieve_body( $response ), TRUE );

So if you wanted $responceData to be an object, then simply omit the second parameter:

$responceData = json_decode(wp_remote_retrieve_body( $response ) );//$responceData = json_decode(wp_remote_retrieve_body( $response ), false ); // equivalent to above

See the PHP manual for json_decode() for further details.