Authentication Overview

Wp Admin uses Bearer token authentication. Every API request must include your API key in the Authorization HTTP header. Tokens are account-scoped and can be restricted to specific resources or actions.

Important: Never expose your API keys in client-side code, public repositories, or browser-accessible scripts. Always use server-side proxying for frontend integrations.

Managing API Keys

Generate, rotate, and revoke API keys from your Wp Admin Dashboard under Settings → API Access. Each key includes:

  • Unique identifier and secret token
  • Expiration date (optional)
  • Scope restrictions (read/write/admin)
  • IP allowlisting (enterprise only)

Usage Examples

Include your API key in the request header as shown below. Replace YOUR_API_KEY with your actual key.

cURL

# Replace YOUR_API_KEY with your key
curl https://api.wpadmin.com/v2/sites \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

JavaScript

// Server-side only: never ship the key in browser-accessible code.
const response = await fetch('https://api.wpadmin.com/v2/sites', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  }
});

const data = await response.json();
console.log(data);

PHP

<?php
// Replace YOUR_API_KEY with your key
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.wpadmin.com/v2/sites");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Authorization: Bearer YOUR_API_KEY",
    "Content-Type: application/json"
]);

$response = curl_exec($ch);
$data = json_decode($response, true);
curl_close($ch);

Python

import requests

url = "https://api.wpadmin.com/v2/sites"
# Replace YOUR_API_KEY with your key
headers = {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json"
}

response = requests.get(url, headers=headers)
data = response.json()
print(data)

Security Best Practices

  • Rotate keys regularly — We recommend changing API keys every 90 days
  • Use scopes — Restrict keys to minimum required permissions
  • Enable IP allowlisting — Limit access to known server addresses
  • Monitor usage — Review API logs for unusual activity patterns
  • Never commit keys — Use environment variables or secret managers

Rate Limits: Free accounts are limited to 100 requests/minute. Professional plans allow 1,000 req/min. Enterprise plans offer custom limits with dedicated infrastructure.

Error Handling

The API returns standard HTTP status codes. Authentication-related errors include:

Status                  Meaning                       Action
401 Unauthorized        Missing or invalid API key.   Verify your token and permissions.
403 Forbidden           Key lacks required scope.     Check endpoint permissions in Dashboard.
429 Too Many Requests   Rate limit exceeded.          Implement exponential backoff and retry.
Token Expiry: API keys older than 1 year are automatically deactivated. Rotate proactively to avoid service interruptions.
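The environment-variable advice and the error table above, combined in one added example (not Wp Admin's own code): the key is read from the environment, 401 and 403 fail immediately, and only 429 is retried with exponential backoff. The variable name WPADMIN_API_KEY, the AuthError class and the send(headers) transport hook are assumptions made for illustration.

```python
import os
import random
import time

API_KEY_ENV = "WPADMIN_API_KEY"  # assumed variable name, not from the page


class AuthError(Exception):
    """Raised for a missing key, 401 or 403: retrying cannot succeed."""


def auth_headers(env=os.environ):
    # Read the key from the environment so it never lands in source control.
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise AuthError(f"{API_KEY_ENV} is not set")
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}


def backoff_delays(max_retries, base=1.0, cap=30.0):
    # Exponential schedule in seconds: base, 2*base, 4*base, ... capped at cap.
    return [min(cap, base * 2 ** i) for i in range(max_retries)]


def request_with_retry(send, env=os.environ, max_retries=4, sleep=time.sleep):
    """Call send(headers) -> (status, body), a caller-supplied transport
    (hypothetical hook; wrap requests.get or similar), following the table:
    401/403 fail fast, 429 is retried with exponential backoff."""
    headers = auth_headers(env)
    delays = backoff_delays(max_retries)
    for attempt in range(max_retries + 1):
        status, body = send(headers)
        if status == 401:
            # Messages never include the key, so they are safe to log.
            raise AuthError("401: missing or invalid API key")
        if status == 403:
            raise AuthError("403: key lacks required scope")
        if status != 429:
            return status, body
        if attempt < max_retries:
            # Full jitter keeps many clients from retrying in lockstep.
            sleep(random.uniform(0, delays[attempt]))
    raise RuntimeError("429: rate limit still exceeded after retries")
```

Passing sleep and env as parameters lets the retry logic be exercised in tests without real waits or a real key.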