API Authentication

Securely authenticate your requests to the Wp Admin API. We support API Keys for server-to-server communication and OAuth 2.0 for delegated user access.

Overview

The Wp Admin API requires authentication for all requests. Never expose your secret keys in client-side code, public repositories, or frontend applications. All API endpoints expect authentication via the Authorization header.

ℹ️ Production Ready: Always use environment variables to store credentials. Wp Admin automatically rotates keys that haven't been used in 90 days and sends advance warnings to your registered admin email.

Authentication Methods

1. API Key (Bearer Token)

Recommended for backend services, cron jobs, and server-to-server integrations. Generate keys from your Wp Admin Dashboard → API Keys.

cURL
curl "https://api.wpadmin.com/v2/sites" \
  -H "Authorization: Bearer wp_live_sk_8f3k29d84j2k39f82j3k9f82j3k9f82" \
  -H "Content-Type: application/json"

2. OAuth 2.0 (User Delegation)

Use OAuth 2.0 when your application needs to perform actions on behalf of a Wp Admin user. This follows the standard Authorization Code Flow with PKCE.

Endpoint          Method   Description
/oauth/authorize  GET      User authorization prompt
/oauth/token      POST     Exchange code for access/refresh tokens
/oauth/revoke     POST     Revoke active tokens

Required Headers

Every API request must include the Authorization header; the other headers below are optional:

Header           Type     Required   Description
Authorization    string   Yes        Your API key or OAuth access token, sent as "Bearer <token>"
X-Wp-Version     string   No         Target WordPress major version (e.g., 6.4)
Idempotency-Key  uuid     No         Prevents duplicate mutations on network retry

Code Examples

PHP (WordPress Plugin Context)

<?php
function wpadmin_get_site_info($site_id) {
    $api_key = get_option('wpadmin_api_key');
    // Encode the ID so a caller-supplied value cannot alter the request path.
    $url = 'https://api.wpadmin.com/v2/sites/' . rawurlencode($site_id);

    $response = wp_remote_get($url, [
        'headers' => [
            'Authorization' => "Bearer $api_key",
            'Content-Type' => 'application/json'
        ]
    ]);

    // wp_remote_get() returns a WP_Error on transport failure; do not try to decode it.
    if (is_wp_error($response)) {
        return $response;
    }

    // Surface 401/403/429 instead of silently decoding an error body as site info.
    $status = wp_remote_retrieve_response_code($response);
    if ($status !== 200) {
        return new WP_Error('wpadmin_http_error', "Wp Admin API returned HTTP $status", ['status' => $status]);
    }

    return json_decode(wp_remote_retrieve_body($response), true);
}

JavaScript (Node.js)

// Explicit import: `crypto` is only available as a global in newer Node.js releases.
const { randomUUID } = require('node:crypto');

const apiKey = process.env.WPADMIN_API_KEY;
if (!apiKey) {
  throw new Error('WPADMIN_API_KEY is not set');
}

// Pass the same idempotencyKey when retrying a failed call; a fresh key per
// attempt would let a network retry create a second backup.
async function createBackup(siteId, idempotencyKey = randomUUID()) {
  const res = await fetch(`https://api.wpadmin.com/v2/sites/${encodeURIComponent(siteId)}/backups`, {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json',
      'Idempotency-Key': idempotencyKey
    },
    body: JSON.stringify({ scope: 'full', storage: 's3' })
  });

  // Surface 401/403/429 instead of returning an error body as if it were a backup.
  if (!res.ok) {
    throw new Error(`Wp Admin API returned HTTP ${res.status}`);
  }

  return res.json();
}

Security Best Practices

⚠️ Key Exposure: If you suspect your API key has been compromised, revoke it immediately from the dashboard. Wp Admin will invalidate the token globally within 2 minutes and notify all associated admins.

Rate Limiting & Errors

Authentication endpoints are rate-limited to 10 requests per second per key. Standard endpoints follow a sliding window of 1000 requests per 15 minutes.

Status Code   Meaning             Action Required
401           Unauthorized        Check token validity & permissions
403           Forbidden           Key lacks required scope/permission
429           Too Many Requests   Implement exponential backoff
400           Bad Request         Invalid header format or malformed payload

🔑 Next Steps: Once authenticated, explore our resource endpoints. Start with Site Management or view Webhook Configuration for event-driven architectures.