Authentication
All MCPWP endpoints require an API key. Pass it in one of two ways:
Header (recommended)
Section titled “Header (recommended)”X-API-Key: mcpwp_YOUR_KEYBearer token
Section titled “Bearer token”Authorization: Bearer mcpwp_YOUR_KEYKey format
Section titled “Key format”MCPWP API keys always start with mcpwp_ followed by 48 hex characters:
mcpwp_a1b2c3d4e5f6...Key scopes
Section titled “Key scopes”Keys are scoped to a role at creation time. The role determines which tool categories are available.
| Role | Tool categories |
|---|---|
admin | All categories |
editor | content, elementor, gutenberg, media, taxonomy, seo |
designer | elementor, gutenberg, media, site |
author | content, media, taxonomy |
Manage keys
Section titled “Manage keys”WP Admin → MCPWP → Setup lists active keys and lets you create, rotate, or revoke them.
Via REST:
# List keyscurl https://YOUR-SITE.com/wp-json/mcpwp/v1/api-keys \ -H "X-API-Key: $ADMIN_KEY"
# Revoke a keycurl -X DELETE https://YOUR-SITE.com/wp-json/mcpwp/v1/api-keys/{id} \ -H "X-API-Key: $ADMIN_KEY"Bypass hook
Section titled “Bypass hook”Plugins can bypass API key validation for specific requests:
add_filter('mcpwp_bypass_api_key_check', function($bypass, $request) { // Return true to skip validation return false;}, 10, 2);