Authentication
The REST API lives under the wplm/v1 namespace
(https://your-site.com/wp-json/wplm/v1/…).
API keys & scopes
Section titled “API keys & scopes”Management endpoints require an API key. Generate one under License Manager → Settings → REST API (or via the API-keys endpoint). Each key has a scope:
| Scope | Allows |
|---|---|
read | GET endpoints. |
write | POST / PUT / DELETE endpoints. |
read_write | Both. |
Keys are stored hashed; the secret is shown once at creation — save it.
HTTP Basic auth
Section titled “HTTP Basic auth”Send the consumer key and secret as HTTP Basic credentials:
curl https://your-site.com/wp-json/wplm/v1/licenses \ -u "ck_xxx:cs_xxx"Write requests additionally require the write (or read_write) scope. The
final allow/deny decision passes through the wplm_rest_request_valid filter, so
you can layer on IP allow-listing or rate limiting.
Public (client-facing) endpoints
Section titled “Public (client-facing) endpoints”validate, activate, deactivate, heartbeat, crl, and public-key are
public — they don’t require an API key, because client software calls them
directly with a license key. Harden them under Settings → Security
(force HTTPS, etc.).
Response envelope
Section titled “Response envelope”Successful responses share a consistent shape:
{ "success": true, "data": { /* resource */ }, "meta": { "total": 42 } }Errors map the error code to the correct HTTP status:
{ "success": false, "code": "machine_limit_exceeded", "message": "Activation limit reached for this license.", "data": { "status": 422 }}