Skip to content

Authentication

The REST API lives under the wplm/v1 namespace (https://your-site.com/wp-json/wplm/v1/…).

Management endpoints require an API key. Generate one under License Manager → Settings → REST API (or via the API-keys endpoint). Each key has a scope:

ScopeAllows
readGET endpoints.
writePOST / PUT / DELETE endpoints.
read_writeBoth.

Keys are stored hashed; the secret is shown once at creation — save it.

Send the consumer key and secret as HTTP Basic credentials:

Terminal window
curl https://your-site.com/wp-json/wplm/v1/licenses \
-u "ck_xxx:cs_xxx"

Write requests additionally require the write (or read_write) scope. The final allow/deny decision passes through the wplm_rest_request_valid filter, so you can layer on IP allow-listing or rate limiting.

validate, activate, deactivate, heartbeat, crl, and public-key are public — they don’t require an API key, because client software calls them directly with a license key. Harden them under Settings → Security (force HTTPS, etc.).

Successful responses share a consistent shape:

{ "success": true, "data": { /* resource */ }, "meta": { "total": 42 } }

Errors map the error code to the correct HTTP status:

{
"success": false,
"code": "machine_limit_exceeded",
"message": "Activation limit reached for this license.",
"data": { "status": 422 }
}