
Authentication — signed requests

Every request from WP Assist to your WordPress site is cryptographically signed rather than carrying your raw API key. WP Assist uses your site's secret to compute an HMAC-SHA256 signature over the request, and the plugin verifies that signature before processing anything. The secret itself never travels over the network, and captured requests can't be replayed or tampered with. No WordPress login credentials are involved.

How it works

  1. When you connect a WordPress site, a unique key is generated in the form wph_live_<keyId>.<secret>. The keyId is a public handle; the secret is the signing key.
  2. You paste the full key into Settings → WP Assist in your WordPress admin. On our side we store only the keyId plus the secret encrypted at rest — never the plaintext key.
  3. For each request, WP Assist sends signature headers instead of the raw key: X-WPAssist-KeyId, X-WPAssist-Timestamp, X-WPAssist-Nonce, and X-WPAssist-Signature (an HMAC-SHA256 of the method, path, body, timestamp and nonce).
  4. The plugin recomputes the signature with its stored secret and compares them in constant time. It also rejects requests whose timestamp is more than 60 seconds old and any nonce it has already seen — so a captured request can't be replayed.
  5. Once verified, the plugin handles the request as a dedicated least-privilege agent user that can only edit content — never manage options, themes, plugins, or files.
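The exchange in steps 1 to 4, worked through on both sides, as an added example that is not the WP Assist plugin's or service's own code. The site key, the request path and the JSON body are constructed placeholders, and the way the five signed fields are joined into one string (newline-separated, method upper-cased) is an assumption: the page names the fields that are signed but not their exact layout. The verifier also rejects timestamps that are too far in the future, a clock-skew check that goes slightly beyond the "more than 60 seconds old" rule stated above.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample key in the documented wph_live_<keyId>.<secret> shape.
# Both the keyId and the secret are placeholders, not real credentials.
SITE_KEY = "wph_live_k7f3q2.7c1b2e4d5f6a7b8c9d0e1f2a3b4c5d6e"
MAX_AGE_SECONDS = 60  # the replay window the plugin enforces


def split_key(site_key: str):
    """Split wph_live_<keyId>.<secret> into its public handle and signing secret."""
    prefix = "wph_live_"
    if not site_key.startswith(prefix) or "." not in site_key:
        raise ValueError("key is not in wph_live_<keyId>.<secret> form")
    key_id, secret = site_key[len(prefix):].split(".", 1)
    return key_id, secret


def canonical_string(method, path, body, timestamp, nonce):
    # Assumed canonicalization: the signed fields joined by newlines.
    # The page lists which fields are signed but not their layout.
    return "\n".join([method.upper(), path, body, str(timestamp), nonce]).encode()


def sign_request(site_key, method, path, body, timestamp=None, nonce=None):
    """Client side: derive the four X-WPAssist-* headers. The secret never leaves."""
    key_id, secret = split_key(site_key)
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    digest = hmac.new(
        secret.encode(),
        canonical_string(method, path, body, timestamp, nonce),
        hashlib.sha256,
    ).hexdigest()
    return {
        "X-WPAssist-KeyId": key_id,
        "X-WPAssist-Timestamp": str(timestamp),
        "X-WPAssist-Nonce": nonce,
        "X-WPAssist-Signature": digest,
    }


class Verifier:
    """Plugin side: per-keyId secret, timestamp window and nonce replay cache."""

    def __init__(self, secrets_by_key_id, max_age=MAX_AGE_SECONDS):
        self.secrets_by_key_id = secrets_by_key_id
        self.max_age = max_age
        self.seen_nonces = {}  # nonce -> timestamp at which it was first accepted

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason). Every rejection path happens before any work."""
        now = int(time.time()) if now is None else int(now)
        key_id = headers.get("X-WPAssist-KeyId", "")
        secret = self.secrets_by_key_id.get(key_id)
        if secret is None:
            return False, "unknown keyId"
        try:
            ts = int(headers.get("X-WPAssist-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        # Stale requests are rejected; so are ones dated too far ahead (clock skew).
        if abs(now - ts) > self.max_age:
            return False, "timestamp outside 60s window"
        nonce = headers.get("X-WPAssist-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "nonce replayed"
        expected = hmac.new(
            secret.encode(),
            canonical_string(method, path, body, ts, nonce),
            hashlib.sha256,
        ).hexdigest()
        # Constant-time comparison: no early exit that leaks how many bytes matched.
        if not hmac.compare_digest(expected, headers.get("X-WPAssist-Signature", "")):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts
        # Nonces older than the window can no longer pass the timestamp check,
        # so the cache only needs to remember one window's worth.
        self.seen_nonces = {
            n: t for n, t in self.seen_nonces.items() if now - t <= self.max_age
        }
        return True, "ok"


if __name__ == "__main__":
    # Constructed request; the path and body are placeholders.
    path, body = "/example/endpoint", '{"title":"Hello"}'
    headers = sign_request(SITE_KEY, "POST", path, body)
    plugin = Verifier({"k7f3q2": "7c1b2e4d5f6a7b8c9d0e1f2a3b4c5d6e"})
    print("first delivery:", plugin.verify("POST", path, body, headers))
    print("replayed copy: ", plugin.verify("POST", path, body, headers))
```

The nonce cache is an in-memory dict here; a real plugin would persist it (for example in a transient or table) so that a replay against a freshly started PHP worker is still caught, and the timestamp window bounds how long those entries must be kept.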

No WordPress passwords: WP Assist never asks for, stores, or uses your WordPress admin username or password. The site key is the only credential involved — it can be regenerated at any time from your WP Assist dashboard without affecting your WordPress login.

Security best practices

  • Keep your key private and treat it like a password. Save it when it's shown: for security reasons it can't be displayed again; you can only regenerate a new one.
  • Don't commit your key to a public code repository or share it in support tickets.
  • If you believe your key has been exposed, regenerate it immediately from your WP Assist dashboard. The old key stops working at once.
  • The plugin rejects every request without a valid signature — no unauthenticated endpoints are exposed.
