WP Assist REST API endpoints
The WP Assist WordPress plugin works by registering custom REST API endpoints on your WordPress site. These endpoints follow the standard WordPress REST API architecture and are secured using your site's unique API key. The WP Assist app communicates exclusively through these endpoints — no direct database access, no SSH, and no admin credentials are ever required.
How the REST API architecture works
When you send a message to WP Assist in the chat, the AI determines what action to take and calls the appropriate endpoint on your WordPress site. All requests include your API key in the X-WPAssist-Key header for authentication. The WordPress plugin validates the key before processing any request.
What the endpoints support
The WP Assist plugin registers endpoints that support:
- Reading content — fetching the content of pages, posts, and custom post types
- Updating content — saving changes to page and post content, titles, and ACF fields
- Reading SEO data — fetching focus keywords, meta descriptions, and SEO scores from Yoast SEO or Rank Math
- Updating SEO data — writing new focus keywords and meta descriptions to Yoast SEO or Rank Math fields
- Content status — changing post status between published and draft
- Site information — listing available pages, posts, and post types
Standard WordPress REST API: The WP Assist plugin is built on the standard WordPress REST API infrastructure. This means it works with any WordPress setup and respects existing WordPress user roles and permissions. No custom database tables are created.
Security
All endpoints require a valid X-WPAssist-Key header. Requests without a valid key are rejected with a 401 Unauthorised response. The plugin does not expose any unauthenticated endpoints. For more detail on how authentication works, see the Authentication article.