Setting Up API Authentication

PersonalizeWP v3.1 introduces API key authentication to enable secure access to PersonalizeWP's REST API endpoints from external domains or headless implementations. This feature allows you to use PersonalizeWP's personalisation capabilities when your frontend is hosted separately from your WordPress installation.

Overview

The API authentication system generates unique, secure tokens that verify requests are coming from authorised domains. This prevents unauthorised access to your personalisation data whilst enabling legitimate cross-domain implementations such as headless WordPress sites, mobile applications, or multi-domain setups.

By default, PersonalizeWP restricts API access to your main WordPress site URL. The authentication system allows you to extend this access to additional domains through manually generated API keys, each associated with a specific URL.

Prerequisites

Before setting up API authentication:

  • PersonalizeWP Pro must be installed and activated
  • You must have WordPress administrator access
  • The target domain where you plan to use the API key must be accessible and configured
  • Your server must support secure HTTPS connections for API requests

Accessing Authentication Settings

  1. Navigate to your WordPress dashboard
  2. Go to PersonalizeWP settings
  3. Click on the "Authentication" tab
  4. The Authentication settings panel displays your current API key configuration

Understanding the Authentication Interface

The Authentication settings page provides:

  • Overview text: Explains that API keys are required for cross-domain usage
  • API Keys table: Lists all generated API keys with their associated URLs
  • Add New Key button: Initiates the API key creation process
  • Actions column: Provides options to revoke existing keys

Creating API Keys

Basic API Key Creation

  1. In the Authentication settings, click "Add New Key"
  2. Enter the full URL where you plan to use PersonalizeWP (e.g., https://frontend.mysite.com)
  3. Click "Generate Key" to create the authentication token
  4. The system displays the generated API key only once. Copy it and store it securely
  5. The new key appears in the API Keys table with the associated URL

API Key Security Features

Single Display: API keys are shown only once during creation for security purposes. If you lose an API key, you must revoke the existing key and generate a new one.

URL Association: Each API key is tied to a specific URL domain. The key will only work for requests originating from that domain.

Unique Generation: Each API key is cryptographically unique and tied to your specific WordPress installation.

Managing API Keys

Viewing Active Keys

The API Keys table shows:

  • URL: The domain associated with each API key
  • Actions: Options to revoke individual keys

Active keys are listed by their associated URL, but the actual key values are not displayed for security reasons.

Revoking API Keys

To revoke an API key:

  1. Locate the key in the API Keys table
  2. Click the "Revoke" action for that key
  3. Confirm the revocation when prompted
  4. The key is immediately invalidated and removed from the table

Important: Revoking an API key immediately breaks any applications or sites using that key. Ensure you have updated applications with new keys before revoking existing ones.

Advanced Configuration Options

Multiple Domain Management

You can create multiple API keys for different domains or applications:

  • Each domain requires its own unique API key
  • There is no limit to the number of API keys you can generate
  • Each key operates independently and can be revoked without affecting others

Key Rotation Strategy

For enhanced security, consider implementing key rotation:

  1. Generate a new API key for the same domain
  2. Update your application to use the new key
  3. Test that the new key works correctly
  4. Revoke the old API key once migration is complete

Development and Production Keys

Use separate API keys for development and production environments:

  • Create a key for your staging/development domain
  • Create a separate key for your production domain
  • This allows independent management and testing without affecting live sites

Troubleshooting

API Key Not Working

If your API key isn't providing access:

  • Verify the key was copied correctly during the single display
  • Check that you're making requests from the exact URL associated with the key
  • Ensure requests include the proper authentication headers
  • Confirm the key hasn't been revoked in the Authentication settings

Cannot Create API Key

If API key generation fails:

  • Verify you have WordPress administrator privileges
  • Check that PersonalizeWP Pro is properly licensed and activated
  • Ensure the target URL is properly formatted (including https://)
  • Try refreshing the page and attempting creation again

URL Mismatch Issues

If you receive URL mismatch errors:

  • Verify the request is coming from the exact domain specified during key creation
  • Check for subdomain differences (www vs non-www)
  • Ensure protocol matches (http vs https)
  • Consider creating additional keys for different URL variations if needed
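
The checks above can be scripted before a frontend goes live. The following JavaScript is an added example, not PersonalizeWP code: it compares the URL registered for a key with the origin a frontend actually sends requests from, and names the component that differs. It assumes matching is on scheme, host and port (the plugin's own comparison logic is not described on this page); the function name and result labels are hypothetical.

```javascript
// Added diagnostic example; not part of PersonalizeWP.
// Assumption: a key's registered URL and the request origin must agree on
// scheme, host and port. Paths are ignored because an origin carries none.

function stripWww(host) {
  return host.startsWith("www.") ? host.slice(4) : host;
}

// Returns an array of labels describing why the two values differ.
// An empty array means they refer to the same origin.
function diagnoseOriginMismatch(registeredUrl, requestOrigin) {
  let registered, actual;
  try {
    // new URL() throws when the scheme is missing, e.g. "frontend.mysite.com"
    registered = new URL(registeredUrl);
    actual = new URL(requestOrigin);
  } catch (err) {
    return ["invalid-url"];
  }

  const problems = [];
  if (registered.protocol !== actual.protocol) {
    problems.push("protocol"); // http vs https
  }
  if (registered.hostname !== actual.hostname) {
    // Separate the common www / non-www slip from a different host entirely
    const sameApartFromWww =
      stripWww(registered.hostname) === stripWww(actual.hostname);
    problems.push(sameApartFromWww ? "www-prefix" : "host");
  }
  // URL.port is "" for the scheme's default port, so :443 on https is not flagged
  if (registered.port !== actual.port) {
    problems.push("port");
  }
  return problems;
}

// Constructed sample values; the registered URL is the example used on this page.
const registeredForKey = "https://frontend.mysite.com";
const sampleOrigins = [
  "https://frontend.mysite.com",
  "http://frontend.mysite.com",
  "https://www.frontend.mysite.com",
  "https://frontend.mysite.com:8443",
];
for (const origin of sampleOrigins) {
  console.log(origin, "->", diagnoseOriginMismatch(registeredForKey, origin));
}
```

Any non-empty result points to either correcting the frontend's origin or creating an additional key for that URL variation.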

Key Management Problems

If you're having trouble managing existing keys:

  • Refresh the Authentication settings page to ensure you're seeing current data
  • If keys appear to be missing, they may have been revoked by another administrator
  • Check with other site administrators who might have access to PersonalizeWP settings

Lost API Key

If you've lost an API key:

  • API keys cannot be retrieved after initial creation
  • Generate a new API key for the same domain
  • Update your application with the new key
  • Revoke the lost key to maintain security

The API authentication system provides a secure foundation for extending PersonalizeWP's capabilities beyond your main WordPress domain whilst maintaining strict access controls and security standards.
