REST API overview & authentication
The external REST API exposes the canonical document for automation and AI agents. It shares the same write pipeline as the panel and the bulk importer, so identity and validation rules are identical.
Base URL
Section titled “Base URL”https://example.com/wp-json/octa-editor-api/v1/Authentication
Section titled “Authentication”The API authenticates with Application Passwords, built into WordPress, over HTTP Basic Auth.
curl https://example.com/wp-json/octa-editor-api/v1/post/123 \ --user "username:APPLICATION_PASSWORD"Create an application password under Users → Profile for the account the automation will use. See Installation.
Capabilities decide what’s allowed
Section titled “Capabilities decide what’s allowed”Every route is gated by a contextual capability check, so the account can only read and write what its WordPress role permits. Listing is anti-oracle. A caller without edit_others_posts only sees its own records, and each object is filtered again per item. There is no way to probe for records you can’t access.
Throttling
Section titled “Throttling”Repeated failed Basic Auth attempts are throttled. The API returns HTTP 429 after too many failures, to slow down credential guessing.
Dry-run first
Section titled “Dry-run first”Add "_dry_run": true to any write to preview it with zero database changes. The response lists what would change plus warnings. For automation, also consider "_strict": true, so any warning fails the write instead of silently dropping a value.
Responses
Section titled “Responses”Reads return the canonical document. Writes return the resolved outcome, create vs update and the record ID, along with the warnings list. Anti-cache headers are sent so intermediaries never serve stale documents.
Next, see Endpoints.