Skip to content

REST API overview & authentication

The external REST API exposes the canonical document for automation and AI agents. It shares the same write pipeline as the panel and the bulk importer, so identity and validation rules are identical.

https://example.com/wp-json/octa-editor-api/v1/

The API authenticates with Application Passwords, built into WordPress, over HTTP Basic Auth.

Terminal window
curl https://example.com/wp-json/octa-editor-api/v1/post/123 \
--user "username:APPLICATION_PASSWORD"

Create an application password under Users → Profile for the account the automation will use. See Installation.

Every route is gated by a contextual capability check, so the account can only read and write what its WordPress role permits. Listing is anti-oracle. A caller without edit_others_posts only sees its own records, and each object is filtered again per item. There is no way to probe for records you can’t access.

Repeated failed Basic Auth attempts are throttled. The API returns HTTP 429 after too many failures, to slow down credential guessing.

Add "_dry_run": true to any write to preview it with zero database changes. The response lists what would change plus warnings. For automation, also consider "_strict": true, so any warning fails the write instead of silently dropping a value.

Reads return the canonical document. Writes return the resolved outcome, create vs update and the record ID, along with the warnings list. Anti-cache headers are sent so intermediaries never serve stale documents.

Next, see Endpoints.