REST API

LicenceForge exposes a full REST API built on the WordPress REST API infrastructure. Every action available in the admin panel—and several client-only operations—can be performed programmatically through these endpoints.

Base URL

All API endpoints are registered under a single namespace:

/wp-json/wplf/v1/

For a site at https://example.com, the full base URL would be:

https://example.com/wp-json/wplf/v1/

Note

If your WordPress installation uses a custom REST prefix (configured via the rest_url_prefix filter), replace /wp-json/ with your custom prefix.

API categories

The API is divided into two categories, each serving a different audience and requiring different authentication:

| Category | Audience | Authentication | Description |
|---|---|---|---|
| Public | Client plugins/themes | API key or none | Client-facing endpoints for licence validation, activation, deactivation, update checks, and downloads. These are the endpoints your distributed plugin or theme calls at runtime. |
| Admin | Store administrators | Cookie auth or API key | Management endpoints for creating and updating products, licences, and API keys. Used by the WordPress admin panel and any external integrations you build. |

Authentication

LicenceForge supports two authentication methods, depending on the context of the request.

When making requests from the WordPress admin panel (or any page where the user is logged in), standard WordPress cookie authentication applies automatically. The REST API nonce is included via the X-WP-Nonce header. This is the default method used by the built-in admin interface.

API key authentication

For external integrations and server-to-server communication, pass an API key in the X-LicenceForge-Key header:

curl -H "X-LicenceForge-Key: lf_a1b2c3d4e5f6..." \
     https://example.com/wp-json/wplf/v1/admin/products

API keys are scoped by permission level (read, write, or admin) and optionally restricted to a specific product. See API Key Management for details on creating and managing keys.

Warning

Never expose API keys in client-side code or public repositories. Keys with write or admin permissions can modify your licence data. Use read-only keys when possible.

Response format

All endpoints return JSON. Successful responses use standard HTTP status codes (200, 201, 204). Error responses follow a consistent structure:

{
  "code": "invalid_license_key",
  "message": "The licence key provided is not valid.",
  "data": {
    "status": 400
  }
}
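
The following Python client is an added example, not LicenceForge's own code. It builds a server-side request that carries the key in the X-LicenceForge-Key header and maps the error structure above to an exception. The LICENCEFORGE_API_KEY environment variable, the function names, and the HTTPS-only check are assumptions of this example.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

NAMESPACE = "wplf/v1"  # namespace documented above


class LicenceForgeError(Exception):
    """Carries the documented error fields: code, message, data.status."""
    def __init__(self, code, message, status):
        super().__init__(f"{status} {code}: {message}")
        self.code, self.message, self.status = code, message, status


def parse_error(body, http_status):
    """Map an error body to LicenceForgeError; tolerate non-JSON bodies (e.g. a proxy page)."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return LicenceForgeError("non_json_error", "unparseable error body", http_status)
    data = doc.get("data")
    status = data.get("status", http_status) if isinstance(data, dict) else http_status
    return LicenceForgeError(str(doc.get("code", "unknown")), str(doc.get("message", "")), status)


def build_request(site, route, prefix="wp-json", env_var="LICENCEFORGE_API_KEY"):
    """Build a server-side request; the key is read from the environment, not from source."""
    if urlsplit(site).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    key = os.environ.get(env_var)  # env_var name is an assumption of this example
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    url = f"{site.rstrip('/')}/{prefix.strip('/')}/{NAMESPACE}/{route.lstrip('/')}"
    headers = {"X-LicenceForge-Key": key, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def call(site, route, **kwargs):
    """Send the request; return decoded JSON, or raise LicenceForgeError on an HTTP error."""
    try:
        with urllib.request.urlopen(build_request(site, route, **kwargs), timeout=10) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None  # 204 responses carry no body
    except urllib.error.HTTPError as exc:
        raise parse_error(exc.read().decode("utf-8", "replace"), exc.code) from None
```

Pass `prefix` when the site uses a custom REST prefix, and catch `LicenceForgeError` to branch on `code` rather than matching on the message text.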
