Admin Endpoints

Admin endpoints provide programmatic access to all management operations: products, licences, API keys, system statistics, and GDPR privacy tools. All admin endpoints require authentication via WordPress cookie auth or an API key with appropriate permissions.

Note

All admin endpoints are prefixed with /wp-json/wplf/v1/admin/. Authentication is required for every request. See API Key Management for permission levels.

Permission levels

API keys are assigned one of three permission levels. Each level includes the capabilities of all lower levels.

Level	Value	Allowed methods	Description
read	1	GET	List and retrieve products, licences, API keys, and stats.
write	2	GET POST PUT	Create and update products and licences. Includes all read capabilities.
admin	3	GET POST PUT DELETE	Full access including deletion and GDPR privacy operations.

Products

List products

GET /wplf/v1/admin/products

Returns a paginated list of all products. Requires read permission.

Response (200 OK)

[
  {
    "id": 1,
    "name": "JetWoo Builder",
    "slug": "jetwoo-builder",
    "description": "Advanced WooCommerce page builder integration.",
    "current_version": "2.4.1",
    "is_active": true,
    "trial_enabled": true,
    "trial_days": 14,
    "created_at": "2025-06-15T09:00:00Z"
  },
  {
    "id": 2,
    "name": "FormCraft Pro",
    "slug": "formcraft-pro",
    "description": "Drag-and-drop form builder with conditional logic.",
    "current_version": "1.8.0",
    "is_active": true,
    "trial_enabled": false,
    "trial_days": 0,
    "created_at": "2025-09-20T14:30:00Z"
  }
]

Create product

POST /wplf/v1/admin/products

Creates a new product. Requires write permission.

Request example

{
  "name": "SiteGuard Security",
  "slug": "siteguard-security",
  "description": "WordPress security hardening and malware scanning.",
  "homepage_url": "https://example.com/siteguard/",
  "current_version": "1.0.0",
  "requires_wp": "6.2",
  "requires_php": "7.4",
  "trial_enabled": true,
  "trial_days": 7
}

Response (201 Created)

{
  "id": 3,
  "name": "SiteGuard Security",
  "slug": "siteguard-security",
  "created_at": "2026-02-21T11:00:00Z"
}

Get product

GET /wplf/v1/admin/products/{id}

Returns full details for a single product. Requires read permission.

Update product

PUT /wplf/v1/admin/products/{id}

Updates an existing product. Only the fields provided in the request body are modified. Requires write permission.

Delete product

DELETE /wplf/v1/admin/products/{id}

Deletes a product. Products with associated licences cannot be deleted—deactivate them instead by setting is_active to false. Requires admin permission.

Danger

Product deletion is irreversible. If the product has existing licences, the request will be rejected with a 409 Conflict response. Deactivate the product instead.

Licences

List licences

GET /wplf/v1/admin/licenses

Returns a paginated list of licences. Supports filtering by status, product, and search term. Requires read permission.

Query parameters

Parameter	Type	Description
`status`	string	Filter by status: `active`, `expired`, `suspended`, `cancelled`, `trial`.
`product_id`	integer	Filter by product ID.
`search`	string	Search by licence key fragment, customer name, or email.
`page`	integer	Page number (default: 1).
`per_page`	integer	Results per page (default: 20, max: 100).

Request example

curl -H "X-LicenceForge-Key: lf_a1b2c3d4e5f6..." \
  "https://example.com/wp-json/wplf/v1/admin/licenses?status=active&product_id=1&per_page=10"

Response (200 OK)

{
  "data": [
    {
      "id": 42,
      "license_key_masked": "XXXX-XXXX-XXXX-G7H8",
      "product_id": 1,
      "product_name": "JetWoo Builder",
      "customer_name": "John Doe",
      "customer_email": "[email protected]",
      "status": "active",
      "activation_limit": 5,
      "activation_count": 2,
      "expires": "2027-02-21T00:00:00Z",
      "created_at": "2026-02-21T10:00:00Z"
    }
  ],
  "total": 87,
  "page": 1,
  "per_page": 10,
  "total_pages": 9
}

Create licence

POST /wplf/v1/admin/licenses

Creates a new licence. Requires write permission.

Request example

{
  "product_id": 1,
  "customer_name": "Jane Smith",
  "customer_email": "[email protected]",
  "activation_limit": 3,
  "expires": "2027-06-01T00:00:00Z",
  "tier_id": 2
}

Response (201 Created)

{
  "id": 148,
  "license_key": "N3W1-K3Y2-H3R3-F4G5",
  "product_id": 1,
  "status": "active",
  "activation_limit": 3,
  "expires": "2027-06-01T00:00:00Z",
  "created_at": "2026-02-21T11:30:00Z"
}

Warning

The full licence key is only returned in the creation response. It is hashed before storage and cannot be retrieved again. Store it securely or deliver it to the customer immediately.

Get licence

GET /wplf/v1/admin/licenses/{id}

Returns full details for a single licence. The licence key is returned in masked form. Requires read permission.

Update licence

PUT /wplf/v1/admin/licenses/{id}

Updates licence fields such as activation_limit, expires, or status. Requires write permission.

Cancel licence

DELETE /wplf/v1/admin/licenses/{id}

Cancels a licence and deactivates all associated sites. This is a soft delete—the licence record is retained with a cancelled status. Requires admin permission.

Rotate licence key

POST /wplf/v1/admin/licenses/{id}/rotate-key

Generates a new licence key for an existing licence. The old key is immediately invalidated. The new key is returned in the response and cannot be retrieved again. Requires write permission.

Response (200 OK)

{
  "id": 42,
  "new_license_key": "R0T4-T3D1-K3Y2-N3W3",
  "previous_key_prefix": "A1B2C3D4",
  "rotated_at": "2026-02-21T12:00:00Z"
}

List activations

GET /wplf/v1/admin/licenses/{id}/activations

Returns all active site activations for a licence. Requires read permission.

Response (200 OK)

[
  {
    "id": 201,
    "site_url": "https://clientsite.com",
    "server_fingerprint": "d4e5f6a7b8c9",
    "activated_at": "2026-01-15T08:30:00Z",
    "last_checked": "2026-02-20T14:00:00Z"
  },
  {
    "id": 202,
    "site_url": "https://staging.clientsite.com",
    "server_fingerprint": null,
    "activated_at": "2026-02-01T10:00:00Z",
    "last_checked": "2026-02-19T09:15:00Z"
  }
]

API keys

List API keys

GET /wplf/v1/admin/api-keys

Returns all API keys with their metadata (but not the key values). Requires read permission.

Response (200 OK)

[
  {
    "id": 5,
    "label": "CI/CD Pipeline",
    "key_prefix": "lf_a1b2",
    "permissions": "write",
    "product_id": null,
    "last_used_at": "2026-02-20T16:45:00Z",
    "created_at": "2025-11-01T09:00:00Z"
  }
]

Create API key

POST /wplf/v1/admin/api-keys

Creates a new API key. The full key is returned only in this response. Requires admin permission.

Request example

{
  "label": "External Dashboard",
  "permissions": "read",
  "product_id": 1
}

Response (201 Created)

{
  "id": 6,
  "label": "External Dashboard",
  "api_key": "lf_x9y8z7w6v5u4t3s2r1q0p9o8n7m6l5k4",
  "permissions": "read",
  "product_id": 1,
  "created_at": "2026-02-21T12:30:00Z"
}

Revoke API key

DELETE /wplf/v1/admin/api-keys/{id}

Permanently revokes an API key. The key is deleted and cannot be recovered. Requires admin permission.

Response (200 OK)

{
  "deleted": true,
  "id": 6
}

Statistics

Get system statistics

GET /wplf/v1/admin/stats

Returns aggregate statistics about products, licences, and activations. Requires read permission.

Response (200 OK)

{
  "products": {
    "total": 3,
    "active": 3
  },
  "licenses": {
    "total": 412,
    "active": 356,
    "expired": 38,
    "suspended": 7,
    "cancelled": 11,
    "trial": 22
  },
  "activations": {
    "total": 891,
    "active": 743
  },
  "revenue": {
    "period": "last_30_days",
    "total": 12450.00,
    "currency": "USD"
  }
}

Privacy (GDPR)

LicenceForge provides two endpoints for GDPR compliance, allowing you to export or erase all data associated with a customer email address.

Export customer data

POST /wplf/v1/admin/privacy/export

Exports all data associated with a customer email address, including licences, activations, and transaction history. Requires admin permission.

Request example

{
  "email": "[email protected]"
}

Response (200 OK)

{
  "email": "[email protected]",
  "export": {
    "licenses": [
      {
        "id": 42,
        "product": "JetWoo Builder",
        "status": "active",
        "created_at": "2026-02-21T10:00:00Z",
        "activations": 2
      }
    ],
    "total_records": 1,
    "exported_at": "2026-02-21T13:00:00Z"
  }
}

Erase customer data

POST /wplf/v1/admin/privacy/erase

Erases all personal data associated with a customer email address. Licence records are anonymised (email and name are cleared) and all activations are removed. Requires admin permission.

Danger

Data erasure is irreversible. Customer name and email are permanently removed from all associated licence records. Activation records are deleted. The licence keys themselves are retained in hashed form for audit purposes, but are no longer functional.

Request example

{
  "email": "[email protected]"
}

Response (200 OK)

{
  "erased": true,
  "records_affected": {
    "licenses": 1,
    "activations": 2
  },
  "erased_at": "2026-02-21T13:15:00Z"
}