WPOrchestrix / Documentation

Authentication

WPSentinel supports two authentication methods. Both use the Authorization header.

Method 1: API Tokens (Recommended for Scripts)

API tokens are long-lived credentials managed in your account settings. They don't expire unless revoked.

Creating a Token

  1. Navigate to Settings → API
  2. Click Create an API Token
  3. Copy the token immediately (it won't be shown again in full)

Using API Tokens

Include the token in the Authorization header with the token scheme:

curl -H "Authorization: token YOUR_API_TOKEN" \
  https://wporchestrix.com/api/v1/sites

Method 2: JWT Authentication (Recommended for Apps)

JWT provides short-lived access tokens (15 minutes) with a refresh token flow (7 days). This is ideal for frontend applications and mobile apps.

Step 1: Obtain Tokens

curl -X POST https://wporchestrix.com/api/v1/jwt \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "your_password"}'

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiJ9...",
  "token_type": "Bearer",
  "expires_in": 900
}

Step 2: Use the Access Token

curl -H "Authorization: Bearer ACCESS_TOKEN" \
  https://wporchestrix.com/api/v1/sites

Step 3: Refresh When Expired

When the access token expires, use the refresh token to get new tokens:

curl -X POST https://wporchestrix.com/api/v1/jwt/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "YOUR_REFRESH_TOKEN"}'

Revoking Tokens

To invalidate a token (e.g., on logout), send it to the revoke endpoint:

curl -X POST https://wporchestrix.com/api/v1/jwt/revoke \
  -H "Authorization: Bearer ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"token": "TOKEN_TO_REVOKE"}'

Two-Factor Authentication

If the user has 2FA enabled, include otp_attempt in the login request:

{
  "email": "user@example.com",
  "password": "your_password",
  "otp_attempt": "123456"
}
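
An added example (not part of the WPOrchestrix documentation or code base): a small Python session helper that follows Steps 1 to 3 and the otp_attempt field above, renewing the access token shortly before expires_in elapses and failing closed when a token request is rejected. The class name, the 30-second margin, the injected post callable, and the assumption that the refresh endpoint returns the same fields as the login response are illustrative and not confirmed by this page.

```python
import time

BASE = "https://wporchestrix.com/api/v1"
SKEW = 30  # assumed safety margin in seconds; refresh before the stated expiry


class JWTSession:
    """Keeps the token pair in memory and renews it before expires_in elapses."""

    def __init__(self, post, clock=time.monotonic):
        self._post = post    # callable(url, json_body) -> (status_code, dict)
        self._clock = clock  # injectable so expiry can be tested without waiting
        self._access = self._refresh = None
        self._deadline = 0.0

    def _store(self, status, body):
        ok = 200 <= status < 300 and "access_token" in body and "expires_in" in body
        if not ok:
            # Fail closed; never echo the body, it may contain credentials.
            self._access = self._refresh = None
            raise PermissionError(f"token request failed with HTTP {status}")
        self._access = body["access_token"]
        # Assumption: refresh may rotate the refresh token; keep the old one if not.
        self._refresh = body.get("refresh_token", self._refresh)
        self._deadline = self._clock() + body["expires_in"] - SKEW

    def login(self, email, password, otp=None):
        payload = {"email": email, "password": password}
        if otp is not None:
            payload["otp_attempt"] = otp  # only sent for accounts with 2FA enabled
        self._store(*self._post(f"{BASE}/jwt", payload))

    def auth_header(self):
        if self._refresh is None:
            raise PermissionError("not logged in")
        if self._clock() >= self._deadline:
            body = {"refresh_token": self._refresh}
            self._store(*self._post(f"{BASE}/jwt/refresh", body))
        return {"Authorization": f"Bearer {self._access}"}


def requests_post(url, body):
    """Real transport; requests is imported lazily so the class runs offline."""
    import requests
    r = requests.post(url, json=body, timeout=10)
    return r.status_code, (r.json() if r.content else {})
```

Create the session with JWTSession(requests_post), call login() once, then pass auth_header() as the headers of each API request.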

Comparison

Feature        API Tokens                         JWT
Expiry         Never (until revoked)              15 min (access) / 7 days (refresh)
Header format  Authorization: token VALUE         Authorization: Bearer VALUE
Best for       Scripts, CI/CD, server-to-server   Web apps, mobile apps
Setup          Generate in UI                     Login via API
Revocation     Delete in UI                       Call revoke endpoint

Code Examples

Ruby

require "net/http"
require "json"

# JWT login
uri = URI("https://wporchestrix.com/api/v1/jwt")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = uri.scheme == "https"

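request = Net::HTTP::Post.new(uri, "Content-Type" => "application/json")
request.body = {email: "user@example.com", password: "secret"}.to_json
response = http.request(request)
# Stop on a failed login rather than sending an empty Bearer token
raise "JWT login failed: HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
tokens = JSON.parse(response.body)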

# Use access token
sites_uri = URI("https://wporchestrix.com/api/v1/sites")
request = Net::HTTP::Get.new(sites_uri)
request["Authorization"] = "Bearer #{tokens["access_token"]}"
response = http.request(request)

Python

import requests

# JWT login
response = requests.post("https://wporchestrix.com/api/v1/jwt", json={
    "email": "user@example.com",
    "password": "secret"
}, timeout=10)
response.raise_for_status()  # stop on a failed login instead of using missing tokens
tokens = response.json()

# Use access token
sites = requests.get("https://wporchestrix.com/api/v1/sites", headers={
    "Authorization": f"Bearer {tokens['access_token']}"
}, timeout=10)

JavaScript

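// JWT login
const response = await fetch("https://wporchestrix.com/api/v1/jwt", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ email: "user@example.com", password: "secret" })
});
// Stop on a failed login instead of sending "Bearer undefined"
if (!response.ok) throw new Error(`JWT login failed: HTTP ${response.status}`);
const tokens = await response.json();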

// Use access token
const sites = await fetch("https://wporchestrix.com/api/v1/sites", {
  headers: { "Authorization": `Bearer ${tokens.access_token}` }
});