FAQ

Pre-sales and technical answers based on current HeadlessWP Pro plugin behavior and site contracts.

Pre-sales FAQ

What is HeadlessWP Pro?
A WordPress plugin that exposes a hardened, versioned REST API under /headlesswp/v1.
What does it integrate with?
Internal providers include WooCommerce, Restrict Content Pro, AffiliateWP, LearnDash, MemberPress, Easy Digital Downloads, Gravity Forms, Fluent Forms, GiveWP, and FluentBooking.
Does it support API keys?
Yes. Service accounts and API keys are supported. Keys are hashed at rest, shown only once, and scoped.
Does it support bearer tokens?
Yes. Token auth exists behind a feature flag.
Can I disable endpoints?
Yes. Non-protected endpoints can be enabled or disabled, and the access mode can be set to Any or API key only.

Technical FAQ

What is the API base?
/headlesswp/v1
What response envelope should clients expect?
Success responses use { data, meta }. Error responses use { error, meta }.
What auth modes are supported?
Cookie auth (browser), Authorization: Bearer <token> (optional), and Authorization: HeadlessWPProKey <token> (optional).
How does CSRF work?
For cookie-authenticated sessions, POST/PATCH/DELETE requests require the X-WP-Nonce header unless the route is exempt. The /auth/register route explicitly verifies the nonce in its controller.
How should I debug production issues?
Use the X-Correlation-Id header and meta.correlationId, then trace requests in Logs, Security events, and Self Test.
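
The following is an added example, not HeadlessWP Pro's own code: a JavaScript client that applies the auth-header, CSRF-nonce, and envelope rules from the answers above. The helper names and option shapes are hypothetical, and reading X-Correlation-Id from the response headers as a fallback is an assumption.

```javascript
const API_BASE = "/headlesswp/v1";
const STATE_CHANGING = new Set(["POST", "PATCH", "DELETE"]);

// Hypothetical helper. auth is one of:
//   { mode: "cookie", nonce } | { mode: "bearer", token } | { mode: "key", token }
function buildRequest(method, path, auth) {
  const verb = method.toUpperCase();
  const headers = { Accept: "application/json" };
  let credentials = "omit"; // token modes: do not mix in ambient browser cookies
  if (auth.mode === "bearer") {
    headers.Authorization = `Bearer ${auth.token}`;
  } else if (auth.mode === "key") {
    headers.Authorization = `HeadlessWPProKey ${auth.token}`;
  } else if (auth.mode === "cookie") {
    credentials = "same-origin";
    // Cookie sessions are the CSRF-exposed case: fail closed on the client
    // rather than sending a state-changing request without a nonce.
    if (STATE_CHANGING.has(verb)) {
      if (!auth.nonce) {
        throw new Error(`${verb} ${path}: X-WP-Nonce is required with cookie auth`);
      }
      headers["X-WP-Nonce"] = auth.nonce;
    }
  } else {
    throw new Error(`unknown auth mode: ${auth.mode}`);
  }
  return { url: API_BASE + path, method: verb, headers, credentials };
}

// Hypothetical helper: accept only { data, meta } or { error, meta } and
// return the correlation id so failures can be traced in the plugin's logs.
function parseEnvelope(body, responseHeaders = {}) {
  if (body === null || typeof body !== "object" ||
      body.meta === null || typeof body.meta !== "object") {
    throw new Error("malformed envelope: missing meta");
  }
  const hasData = Object.prototype.hasOwnProperty.call(body, "data");
  const hasError = Object.prototype.hasOwnProperty.call(body, "error");
  if (hasData === hasError) {
    throw new Error("malformed envelope: expected exactly one of data/error");
  }
  // Assumption: the server also echoes the id in an X-Correlation-Id header.
  const correlationId =
    body.meta.correlationId ?? responseHeaders["x-correlation-id"] ?? null;
  return hasData
    ? { ok: true, data: body.data, correlationId }
    : { ok: false, error: body.error, correlationId };
}
```

The object returned by buildRequest can be passed to fetch as `fetch(req.url, req)`; log the returned correlationId alongside any client-side error report.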

Read deeper technical docs

For endpoint details and integration guidance, continue with the API and docs hubs.