This guide shows how to connect a backend service (such as a server, script, or API) to your WordPress site using Nox App Connect.
This setup uses the Client Credentials grant, which is designed for machine-to-machine communication. No user login is required.
By the end of this guide, your backend service will be able to:
- Authenticate with your WordPress site
- Receive an access token
- Make secure API requests
When to Use This
Use this method when:
- You are connecting a server or backend service
- No user interaction is required
- You want automated or scheduled tasks (e.g., syncing data)
Examples:
- Sync orders from an external system
- Publish posts from a backend service
- Integrate with another API
Requirements
Before starting, make sure:
- Nox App Connect is installed and configured
- The API is enabled
- You have administrator access
Step 1: Enable Client Credentials Grant
- Go to App Connect → Settings → Grant Types
- Enable Client Credentials
Expected Result
- The plugin allows server-to-server authentication
Step 2: Create a Backend Client
- Go to App Connect → Clients
- Click Add New Client
Configure the following:
- Name: a descriptive label, for example “Backend Service”
- Grant Types: Select Client Credentials
- Client Type: Confidential (required)
- Access Mode: Start with restricted
Step 3: Assign a Service User
Client Credentials does not use a logged-in user. Instead, it uses a WordPress service user.
How to set it:
- Select a user in Client Credentials User
- This user’s permissions define what the token can do
Example
If the user can:
- Edit posts → the API can edit posts
- Publish content → the API can publish content
Step 4: Configure REST Route Allowlist
This is critical for security. The client must explicitly define which API routes it can access.
Format
METHOD /wp-json/path
Examples
GET /wp-json/wp/v2/posts
POST /wp-json/wp/v2/posts
GET /wp-json/wp/v2/users/me
You can also use wildcards:
GET /wp-json/wp/v2/posts/*
Important Notes
- Requests must match both:
  - The route allowlist
  - WordPress permissions
- If a route is not listed, access is denied
Step 5: Save the Client
After saving, you will receive:
- Client ID
- Client Secret
Store these securely. Your backend will use them to authenticate.
Step 6: Request an Access Token
Your backend service must request a token from the API.
Example Request
curl -X POST "https://your-site.com/wp-json/app-connect/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u "CLIENT_ID:CLIENT_SECRET" \
--data-urlencode "grant_type=client_credentials"
Expected Response
{
  "token_type": "Bearer",
  "access_token": "...",
  "expires_in": 3600,
  "granted_rest_routes": [
    "GET /wp-json/wp/v2/posts"
  ]
}
Step 7: Use the Access Token
Include the token in your API requests:
curl "https://your-site.com/wp-json/wp/v2/posts" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Expected Result
- The request succeeds if:
  - The route is allowlisted
  - The service user has permission
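A small Python client that ties Steps 4, 6 and 7 together, added here as an example and not part of Nox App Connect: it builds the token request with HTTP Basic client authentication, parses the token response, tracks expiry, and checks a planned call against granted_rest_routes before attaching the Bearer token. The host, client ID and secret, the sample token values, and the wildcard rule (a trailing * matching any remaining path text) are assumptions; the plugin's own allowlist and permission checks remain authoritative.

```python
import base64
import fnmatch
import json
import time
import urllib.parse
import urllib.request

SITE = "https://your-site.com"  # placeholder host, as in the guide
TOKEN_URL = SITE + "/wp-json/app-connect/v1/token"

def build_token_request(token_url, client_id, client_secret):
    """Step 6: POST with HTTP Basic client auth and a form-encoded grant_type."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}", "Content-Type": "application/x-www-form-urlencoded"})

class ServiceToken:
    """Parsed token response: expiry tracking plus the allowlist the plugin echoes back."""
    def __init__(self, response_json, now=None):
        data = json.loads(response_json)
        self.token_type = data["token_type"]
        self.access_token = data["access_token"]
        self.granted_routes = data.get("granted_rest_routes", [])
        self.expires_at = (time.time() if now is None else now) + data["expires_in"]

    def is_expired(self, now=None, margin=60):
        # Treat the token as expired `margin` seconds early so a refresh happens in time.
        return (time.time() if now is None else now) + margin >= self.expires_at

    def allows(self, method, path):
        # Pre-check against "METHOD /wp-json/path" entries. Assumption: '*' matches any
        # remaining path text; the plugin's own matching rules are authoritative.
        for entry in self.granted_routes:
            allowed_method, _, allowed_path = entry.partition(" ")
            if allowed_method.upper() == method.upper() and fnmatch.fnmatchcase(path, allowed_path):
                return True
        return False

def build_api_request(token, method, path):
    """Step 7: attach the Bearer token; refuse locally if the route is not allowlisted."""
    if not token.allows(method, path):
        raise PermissionError(f"{method} {path} is not in granted_rest_routes")
    headers = {"Authorization": f"{token.token_type} {token.access_token}"}
    return urllib.request.Request(SITE + path, method=method, headers=headers)

# Constructed sample response (not a real token), shaped like the Step 6 expected response.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer", "access_token": "sample-token", "expires_in": 3600,
    "granted_rest_routes": ["GET /wp-json/wp/v2/posts", "GET /wp-json/wp/v2/posts/*"]})
```

In a real service, send the request from build_token_request with urllib.request.urlopen, feed the response body to ServiceToken, and request a fresh token whenever is_expired() returns True.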
How It Works (Behind the Scenes)
When your backend requests a token:
- The plugin validates the client ID and secret
- It checks the allowed grant types
- It assigns the configured service user
- It creates a token with:
  - User permissions
  - Allowed REST routes
- The token is returned and can be used immediately
Security Best Practices
- Keep your client secret private
- Use HTTPS only
- Limit allowed REST routes (do not use broad wildcards unless needed)
- Use restricted access mode instead of full access
- Rotate credentials periodically
Common Issues
“Unauthorized Client”
- Client Credentials not enabled globally or on the client
“Invalid Client”
- Incorrect client ID or secret
“Forbidden Request”
- Route not in allowlist
- Service user lacks permission
Example Use Case
Automated Content Publisher
- A backend service generates content
- It authenticates using Client Credentials
- It sends a POST request to /wp-json/wp/v2/posts
- WordPress creates the post