API Tokens
Scoped API tokens for REST API access — create tokens with read, operational, full, or agent scope.
Create tokens from the API Tokens screen in the admin panel. Each token has a name, scope, optional expiry, and is SHA-256 hashed at rest. Tokens are accepted via X-FSWA-Token header, Authorization: Bearer, or ?api_token= query parameter. Token management itself always requires a WordPress admin session.
Scopes
read — GET endpoints only. operational — read + toggle webhooks, retry/replay logs, execute queue jobs. full — operational + create, update, delete webhooks, schemas, logs; reveals stored auth secrets. agent — same write access as full, but can never reveal a webhook's auth_header or any Credentials Vault secret. Intended for AI assistants.
/ Related