LemonX connects WordPress with AI providers, MCP clients, REST API integrations, Cloud Gateway services, translation workflows, indexing systems and developer automations. That power requires a clear authentication and permission model.
Authentication in LemonX is designed to answer three questions before any action runs:
WordPress-native · Permission-aware · Preview-first · Built for AI-safe automation
LemonX authentication protects access to developer APIs, MCP tools, AI-powered workflows, cloud-connected features, license services, translation queues, indexing actions, content previews and write operations inside WordPress.
Because LemonX can help AI systems read, generate, translate, optimize and update WordPress content, authentication must go beyond simple login. It needs to combine identity, role, capability, product entitlement, workflow type, action sensitivity and auditability.
- Requests may come from a WordPress user, API key, application password, MCP client, Cloud Gateway connection or webhook system.
- Each request should be checked against WordPress roles, capabilities, LemonX module settings and product-level entitlements.
- Reading content, generating a preview and applying changes should be treated as different permission levels.
- Sensitive actions should be recorded for debugging, accountability and security review.
Different workflows require different levels of trust. A logged-in editor creating a draft, a server-to-server REST API integration, a Claude MCP session and a Cloud Gateway request should not be treated the same way.
LemonX authentication should be designed as a layered model:

Identity → Authentication → Permission → Entitlement → Action Safety → Audit Log

1. Identity: LemonX first needs to understand the identity behind the request. Why it matters: A content editor may be allowed to create drafts but not change MCP settings. A translator may preview translations but not publish pages. An agency account may manage client reports but not billing. An MCP client may read content but need confirmation before applying edits.
2. Authentication: After identity is known, LemonX verifies that the request is legitimate. The method depends on the integration type.
3. Permission: Authentication proves identity. Permission decides access. LemonX workflows should respect WordPress capabilities and add product-specific permission controls where needed.
4. Entitlement: Some LemonX features may depend on product activation, license state, module status or Pro entitlements.
5. Action Safety: Not every action has the same risk. LemonX should treat actions differently based on their impact. Why it matters: Low-risk actions can use lighter checks. High-risk actions should require stronger permissions, explicit confirmation and activity logging.
6. Audit Log: Important actions should leave a trace. This is especially important for agencies, enterprise teams and AI-driven workflows.
When a user is already logged into WordPress, LemonX admin screens and browser-based actions can use the current WordPress session and nonce validation.
Nonces help verify that browser-based requests come from an authorized admin screen or user action. They are especially useful for AJAX and REST requests triggered from LemonX admin UI.
WordPress application passwords allow external systems to authenticate as a specific WordPress user. This makes them useful for REST API integrations, custom dashboards and backend automations.
```http
Authorization: Basic base64(username:application_password)
```
API keys can provide a dedicated way for external systems to access selected LemonX workflows without relying only on normal user sessions. API keys should be scoped, revocable and connected to specific permissions.
Example scopes:

- content.read
- content.preview
- content.apply
- aeo.analyze
- aeo.indexing.submit
- verto.queue
- verto.apply
- mcp.logs.read
- reports.read
- cloud.usage.read

Bearer tokens can be used when an integration needs a token-based authorization flow. Tokens should be short-lived or revocable and should include clear scopes.

```http
Authorization: Bearer YOUR_ACCESS_TOKEN
```
MCP clients need a security model that understands both the authenticated WordPress user and the AI tool session. LemonX MCP authorization should control which tools are visible, which tools are callable and which actions require preview or apply confirmation.
Cloud Gateway authentication is used when LemonX connects to cloud services for licensing, entitlements, AI routing, usage tracking, updates or advanced features.
When LemonX sends webhook events to external systems, the receiving system should verify that the event came from LemonX and was not modified in transit.
LemonX should avoid treating all authenticated users as equal. A secure AI workflow depends on role-based and capability-based permission design.
| Level | Description | Typical Access |
|---|---|---|
| Viewer | Can inspect and summarize data | Read-only tools, reports |
| Contributor | Can create drafts and suggestions | Draft creation, preview generation |
| Editor | Can edit existing content | Content preview and selected apply tools |
| Publisher | Can publish approved content | Apply and publish actions |
| SEO Manager | Can run SEO and AEO workflows | Analysis, metadata, schema, indexing |
| Translator | Can manage translation workflows | Translation queue, preview and apply |
| Developer | Can access integration settings | API, hooks, logs, diagnostics |
| Administrator | Can manage all LemonX settings | Full configuration and sensitive actions |
| Agency Owner | Can manage client-level workflows | Multi-site reports, licenses, users |
| Enterprise Admin | Can enforce security and policy rules | Advanced permissions and governance |

| Action Type | Risk Level | Recommended Minimum Role |
|---|---|---|
| Read site identity | Low | Viewer |
| Read content | Low | Viewer |
| Generate summary | Low | Viewer |
| Create draft | Medium | Contributor |
| Generate SEO suggestions | Medium | SEO Manager |
| Create preview update | Medium | Editor |
| Queue translation | Medium | Translator |
| Submit indexing request | Medium | SEO Manager |
| Apply approved content update | High | Editor |
| Publish content | High | Publisher |
| Apply translation | High | Translator or Editor |
| Modify site settings | High | Administrator |
| Change MCP tool permissions | High | Administrator or Developer |
| Manage licenses | High | Administrator or Agency Owner |
| Create API keys | High | Administrator or Developer |
| Delete content | Critical | Administrator |
| Change user permissions | Critical | Administrator |
| Disable security controls | Critical | Administrator |
Scopes define what an API key, token, MCP session or integration can do. A scope should be specific enough to limit risk but broad enough to support useful workflows.
For AI-powered WordPress workflows, preview-first design is one of the most important security patterns. It allows LemonX to separate generation from execution.
1. The AI or integration retrieves the current page, post, SEO field or translation state.
2. The AI creates a proposed update based on the user request and site context.
3. LemonX returns a preview with before/after differences, warnings and affected resources.
4. A qualified user reviews and approves the proposed update.
5. LemonX applies the approved change and logs the action.
Why it matters: AI output can be useful but should not automatically overwrite production content. Preview-first workflows make AI powerful without removing human control.
- Example: A logged-in administrator changes LemonX settings.
- Example: An agency dashboard pulls AEO reports from client sites.
- Example: Claude proposes an update to a WordPress landing page.
- Example: An external system sends new product pages to LemonX Verto for translation.
- Example: LemonX Pro verifies entitlement before using a cloud-connected feature.
- Example: LemonX sends a translation completed event to an external automation system.
Certain WordPress resources are more sensitive than normal content. LemonX authentication should make it easy to protect them from accidental AI actions or over-broad API access.
API keys should be treated like passwords. They can connect external systems to your LemonX-powered WordPress site, so they should be scoped, monitored and revocable.
MCP authentication is different from normal API authentication because the user is not only connecting a system — they are allowing an AI agent to call tools. This means LemonX should authenticate the user, authorize the session and restrict the tools available to the AI client.
1. User authorizes connection: A WordPress user initiates or approves the MCP connection.
2. LemonX verifies site identity: The MCP client receives clear site identity so users know which WordPress site is connected.
3. LemonX loads allowed tools: Available tools are based on user role, module settings and product entitlement.
4. AI calls tools: The AI client can call read, preview or apply tools based on permission.
5. Sensitive actions require confirmation: Write actions should use preview-first workflows.
6. Actions are logged: Tool calls, previews and applied changes should be stored for review.
MCP Security Recommendation: Do not expose every tool to every AI client. Start with read-only access, then enable preview tools, and only allow apply tools for trusted users and workflows.
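The role and risk tables, the scope list, the preview-first steps and the MCP tool-loading step above describe one policy. The following is an added, language-neutral model of that policy (not LemonX's own PHP code); the role ladder, the mapping of actions to scopes, the "Pro" flag on `verto.apply` and the function names are assumptions for illustration.

```python
# Toy model of the layered LemonX authorization described above (Identity ->
# Permission -> Entitlement -> Action Safety -> Audit Log). Illustration only.
from dataclasses import dataclass

# Assumption: each role includes everything the lower roles may do.
ROLE_RANK = {"viewer": 0, "contributor": 1, "editor": 2, "publisher": 3,
             "administrator": 4}

# action -> (risk, minimum role, API-key/MCP scope, needs Pro entitlement).
# Risk and role follow the tables above; scope names follow the API-key section;
# the Pro flag on verto.apply is an assumed example of a product entitlement.
ACTIONS = {
    "content.read":    ("low",      "viewer",        "content.read",    False),
    "content.preview": ("medium",   "editor",        "content.preview", False),
    "content.apply":   ("high",     "editor",        "content.apply",   False),
    "verto.apply":     ("high",     "editor",        "verto.apply",     True),
    "content.delete":  ("critical", "administrator", None,              False),
}
AUDIT_LOG = []  # in WordPress this would live in a custom table, not memory

@dataclass
class Principal:
    user_id: int
    kind: str                       # "session" (logged-in user), "api_key" or "mcp"
    role: str
    scopes: frozenset = frozenset() # only consulted for api_key / mcp principals
    pro: bool = False               # product entitlement

def check(p, action, preview_approved=False):
    """Pure decision: (allowed, reason). No side effects."""
    risk, min_role, scope, needs_pro = ACTIONS[action]
    if ROLE_RANK[p.role] < ROLE_RANK[min_role]:
        return False, "role below minimum"
    if p.kind != "session":                      # integrations are scope-limited
        if scope is None:
            return False, "action not available to integrations"
        if scope not in p.scopes:
            return False, f"missing scope {scope}"
    if needs_pro and not p.pro:
        return False, "feature not entitled"
    if risk in ("high", "critical") and not preview_approved:
        return False, "preview approval required"   # preview-first gate
    return True, "ok"

def authorize(p, action, preview_approved=False):
    """Decide and record. Low-risk reads are not logged; everything else is."""
    allowed, reason = check(p, action, preview_approved)
    if ACTIONS[action][0] != "low":
        AUDIT_LOG.append((p.user_id, p.kind, action, allowed, reason))
    return allowed, reason

def visible_tools(p):
    """MCP step 3: tools this client may be offered; the preview gate applies per call."""
    return [a for a in ACTIONS if check(p, a, preview_approved=True)[0]]
```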
LemonX Pro and Cloud Gateway workflows may connect your WordPress site with cloud services for licensing, advanced AI routing, updates, usage tracking, entitlements and premium features. Cloud Gateway authentication should verify both the site and the plan before allowing cloud-connected actions.
Webhooks are useful for automation, but they must be verified. Any system receiving LemonX webhook events should confirm that the event came from LemonX and was not replayed or modified.
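The receiving side of the webhook check described above, as an added example rather than LemonX's own code. This page does not document LemonX's signing format, so the header layout (`t=<timestamp>,v1=<hex>`), the HMAC-SHA256 scheme over `"<timestamp>.<body>"`, the 300-second tolerance and the delivery-id store are all assumptions.

```python
# Receiver-side verification of a signed webhook: authenticity (HMAC),
# integrity (body covered by the MAC), freshness and duplicate delivery.
import hashlib
import hmac
import time

TOLERANCE = 300   # seconds of clock skew / replay window accepted (assumed)
SEEN_IDS = set()  # delivery ids already processed; use durable storage in production

def _mac(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed scheme: HMAC-SHA256 over "<timestamp>.<raw body>" so the timestamp
    # cannot be altered without invalidating the signature.
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the sender would put in the signature header (assumed format)."""
    return f"t={timestamp},v1={_mac(secret, timestamp, body)}"

def verify(secret: bytes, header: str, body: bytes, delivery_id: str, now=None):
    """Return (ok, reason). Verify the MAC before anything else so an
    unauthenticated caller learns nothing from timestamp or dedup checks."""
    now = int(time.time()) if now is None else now
    try:
        parts = dict(kv.split("=", 1) for kv in header.split(","))
        ts, their_mac = int(parts["t"]), parts["v1"]
    except (ValueError, KeyError):
        return False, "malformed signature header"
    if not hmac.compare_digest(_mac(secret, ts, body), their_mac):  # constant time
        return False, "bad signature"
    if abs(now - ts) > TOLERANCE:
        return False, "stale timestamp"
    if delivery_id in SEEN_IDS:
        return False, "replayed delivery"
    SEEN_IDS.add(delivery_id)
    return True, "ok"
```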
- Give each user, key, token or MCP session only the access it needs.
- Do not treat content reading and content writing as the same permission.
- Homepage, pricing, checkout, account and legal pages should require stronger approval.
- API keys, webhook secrets and cloud tokens should be rotated when they may be exposed.
- Never place API keys, cloud tokens or provider keys in frontend JavaScript.
- Record API key usage, MCP apply actions, license changes, cloud requests and permission updates.
- All external API, webhook and cloud requests should use HTTPS.
- Do not trust user input, AI output or external payloads without validation and sanitization.
- Test MCP write tools, migration, translation automation and custom integrations on staging first.
- Remove unused API keys, disabled webhooks, old application passwords and inactive MCP sessions.
- Goal: An agency wants to show SEO, translation and license status for client sites.
- Goal: An editor wants AI to improve blog posts before review.
- Goal: A translator needs to queue, preview and apply translations.
- Goal: A site owner wants Claude to update page copy safely.
- Goal: A developer needs to debug license and cloud usage issues.
LemonX authentication helps developers connect AI, APIs, MCP clients, webhooks and cloud services to WordPress without giving up control.
Before an AI agent edits a page, before an API triggers a translation, before a webhook starts an automation, and before a cloud feature runs — LemonX should know who is requesting it, what they can do, and whether the action should be previewed first.