LemonX Developers · Authentication

Secure every AI, API and automation workflow before it touches WordPress.

LemonX connects WordPress with AI providers, MCP clients, REST API integrations, Cloud Gateway services, translation workflows, indexing systems and developer automations. That power requires a clear authentication and permission model.

Authentication in LemonX is designed to answer three questions before any action runs:

Who is making the request? · What are they allowed to do? · Should this action be read-only, preview-only or allowed to apply changes?

WordPress-native · Permission-aware · Preview-first · Built for AI-safe automation

What does LemonX authentication protect?

LemonX authentication protects access to developer APIs, MCP tools, AI-powered workflows, cloud-connected features, license services, translation queues, indexing actions, content previews and write operations inside WordPress.

Because LemonX can help AI systems read, generate, translate, optimize and update WordPress content, authentication must go beyond simple login. It needs to combine identity, role, capability, product entitlement, workflow type, action sensitivity and auditability.

Identify the requester

Requests may come from a WordPress user, API key, application password, MCP client, Cloud Gateway connection or webhook system.

Verify permissions

Each request should be checked against WordPress roles, capabilities, LemonX module settings and product-level entitlements.

Separate read, preview and apply

Reading content, generating a preview and applying changes should be treated as different permission levels.

Log important actions

Sensitive actions should be recorded for debugging, accountability and security review.

Authentication model

LemonX uses layered authentication, not one-size-fits-all access.

Different workflows require different levels of trust. A logged-in editor creating a draft, a server-to-server REST API integration, a Claude MCP session and a Cloud Gateway request should not be treated the same way.

LemonX authentication should be designed as a layered model: Identity → Authentication → Permission → Entitlement → Action Safety → Audit Log

Layer 1

Identity

Who is making the request?

LemonX first needs to understand the identity behind the request.

Possible Identities
  • WordPress administrator
  • WordPress editor
  • SEO manager
  • Translator
  • Agency user
  • Application password user
  • API key owner
  • MCP client session
  • Cloud Gateway service
  • Webhook endpoint
  • External integration

Why it matters: A content editor may be allowed to create drafts but not change MCP settings. A translator may preview translations but not publish pages. An agency account may manage client reports but not billing. An MCP client may read content but need confirmation before applying edits.

Layer 2

Authentication

How is the request verified?

After identity is known, LemonX verifies that the request is legitimate. The method depends on the integration type.

Common Methods
  • WordPress logged-in session
  • WordPress nonce
  • Application password
  • API key
  • Bearer token
  • Cloud Gateway token
  • MCP authorization context
  • Webhook signature
  • OAuth-like future flows

Layer 3

Permission

What is the requester allowed to do?

Authentication proves identity. Permission decides access. LemonX workflows should respect WordPress capabilities and add product-specific permission controls where needed.

Examples
  • Can read posts
  • Can edit posts
  • Can publish posts
  • Can manage options
  • Can trigger indexing
  • Can manage translations
  • Can apply MCP previews
  • Can access reports
  • Can manage licenses
  • Can configure Cloud Gateway
  • Can create webhooks

Layer 4

Entitlement

Is this feature available under the active plan?

Some LemonX features may depend on product activation, license state, module status or Pro entitlements.

Examples
  • AEO analysis requires LemonX AEO enabled.
  • Translation queue requires LemonX Verto enabled.
  • MCP tools require LemonX MCP enabled.
  • Cloud Gateway actions require LemonX Pro or a valid cloud entitlement.
  • Advanced reports may require a Pro or Agency plan.
  • Usage-heavy AI workflows may require available quota.

Layer 5

Action Safety

How risky is this action?

Not every action has the same risk. LemonX should treat actions differently based on their impact.

Action Types
  • Read-only
  • Draft creation
  • Preview generation
  • Metadata update
  • Translation queue
  • Indexing submission
  • Content apply
  • Publish action
  • Delete action
  • Settings change
  • Permission change
  • License change

Why it matters: Low-risk actions can use lighter checks. High-risk actions should require stronger permissions, explicit confirmation and activity logging.

Layer 6

Audit Log

What happened, when, and by whom?

Important actions should leave a trace. This is especially important for agencies, enterprise teams and AI-driven workflows.

Recommended Log Fields
  • Action type
  • User or token identity
  • Source integration
  • Target resource
  • Timestamp
  • IP or request context
  • Tool or endpoint used
  • Before / after reference
  • Preview ID
  • Result status
  • Error details when failed

Authentication methods

Choose the right authentication method for each workflow.

Method 1

WordPress Logged-in Session

Best for admin dashboard workflows.

When a user is already logged into WordPress, LemonX admin screens and browser-based actions can use the current WordPress session and nonce validation.

Best For
  • LemonX admin UI
  • Settings pages
  • Manual content workflows
  • Admin-side previews
  • Dashboard actions
  • Logged-in user controls
Strengths
  • Native to WordPress.
  • Works well for admin screens.
  • Can use WordPress nonces.
  • Tied to user roles and capabilities.
  • Simple for interactive workflows.
Limitations
  • Not ideal for server-to-server integrations.
  • Requires a browser session.
  • Should not be used for external backend systems.

Method 2

WordPress Nonce

Protect browser-based requests from unauthorized actions.

Nonces help verify that browser-based requests come from an authorized admin screen or user action. They are especially useful for AJAX and REST requests triggered from LemonX admin UI.

Best For
  • Admin AJAX actions
  • Settings updates
  • Preview creation from dashboard
  • Apply buttons
  • Interactive UI workflows
Recommended Use
  • Use nonce checks for state-changing browser requests.
  • Pair nonce checks with capability checks.
  • Do not rely on nonce alone as a full permission model.

Method 3

WordPress Application Passwords

Best for trusted server-to-server API access.

WordPress application passwords allow external systems to authenticate as a specific WordPress user. This makes them useful for REST API integrations, custom dashboards and backend automations.

Best For
  • External dashboards
  • Agency tools
  • Internal systems
  • Scheduled scripts
  • Server-to-server REST API integrations
  • Trusted automation workflows
Strengths
  • WordPress-native.
  • Can be revoked per application.
  • Tied to a specific user.
  • Works well with REST API requests.
Limitations
  • Permissions depend on the user account.
  • Should be scoped carefully.
  • Should not be shared across multiple unrelated systems.
  • Not ideal for public frontend apps.

Authorization: Basic base64(username:application_password)

Method 4

API Keys

Best for dedicated LemonX integrations.

API keys can provide a dedicated way for external systems to access selected LemonX workflows without relying only on normal user sessions. API keys should be scoped, revocable and connected to specific permissions.

Best For
  • Custom backend integrations
  • Automation platforms
  • Agency portals
  • Client dashboards
  • Internal tools
  • Controlled data access
Recommended Use
  • Use separate keys for separate systems.
  • Avoid all-access keys.
  • Rotate keys periodically.
  • Disable unused keys.
  • Log key usage.
  • Limit high-risk scopes.
Recommended API Key Fields
  • Key name
  • Owner
  • Created date
  • Last used date
  • Allowed scopes
  • Allowed IPs
  • Expiration date
  • Status
  • Revocation control

content.read · content.preview · content.apply · aeo.analyze · aeo.indexing.submit · verto.queue · verto.apply · mcp.logs.read · reports.read · cloud.usage.read

Method 5

Bearer Tokens

Best for token-based API workflows.

Bearer tokens can be used when an integration needs a token-based authorization flow. Tokens should be short-lived or revocable and should include clear scopes.

Best For
  • API integrations
  • Cloud-connected services
  • Temporary access flows
  • Internal tools
  • Future OAuth-like workflows
Recommended Use
  • Expiration time
  • Refresh logic where appropriate
  • Scope validation
  • Token revocation
  • IP or origin restrictions
  • Activity logging

Authorization: Bearer YOUR_ACCESS_TOKEN

Method 6

MCP Authorization Context

Best for AI agent sessions.

MCP clients need a security model that understands both the authenticated WordPress user and the AI tool session. LemonX MCP authorization should control which tools are visible, which tools are callable and which actions require preview or apply confirmation.

Best For
  • Claude Desktop
  • Codex
  • Cursor
  • MCP-compatible clients
  • AI agent workflows
  • Preview-before-apply editing
Key Questions
  • Which WordPress user authorized this MCP session?
  • Which tools are enabled for this user?
  • Can the agent only read, or can it preview changes?
  • Can it apply changes directly?
  • Are some pages protected?
  • Are logs enabled for this session?
  • Is the site identity verified?
Recommended MCP Flow
  1. Authenticate user
  2. Verify site identity
  3. Load allowed tools
  4. Run read or preview tool
  5. Generate preview
  6. Ask for confirmation
  7. Apply approved change
  8. Log action

Method 7

Cloud Gateway Token

Best for LemonX Pro and cloud-connected features.

Cloud Gateway authentication is used when LemonX connects to cloud services for licensing, entitlements, AI routing, usage tracking, updates or advanced features.

Best For
  • License verification
  • Product entitlements
  • Cloud AI gateway
  • Usage and quota tracking
  • Secure updates
  • Premium features
  • Agency or enterprise plans
Recommended Use
  • Site-bound token
  • License validation
  • Plan entitlement checks
  • Quota verification
  • Request signing
  • Usage logging
  • Token rotation
  • Revocation support

Method 8

Webhook Signatures

Best for verifying event delivery.

When LemonX sends webhook events to external systems, the receiving system should verify that the event came from LemonX and was not modified in transit.

Best For
  • Webhook event delivery
  • External automation
  • Client portals
  • Security logging
  • Workflow triggers
  • Third-party system updates
Recommended Use
  • Shared signing secret
  • Timestamp header
  • HMAC signature
  • Replay protection
  • Event ID deduplication
  • HTTPS endpoint requirement

Permission model

Separate what users can read, preview, apply and manage.

LemonX should avoid treating all authenticated users as equal. A secure AI workflow depends on role-based and capability-based permission design.

| Level | Description | Typical Access |
| --- | --- | --- |
| Viewer | Can inspect and summarize data | Read-only tools, reports |
| Contributor | Can create drafts and suggestions | Draft creation, preview generation |
| Editor | Can edit existing content | Content preview and selected apply tools |
| Publisher | Can publish approved content | Apply and publish actions |
| SEO Manager | Can run SEO and AEO workflows | Analysis, metadata, schema, indexing |
| Translator | Can manage translation workflows | Translation queue, preview and apply |
| Developer | Can access integration settings | API, hooks, logs, diagnostics |
| Administrator | Can manage all LemonX settings | Full configuration and sensitive actions |
| Agency Owner | Can manage client-level workflows | Multi-site reports, licenses, users |
| Enterprise Admin | Can enforce security and policy rules | Advanced permissions and governance |

Action matrix

Recommended permission separation by action type.

| Action Type | Risk Level | Recommended Minimum Role |
| --- | --- | --- |
| Read site identity | Low | Viewer |
| Read content | Low | Viewer |
| Generate summary | Low | Viewer |
| Create draft | Medium | Contributor |
| Generate SEO suggestions | Medium | SEO Manager |
| Create preview update | Medium | Editor |
| Queue translation | Medium | Translator |
| Submit indexing request | Medium | SEO Manager |
| Apply approved content update | High | Editor |
| Publish content | High | Publisher |
| Apply translation | High | Translator or Editor |
| Modify site settings | High | Administrator |
| Change MCP tool permissions | High | Administrator or Developer |
| Manage licenses | High | Administrator or Agency Owner |
| Create API keys | High | Administrator or Developer |
| Delete content | Critical | Administrator |
| Change user permissions | Critical | Administrator |
| Disable security controls | Critical | Administrator |

Scopes

Use scopes to limit API and tool access.

Scopes define what an API key, token, MCP session or integration can do. A scope should be specific enough to limit risk but broad enough to support useful workflows.

Content Scopes

content.read · content.search · content.draft.create · content.preview · content.apply · content.publish · content.delete

AEO Scopes

aeo.read · aeo.analyze · aeo.schema.generate · aeo.links.suggest · aeo.indexing.submit · aeo.reports.read

Code Scopes

code.templates.read · code.pages.generate · code.sections.generate · code.knowledge.read · code.ocr.process · code.migration.preview

Verto Scopes

verto.languages.read · verto.translation.queue · verto.translation.preview · verto.translation.apply · verto.seo.generate · verto.reports.read

MCP Scopes

mcp.tools.read · mcp.tools.call · mcp.previews.read · mcp.previews.apply · mcp.logs.read · mcp.permissions.manage

Pro Scopes

pro.license.read · pro.license.manage · pro.entitlements.read · pro.usage.read · pro.cloud.status · pro.cloud.manage

Reports Scopes

reports.read · reports.generate · reports.export

Webhook Scopes

webhooks.read · webhooks.create · webhooks.update · webhooks.delete · webhooks.test

Preview-first security

AI should suggest first, not overwrite first.

For AI-powered WordPress workflows, preview-first design is one of the most important security patterns. It allows LemonX to separate generation from execution.

Step 1: Read current content

The AI or integration retrieves the current page, post, SEO field or translation state.

Step 2: Generate proposed change

The AI creates a proposed update based on the user request and site context.

Step 3: Return preview

LemonX returns a preview with before/after differences, warnings and affected resources.

Step 4: Confirm approval

A qualified user reviews and approves the proposed update.

Step 5: Apply change

LemonX applies the approved change and logs the action.

Why it matters: AI output can be useful but should not automatically overwrite production content. Preview-first workflows make AI powerful without removing human control.
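
The five steps above as a small state machine, added here as an illustration and not taken from LemonX: generation only records a proposal, and the write happens only for an approved, unused preview whose base content has not changed. The class, role set, page slugs and identities are hypothetical; the protected-page rule assumes administrator approval as the stronger check.

```python
import hashlib
import secrets

# Constructed policy for the example: roles that may approve an apply, and
# page slugs treated as protected (administrator approval only).
APPLY_ROLES = {"Editor", "Publisher", "Administrator"}
PROTECTED_PAGES = {"pricing", "checkout"}


def digest(text):
    """Fingerprint of the content a preview was generated against."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class PreviewWorkflow:
    def __init__(self, pages):
        self.pages = dict(pages)   # slug -> current content
        self.previews = {}         # preview ID -> pending change
        self.log = []              # audit trail of previews, approvals, applies

    def create_preview(self, slug, proposed, source):
        """Steps 1-3: read, record the proposal, return a preview ID. No write."""
        before = self.pages[slug]
        preview_id = secrets.token_hex(8)
        self.previews[preview_id] = {
            "slug": slug, "proposed": proposed, "base": digest(before),
            "approved_by": None, "applied": False,
        }
        self._record("preview", source, slug, preview_id, "created")
        return preview_id

    def approve(self, preview_id, user, role):
        """Step 4: a qualified role approves; protected pages need an admin."""
        preview = self.previews[preview_id]
        protected = preview["slug"] in PROTECTED_PAGES
        needed = {"Administrator"} if protected else APPLY_ROLES
        ok = role in needed
        if ok:
            preview["approved_by"] = user
        self._record("approve", user, preview["slug"], preview_id,
                     "approved" if ok else "denied")
        return ok

    def apply(self, preview_id, source):
        """Step 5: write only an approved, unused preview of unchanged content."""
        preview = self.previews.get(preview_id)
        if preview is None:
            status = "unknown preview"
        elif preview["approved_by"] is None:
            status = "not approved"
        elif preview["applied"]:
            status = "already applied"
        elif digest(self.pages[preview["slug"]]) != preview["base"]:
            # The page changed after the reviewer saw the diff: regenerate.
            status = "stale preview"
        else:
            self.pages[preview["slug"]] = preview["proposed"]
            preview["applied"] = True
            status = "applied"
        slug = preview["slug"] if preview else None
        self._record("apply", source, slug, preview_id, status)
        return status

    def _record(self, action, identity, target, preview_id, result):
        self.log.append({"action": action, "identity": identity,
                         "target": target, "preview_id": preview_id,
                         "result": result})


if __name__ == "__main__":
    # Constructed site content and identities.
    wf = PreviewWorkflow({"landing": "Old copy", "pricing": "Plans from $10"})
    pid = wf.create_preview("landing", "New copy", "mcp:agent-session")
    print(wf.apply(pid, "mcp:agent-session"))   # refused: nobody approved it
    wf.approve(pid, "erin", "Editor")
    print(wf.apply(pid, "mcp:agent-session"))   # written and logged
```
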

Workflow examples

Recommended authentication by workflow.

Workflow 1

Admin dashboard action

Example: A logged-in administrator changes LemonX settings.

Recommended Authentication
  • WordPress session
  • Nonce validation
  • Capability check
  • Optional activity log
Required Checks
  • Is the user logged in?
  • Does the user have manage_options or required LemonX capability?
  • Is the nonce valid?
  • Is the module enabled?

Workflow 2

External SEO dashboard

Example: An agency dashboard pulls AEO reports from client sites.

Recommended Authentication
  • Application password or scoped API key
  • Read-only AEO and report scopes
  • Site identity check
  • Request logging
Required Checks
  • Is the token valid?
  • Does the token allow report access?
  • Does the site have AEO enabled?
  • Does the license allow report access?

Workflow 3

AI agent edits a page

Example: Claude proposes an update to a WordPress landing page.

Recommended Authentication
  • MCP authorization context
  • WordPress user capability check
  • Tool permission check
  • Preview-before-apply
  • Apply approval
  • Activity log
Required Checks
  • Is the MCP session authorized?
  • Can the user read this page?
  • Can the user generate previews?
  • Can the user apply updates?
  • Is this page protected?
  • Was the preview approved?

Workflow 4

Translation queue automation

Example: An external system sends new product pages to LemonX Verto for translation.

Recommended Authentication
  • Scoped API key or application password
  • Verto queue scope
  • Translation entitlement check
  • Task logging
Required Checks
  • Is Verto enabled?
  • Is the language active?
  • Can this content type be translated?
  • Is there available quota?
  • Should translation require human review?

Workflow 5

Cloud Gateway request

Example: LemonX Pro verifies entitlement before using a cloud-connected feature.

Recommended Authentication
  • Cloud Gateway token
  • License validation
  • Site identity
  • Plan entitlement
  • Usage quota check
Required Checks
  • Is the license valid?
  • Is the site authorized?
  • Does the plan include this feature?
  • Is quota available?
  • Should usage be recorded?

Workflow 6

Webhook event delivery

Example: LemonX sends a translation completed event to an external automation system.

Recommended Authentication
  • Webhook signing secret
  • HMAC signature
  • Timestamp validation
  • HTTPS endpoint
  • Event ID deduplication
Required Checks
  • Is the signature valid?
  • Is the timestamp recent?
  • Has this event already been processed?
  • Is the endpoint active?

Protected resources

Some resources should require stronger checks.

Certain WordPress resources are more sensitive than normal content. LemonX authentication should make it easy to protect them from accidental AI actions or over-broad API access.

Recommended Protected Resources

Homepage · Pricing page · Checkout page · Account page · Login page · Legal pages · Privacy policy · Terms of service · Contact forms · License settings · Cloud Gateway settings · API keys · MCP permissions · User roles · Payment-related pages · WooCommerce checkout flow · Production templates

Recommended Protection Rules

  • Require administrator approval for high-impact pages.
  • Disable direct apply on protected pages.
  • Require preview and manual confirmation.
  • Block AI-generated deletion by default.
  • Log all updates to protected resources.
  • Restrict settings changes to administrators.
  • Use staging for risky transformations.

API key management

Good API security starts with key hygiene.

API keys should be treated like passwords. They can connect external systems to your LemonX-powered WordPress site, so they should be scoped, monitored and revocable.

Recommended API Key Features

  • Named keys — Each key should have a clear name such as “Agency Dashboard” or “Internal Reporting Tool.”
  • Scoped permissions — Keys should only receive the scopes needed for their workflow.
  • Expiration dates — Temporary integrations should use expiring keys.
  • Last used tracking — Admins should see when a key was last used.
  • Revocation — Keys should be easy to disable immediately.
  • IP restrictions — Where appropriate, keys can be limited to known server IPs.
  • Usage logs — Sensitive key actions should be logged.

API Key Best Practices

  • Do not share one key across multiple systems.
  • Do not store keys in frontend JavaScript.
  • Do not email keys in plain text.
  • Rotate keys after staff changes.
  • Remove unused keys.
  • Use read-only keys for dashboards.
  • Use separate keys for staging and production.
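
One way a server could enforce the key fields and practices listed above on every request, added here as an illustration rather than LemonX's implementation. The `ApiKey` record, `authorize` function, audit entry layout and the sample key, addresses and endpoint are hypothetical; the scope names come from this page.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ApiKey:
    # Fields follow the "Recommended API Key Fields" list on this page.
    name: str
    owner: str
    scopes: frozenset
    allowed_networks: tuple = ()           # CIDR strings; empty = unrestricted
    expires_at: Optional[datetime] = None
    status: str = "active"                 # "active" or "revoked"
    last_used: Optional[datetime] = None


def denial_reason(key, scope, source_ip, now):
    """Return None when the request may proceed, else why it is refused."""
    if key.status != "active":
        return "key revoked"
    if key.expires_at is not None and now >= key.expires_at:
        return "key expired"
    if key.allowed_networks:
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return "unparseable source address"
        if not any(addr in ipaddress.ip_network(n) for n in key.allowed_networks):
            return "source address not allowed"
    # Exact match only: no wildcards and no prefix matching, so holding
    # content.read never implies content.apply.
    if scope not in key.scopes:
        return "scope not granted"
    return None


def authorize(key, scope, source_ip, target, endpoint, audit_log, now=None):
    """Decide one request and append an audit entry whether or not it passes."""
    now = now or datetime.now(timezone.utc)
    reason = denial_reason(key, scope, source_ip, now)
    entry = {
        "action": scope,
        "identity": f"api_key:{key.name}",
        "owner": key.owner,
        "target": target,
        "endpoint": endpoint,
        "timestamp": now.isoformat(),
        "ip": source_ip,
        "result": "allowed" if reason is None else "denied",
        "error": reason,
    }
    audit_log.append(entry)
    if reason is None:
        key.last_used = now            # feeds "last used" tracking
    return entry


if __name__ == "__main__":
    # Constructed key modelled on the read-only agency dashboard scenario.
    log = []
    key = ApiKey(
        name="Agency Dashboard",
        owner="agency@example.com",
        scopes=frozenset({"reports.read", "aeo.read", "pro.license.read"}),
        allowed_networks=("203.0.113.0/24",),
        expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc),
    )
    for scope in ("reports.read", "content.apply"):
        entry = authorize(key, scope, "203.0.113.10", "site:client-a",
                          "/example/endpoint", log)   # constructed endpoint
        print(scope, entry["result"], entry["error"])
```
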

MCP authentication

AI agents need tool access, not unlimited admin access.

MCP authentication is different from normal API authentication because the user is not only connecting a system — they are allowing an AI agent to call tools. This means LemonX should authenticate the user, authorize the session and restrict the tools available to the AI client.

Recommended MCP Session Flow

Step 1: User authorizes connection — A WordPress user initiates or approves the MCP connection.

Step 2: LemonX verifies site identity — The MCP client receives clear site identity so users know which WordPress site is connected.

Step 3: LemonX loads allowed tools — Available tools are based on user role, module settings and product entitlement.

Step 4: AI calls tools — The AI client can call read, preview or apply tools based on permission.

Step 5: Sensitive actions require confirmation — Write actions should use preview-first workflows.

Step 6: Actions are logged — Tool calls, previews and applied changes should be stored for review.

Recommended MCP Tool Access Levels

Read-only tools · Draft creation tools · Preview tools · Apply tools · Publishing tools · Settings tools · Restricted admin tools

MCP Security Recommendation: Do not expose every tool to every AI client. Start with read-only access, then enable preview tools, and only allow apply tools for trusted users and workflows.

Cloud Gateway authentication

Cloud-connected features require site, license and entitlement verification.

LemonX Pro and Cloud Gateway workflows may connect your WordPress site with cloud services for licensing, advanced AI routing, updates, usage tracking, entitlements and premium features. Cloud Gateway authentication should verify both the site and the plan before allowing cloud-connected actions.

Recommended Checks

Site ID · License key · License status · Plan level · Product entitlement · Usage quota · Request signature · Cloud token validity · Feature availability · Account status

Common Cloud Gateway Workflows

  • License activation
  • License deactivation
  • Entitlement refresh
  • Usage sync
  • AI gateway request
  • Translation provider routing
  • Secure update verification
  • Agency multi-site management
  • Enterprise feature validation

Webhook security

Verify events before trusting them.

Webhooks are useful for automation, but they must be verified. Any system receiving LemonX webhook events should confirm that the event came from LemonX and was not replayed or modified.

Recommended Headers

X-LemonX-Event · X-LemonX-Delivery · X-LemonX-Timestamp · X-LemonX-Signature

Example Verification Logic

  1. Receive webhook payload.
  2. Read timestamp and signature headers.
  3. Recreate signature using shared secret.
  4. Compare signatures securely.
  5. Reject old timestamps.
  6. Check whether event ID was already processed.
  7. Process event.
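
The seven steps above written out as a receiver-side check. This is an added example, not LemonX code: the page names the headers but not the signing scheme, so the HMAC-SHA256 construction over timestamp, delivery ID and body, the hex encoding, the 300-second window and the use of X-LemonX-Delivery as the event ID are assumptions.

```python
import hashlib
import hmac
import time

# Assumptions (the page names the headers but not the signing scheme):
#   - X-LemonX-Signature is hex HMAC-SHA256 over "<timestamp>.<delivery>.<body>"
#   - X-LemonX-Delivery carries the unique event ID used for deduplication
#   - events more than MAX_SKEW_SECONDS from the receiver's clock are refused
MAX_SKEW_SECONDS = 300


class WebhookRejected(Exception):
    """Raised with a short reason when an event must not be processed."""


def sign(secret, timestamp, delivery, body):
    """Signature over the raw body plus the headers that gate replay checks."""
    message = b".".join([timestamp.encode(), delivery.encode(), body])
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS):
        self._secret = secret
        self._max_skew = max_skew
        # delivery ID -> time after which the event would be stale anyway.
        # A multi-process receiver would keep this in a shared store.
        self._seen = {}

    def verify(self, headers, body, now=None):
        """Return the delivery ID of an authentic, fresh, first-seen event."""
        now = time.time() if now is None else now
        h = {k.lower(): v for k, v in headers.items()}
        timestamp = h.get("x-lemonx-timestamp", "")
        delivery = h.get("x-lemonx-delivery", "")
        signature = h.get("x-lemonx-signature", "")
        if not (timestamp and delivery and signature):
            raise WebhookRejected("missing header")   # unsigned events are refused
        # Digits-only timestamp and a delivery ID without "." keep the signed
        # message unambiguous: bytes cannot be shifted between its fields.
        id_ok = delivery.isascii() and all(c.isalnum() or c in "-_" for c in delivery)
        ts_ok = timestamp.isascii() and timestamp.isdigit()
        if not (ts_ok and id_ok and signature.isascii()):
            raise WebhookRejected("malformed header")

        # Steps 3-4: recreate the signature from the raw bytes received and
        # compare in constant time, before trusting any header value.
        expected = sign(self._secret, timestamp, delivery, body)
        if not hmac.compare_digest(expected, signature):
            raise WebhookRejected("bad signature")

        # Step 5: the timestamp is now authenticated, so freshness is meaningful.
        event_time = int(timestamp)
        if abs(now - event_time) > self._max_skew:
            raise WebhookRejected("stale timestamp")

        # Step 6: deduplicate on the signed delivery ID, dropping expired entries.
        self._seen = {d: exp for d, exp in self._seen.items() if exp >= now}
        if delivery in self._seen:
            raise WebhookRejected("duplicate delivery")
        self._seen[delivery] = event_time + self._max_skew
        return delivery


def outcome(verifier, headers, body, now=None):
    """Helper for the demo: 'accepted' or the rejection reason."""
    try:
        verifier.verify(headers, body, now)
        return "accepted"
    except WebhookRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed secret and event, for illustration only.
    secret = b"constructed-signing-secret"
    body = b'{"event":"translation.completed","post_id":42}'
    ts, delivery = str(int(time.time())), "evt-0001"
    headers = {
        "X-LemonX-Event": "translation.completed",
        "X-LemonX-Delivery": delivery,
        "X-LemonX-Timestamp": ts,
        "X-LemonX-Signature": sign(secret, ts, delivery, body),
    }
    verifier = WebhookVerifier(secret)
    print(outcome(verifier, headers, body))          # first delivery
    print(outcome(verifier, headers, body))          # replay of the same event
    print(outcome(verifier, headers, body + b" "))   # modified in transit
```

The signature is computed over the raw request bytes, so a receiver should verify before parsing or re-serializing the JSON body.
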

Recommended Event Security

  • Use HTTPS endpoints.
  • Rotate webhook secrets when needed.
  • Log delivery attempts.
  • Deduplicate event IDs.
  • Reject unsigned events.
  • Validate timestamp freshness.
  • Do not expose webhook secrets publicly.

Best practices

Authentication best practices for LemonX developers.

Use least privilege

Give each user, key, token or MCP session only the access it needs.

Separate read, preview and apply

Do not treat content reading and content writing as the same permission.

Protect high-impact pages

Homepage, pricing, checkout, account and legal pages should require stronger approval.

Rotate secrets

API keys, webhook secrets and cloud tokens should be rotated when they may be exposed.

Avoid frontend secrets

Never place API keys, cloud tokens or provider keys in frontend JavaScript.

Log sensitive actions

Record API key usage, MCP apply actions, license changes, cloud requests and permission updates.

Use HTTPS

All external API, webhook and cloud requests should use HTTPS.

Validate input

Do not trust user input, AI output or external payloads without validation and sanitization.

Use staging for risky workflows

Test MCP write tools, migration, translation automation and custom integrations on staging first.

Revoke unused access

Remove unused API keys, disabled webhooks, old application passwords and inactive MCP sessions.

Common authentication mistakes.

Giving AI full admin access
AI agents should receive tool-based access, not unrestricted administrator credentials.
Using one API key for everything
Separate keys by system, workflow and permission level.
Skipping capability checks
Authentication alone is not enough. Always check whether the authenticated identity has permission.
Allowing direct apply without preview
For important content changes, preview-first is safer.
Storing secrets in public code
Never place API keys or tokens in frontend code, public repositories or exposed config files.
Forgetting license entitlements
An authenticated user may still not have access to a Pro feature if the license or plan does not allow it.
Ignoring webhook signatures
Unsigned webhooks should not be trusted.
Not logging sensitive actions
Without logs, it becomes hard to understand what changed and who triggered it.

Examples

Authentication scenarios in real LemonX workflows.

Scenario 1: Read-only agency dashboard

Goal: An agency wants to show SEO, translation and license status for client sites.

Recommended Access

  • Scoped API key
  • reports.read
  • aeo.read
  • verto.reports.read
  • pro.license.read
  • site.health.read

Not Needed

  • content.apply
  • content.publish
  • mcp.permissions.manage
  • license.manage

Scenario 2: Content editor using AI previews

Goal: An editor wants AI to improve blog posts before review.

Recommended Access

  • WordPress logged-in session
  • content.read
  • content.preview
  • aeo.analyze
  • aeo.schema.generate

Not Needed

  • content.publish
  • settings.manage
  • mcp.permissions.manage
  • license.manage

Scenario 3: Translator managing multilingual content

Goal: A translator needs to queue, preview and apply translations.

Recommended Access

  • verto.languages.read
  • verto.translation.queue
  • verto.translation.preview
  • verto.translation.apply
  • verto.seo.generate

Optional

  • content.read
  • reports.translation.read

Scenario 4: Claude connected through MCP

Goal: A site owner wants Claude to update page copy safely.

Recommended Access

  • MCP session authorization
  • site.identity.read
  • content.read
  • content.preview
  • mcp.previews.apply after confirmation
  • mcp.logs.write

Protection

  • No delete tools
  • No settings tools
  • Protected pages require admin approval
  • Preview before apply enabled

Scenario 5: Developer managing Cloud Gateway

Goal: A developer needs to debug license and cloud usage issues.

Recommended Access

  • pro.license.read
  • pro.entitlements.read
  • pro.usage.read
  • pro.cloud.status
  • site.health.read

Restricted

  • pro.license.manage
  • cloud.manage
  • billing changes

Checklist

Before enabling an integration, check this list.

Is the integration using the right authentication method?
Does it have only the scopes it needs?
Can the token or key be revoked?
Is the integration tied to a real owner?
Are high-risk actions separated from read-only actions?
Are preview-first workflows enabled for AI edits?
Are protected pages blocked or restricted?
Are webhooks signed and verified?
Are cloud features checking entitlements?
Are sensitive actions logged?
Are secrets stored securely?
Has the workflow been tested on staging?

Build secure WordPress AI workflows from the first request.

LemonX authentication helps developers connect AI, APIs, MCP clients, webhooks and cloud services to WordPress without giving up control.

Authentication FAQ

Is WordPress login enough for LemonX actions?
For normal admin UI actions, WordPress login plus nonce and capability checks may be enough. For API, MCP, Cloud Gateway and webhook workflows, additional authentication and permission layers are recommended.
Can I use WordPress application passwords with LemonX REST API?
Yes. Application passwords are suitable for trusted server-to-server REST API integrations when paired with capability checks.
Should MCP clients use administrator access?
No. MCP clients should use tool-based access with permission checks and preview-first workflows, not unrestricted administrator access.
What is the difference between authentication and permission?
Authentication confirms who is making the request. Permission determines what they are allowed to do.
What are scopes?
Scopes define what a token, API key or integration can access, such as content.read, aeo.analyze or verto.translation.queue.
Can LemonX restrict AI from editing specific pages?
Yes. Protected resources and MCP permission logic can restrict high-impact pages such as pricing, checkout, account, privacy and terms pages.
Should AI-generated changes be applied automatically?
For low-risk draft workflows, automation may be acceptable. For important content, SEO, translation and publishing actions, preview-before-apply is recommended.
How should webhook events be secured?
Webhook events should be signed with a shared secret, timestamped, delivered over HTTPS and checked for replay attacks.
Can API keys expire?
Yes. Expiration is recommended for temporary integrations and external systems.
What should I do if a key is exposed?
Revoke the key immediately, create a new key, review recent logs and rotate any related secrets.

Authentication is the foundation of safe WordPress AI automation.

Before an AI agent edits a page, before an API triggers a translation, before a webhook starts an automation, and before a cloud feature runs — LemonX should know who is requesting it, what they can do, and whether the action should be previewed first.