Products
Solutions
Pricing
Compare
Resources
Developers
Support
Tokens WordPress-native MCP gateway

Access Tokens for WordPress.

The access token system supports multiple labeled tokens, one-time plaintext display, hashed storage, user binding, last-used tracking and individual revocation. Create, label, preview, revoke and audit one token per MCP client.

v0.2.12plugin version shown in the admin header and docs pages
15mstaging TTL for pending write previews
1single endpoint for Claude, Codex and MCP clients
Access Tokens Token-bound user · capabilities · audit context
Rendered for real WordPress use
Teams connecting Claude Code, Codex, Claude Desktop and other clients to the same WordPress site.
Version OK
WordPress scenario

Built for real MCP sessions inside production WordPress.

LemonX MCP is intentionally a thin gateway. It owns protocol transport, bearer-token authentication, tool discovery, resources, staged writes and audit records. Page editing, SEO research and translation actions stay inside the plugins that know those domains.

For this page, the practical goal is simple: Create, label, preview, revoke and audit one token per MCP client. The operator should be able to understand the value, the safety boundary and the exact WordPress workflow before connecting an AI client.

  • Keep the gateway enabled only when a tokened client should connect.
  • Bind each token to a WordPress user with the least useful permission set.
  • Ask the agent to read site identity before doing site-specific work.
  • Use staged previews for write actions and audit logs for accountability.
Access Tokens Request Gateway Result JSON-RPC Auth + tool MCP response v0.2.12
Scenario: an AI client talks to WordPress through LemonX MCP instead of unsupported raw REST calls.
How it works

The gateway keeps the AI surface predictable and reviewable.

Every MCP session starts with a client, a token, an endpoint and a clear operating manual. LemonX MCP then routes calls through the registry, permissions, feature gates and staging layer.

POST /wp-json/lemonx-mcp/v1/mcp
01
Create a label for the client or machineCreate a label for the client or machine
02
Bind the token to the least-privileged useful usBind the token to the least-privileged useful user
03
Copy the token once and store it in the client cCopy the token once and store it in the client config
04
Review last-used and activity recordsReview last-used and activity records
05
Revoke tokens when a client is retiredRevoke tokens when a client is retired
06
Generate separate tokens per site and clientGenerate separate tokens per site and client
Key features

What this page covers in the MCP product system.

These capabilities map to the real LemonX MCP plugin architecture and admin experience, not a generic AI automation promise.

Multiple labeled tokens

Multiple labeled tokens is presented as a concrete LemonX MCP capability for teams connecting claude code, codex, claude desktop and other clients to the same wordpress site.

Hash-only storage

Hash-only storage is presented as a concrete LemonX MCP capability for teams connecting claude code, codex, claude desktop and other clients to the same wordpress site.

One-time plaintext display

One-time plaintext display is presented as a concrete LemonX MCP capability for teams connecting claude code, codex, claude desktop and other clients to the same wordpress site.

Individual revocation

Individual revocation is presented as a concrete LemonX MCP capability for teams connecting claude code, codex, claude desktop and other clients to the same wordpress site.

Plugin data model

Important internal concepts surfaced as product value.

LemonX MCP stores settings, tokens, stats, audit entries and staged payloads in WordPress options and transients. The website page should explain these concepts because they define trust.

lemonx_mcp_settings
ConceptWhat it controlsWhy users care
Gateway settingsenabled, rate_limit, trust_proxy_headers, cors and disabled_toolsAdmins can turn the surface on, limit clients and hide tools without editing code.
Tokenslabel, hash, user_id, preview, created and last_usedEach MCP client can have its own revocable identity bound to a WordPress user.
Staged payloadstool, payload, preview, user_id and created timeWrite changes wait for confirmation and expire after 15 minutes.
Audit entriestool, write flag, result, source plugin, feature key, site, token and targetTeams can trace what an agent did, where it came from and which site it touched.
Access Tokens Token-bound user · capabilities · audit context
Security language is crawlable text, not hidden inside an image, so both users and AI answer engines can understand the permission model.
Security and AEO readiness

Explain trust clearly for Google, users and AI answer engines.

This page is built with a clear H1, descriptive sections, direct answers, canonical metadata, SoftwareApplication schema, FAQPage schema and BreadcrumbList schema. That helps Google understand the page and gives AI answer engines concise source material to cite.

For MCP, trust language is especially important. The copy should repeatedly clarify that the gateway does not bypass WordPress permissions, write tools are staged, and actions are auditable.

  • Use direct definitions near the top of every page.
  • Keep security claims specific: token binding, capabilities, rate limits, CORS and staging.
  • Use FAQ structured data for answer-engine-friendly summaries.
  • Link related MCP pages so crawlers understand the feature cluster.
Recommended workflow

How teams should use Access Tokens in practice.

Start from the admin screen, verify site identity, expose only the tools that are needed, and use the preview workflow for anything that could change content. This is the difference between an unsafe browser agent and a controlled WordPress MCP gateway.

  • Generate a separate token for each client and site.
  • Ask the agent to call initialize and read the returned operating manual.
  • Use resources/list or discovery tools before making assumptions about content.
  • Apply changes only after reviewing the staging preview and target site context.
Access Tokens Request Gateway Result JSON-RPC Auth + tool MCP response v0.2.12
Recommended workflow: discover, verify, preview, approve, apply and audit.
FAQ

Common questions about Access Tokens.

What is Access Tokens?
Access Tokens is part of LemonX MCP 0.2.12. It helps WordPress teams create, label, preview, revoke and audit one token per mcp client.
Does LemonX MCP bypass WordPress permissions?
No. Tokens are bound to WordPress users, requests run as the bound user, and tools still rely on WordPress capabilities plus LemonX Pro feature gates for write-capable actions.
Can write tools change the site immediately?
Write-capable tools use the preview to apply workflow. The first call stages a preview and opaque payload; only apply_change commits the staged change after review.
Which MCP clients can use this?
The gateway is designed for Claude Code, Codex, Claude Desktop through the stdio bridge, and other HTTP or Streamable HTTP MCP clients that can send JSON-RPC requests with bearer authentication.
Is this page useful for SEO and AI search indexing?
Yes. The page uses a clear H1, descriptive sections, crawlable text, canonical metadata, SoftwareApplication schema, FAQPage schema, BreadcrumbList schema and direct answers for AI answer engines.

Connect AI clients to WordPress with a gateway you can audit.

LemonX MCP gives Claude, Codex and other MCP clients one controlled endpoint for WordPress work: token-bound users, tool discovery, resources, staged writes, Pro gates and activity records.

WhatsApp+44 7724 592551