Skip to main content
Maxi AI Core exposes a set of PHP constants you can define in your wp-config.php file to override default behavior. These constants let you tune OAuth token lifetimes, licensing check intervals, WP-CLI write permissions, and GDPR data masking — without touching plugin settings or the database. Add any constant above the /* That's all, stop editing! */ line in your wp-config.php file using the format:
define( 'CONSTANT_NAME', value );

Licensing

These constants control how often Maxi AI Core validates your license against the remote server and where it sends update checks.
ConstantDescription
MAXI_AI_LICENSE_CHECK_INTERVALHow often the license is re-validated remotely, in seconds. The minimum accepted value is 3600 (1 hour).

OAuth 2.1

These constants adjust the behavior of the OAuth 2.1 server that AI clients use to connect to your site. The defaults are designed for typical use — you only need to change them if you have specific security or compliance requirements.

Kill switch

ConstantDefaultDescription
MAXI_AI_OAUTH_DISABLEfalseSet to true to disable OAuth entirely. All OAuth endpoints return 404 and the Bearer token hook is not registered. Clients using application passwords are unaffected.

Access control

ConstantDefaultDescription
MAXI_AI_OAUTH_REQUIRED_CAPmanage_optionsThe WordPress capability a user must hold to see and approve the OAuth consent page.
MAXI_AI_OAUTH_CLOCK_SKEWSeconds of clock skew tolerance when validating token expiry. Increase this if your server clock is slightly out of sync with client clocks.

Rate limiting

ConstantDescription
MAXI_AI_OAUTH_DCR_RATE_LIMITMaximum Dynamic Client Registration (DCR) registrations allowed per IP address per hour.
MAXI_AI_OAUTH_TOKEN_RATE_LIMITMaximum requests to the token endpoint allowed per IP address per hour.

Token lifetimes

ConstantDescription
MAXI_AI_OAUTH_CODE_TTLAuthorization code lifetime in seconds. Codes are single-use.
MAXI_AI_OAUTH_ACCESS_TTLAccess token lifetime in seconds. Short by design — MCP clients refresh transparently.
MAXI_AI_OAUTH_REFRESH_TTLRefresh token lifetime in seconds. Rotated on every use.

Retention and cleanup

ConstantDescription
MAXI_AI_OAUTH_REVOKED_RETENTIONHow long revoked tokens are retained in the database for forensic review, in seconds.
MAXI_AI_OAUTH_DCR_GC_AGEAge at which a registered client that has never been used is automatically deleted, in seconds.

Data masking

ConstantDefaultDescription
MAXI_AI_DATA_MASKINGtrueControls whether PII masking is active. Set to false to disable masking entirely and allow full field values to reach AI agents. See GDPR data masking for details.
Setting MAXI_AI_DATA_MASKING to false means AI providers will receive unredacted personal data such as names, email addresses, and shipping details. Only disable masking if your use case requires it and you understand the privacy implications.

WP-CLI write groups

Read-only WP-CLI commands are always permitted. Write commands are blocked by default and must be explicitly unlocked by defining the corresponding constant. Each constant enables a specific group of commands.
All WP-CLI constants are false by default. You only need to define the ones for the write groups you actually want to allow.
ConstantCommands enabled
MAXI_AI_WP_CLI_ALLOW_CACHE_WRITEScache flush, transient delete, cron management, rewrite flush
MAXI_AI_WP_CLI_ALLOW_CONTENT_WRITESpost create/update/delete, term writes, menu management
MAXI_AI_WP_CLI_ALLOW_USER_WRITESuser create, user update
MAXI_AI_WP_CLI_ALLOW_OPTION_WRITESoption add, option update, option delete
MAXI_AI_WP_CLI_ALLOW_DB_READSdb query (SELECT-only) and db export
For a full explanation of WP-CLI access controls — including the DB query blocklist and hard-banned commands — see WP-CLI access.

Example wp-config.php snippet

The following example shows a representative set of constants. Copy only the ones you need and adjust the values to suit your site.
// Maxi AI Core configuration

// Customize the license re-validation interval (in seconds)
define( 'MAXI_AI_LICENSE_CHECK_INTERVAL', 21600 );

// Customize the OAuth access token lifetime (in seconds)
define( 'MAXI_AI_OAUTH_ACCESS_TTL', 3600 );

// Allow agents to flush the cache and manage transients via WP-CLI
define( 'MAXI_AI_WP_CLI_ALLOW_CACHE_WRITES', true );

// Allow SELECT-only db queries and db export via WP-CLI
define( 'MAXI_AI_WP_CLI_ALLOW_DB_READS', true );

/* That's all, stop editing! Happy publishing. */