Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.maxicore.ai/llms.txt

Use this file to discover all available pages before exploring further.

Application passwords are WordPress’s built-in credential mechanism for REST API access. They’re the right choice for scripted clients, automation pipelines, and other situations where opening a browser for an OAuth consent flow is not practical. If you upgraded to Maxi AI Core v3.6 from an earlier version, any existing application password connections keep working without any changes.

When to use application passwords

Use application passwords when:
  • You’re building an automation script or CI pipeline that calls the MCP endpoint programmatically
  • Your client doesn’t support OAuth browser flows
  • You prefer to manage credentials explicitly rather than through the OAuth consent flow
For interactive AI clients like ChatGPT, Claude Desktop, Cursor, and Codex, OAuth 2.1 is simpler — one URL paste replaces all the steps below.

Creating an application password

1

Open your WordPress user profile

Go to WordPress Admin → Users → Profile. If you’re setting up a dedicated agent user, navigate to that user’s profile instead.
2

Find Application Passwords

Scroll down to the Application Passwords section near the bottom of the profile page.
3

Name your application password

Enter a descriptive name in the New Application Password Name field — for example, Claude Desktop Agent or CI Pipeline. The name helps you identify and revoke specific credentials later.
4

Generate and copy the password

Click Add New Application Password. WordPress displays the generated password once. Copy it immediately — it will not be shown again.
WordPress application passwords are shown only once at creation. Store the password securely before leaving the page.

Authenticating requests

Pass the application password as HTTP Basic authentication. Encode the username and password separated by a colon (username:app-password) in base64: 
Authorization: Basic base64(username:app-password)
For example, using curl: 
curl -X POST https://yoursite.com/wp-json/mcp/mcp-adapter-default-server \
  -H "Authorization: Basic $(echo -n 'yourusername:xxxx xxxx xxxx xxxx xxxx xxxx' | base64)" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"maxi/bootstrap-session","arguments":{}},"id":1}'
WordPress application passwords include spaces in the displayed format (e.g., xxxx xxxx xxxx xxxx xxxx xxxx). Include them as-is when encoding — WordPress accepts both the spaced and unspaced forms.

MCP endpoint

The MCP endpoint URL is the same regardless of authentication method: 
https://yoursite.com/wp-json/mcp/mcp-adapter-default-server
Replace yoursite.com with your domain. You can copy this URL from Settings → AI Connections → Settings.

Session identity with Mcp-Session-Id

For scripted clients that make multiple calls in a single logical working unit, send a consistent Mcp-Session-Id header throughout the session: 
Mcp-Session-Id: your-session-identifier
This header scopes session state — including rule acknowledgements and playbook acknowledgements — to a single working unit. Use a stable identifier per logical session (for example, a UUID you generate at the start of each run), not a per-request value.
If your client doesn’t send Mcp-Session-Id, Maxi AI Core still works, but you may need to re-acknowledge rules and playbooks more frequently.

Using a dedicated WordPress user

Create a separate WordPress user for each AI agent or automation script, and assign only the capabilities that agent actually needs. This limits what a compromised or misbehaving agent can do. Common capability sets:
Agent typeSuggested capabilities
Read-only agentread, edit_posts
Content agentread, edit_posts, publish_posts, upload_files, manage_categories
Store agentedit_products, manage_woocommerce
Admin agentmanage_options — only when the agent needs system-level abilities
See User scoping for the full capability mapping.

Upgrading from earlier versions

If your site already uses application passwords with Maxi AI Core, upgrading to v3.6 requires no changes. OAuth is purely additive — the Bearer token hook only runs when a Bearer token is present. Requests using Basic authentication continue through WordPress’s normal authentication pipeline without any modification.