> ## Documentation Index
> Fetch the complete documentation index at: https://docs.maxicore.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect AI clients with WordPress application passwords

> Use WordPress application passwords to connect AI clients or automation scripts to Maxi AI Core when browser-based OAuth is not practical.

Application passwords are WordPress's built-in credential mechanism for REST API access. They're the right choice for scripted clients, automation pipelines, and other situations where opening a browser for an OAuth consent flow is not practical. If you upgraded to Maxi AI Core v3.6 from an earlier version, any existing application password connections keep working without any changes.

## When to use application passwords

Use application passwords when:

* You're building an automation script or CI pipeline that calls the MCP endpoint programmatically
* Your client doesn't support OAuth browser flows
* You prefer to manage credentials explicitly rather than through the OAuth consent flow

For interactive AI clients like ChatGPT, Claude Desktop, Cursor, and Codex, [OAuth 2.1](/connect/oauth) is simpler — one URL paste replaces all the steps below.

## Creating an application password

<Steps>
  <Step title="Open your WordPress user profile">
    Go to **WordPress Admin → Users → Profile**. If you're setting up a dedicated agent user, navigate to that user's profile instead.
  </Step>

  <Step title="Find Application Passwords">
    Scroll down to the **Application Passwords** section near the bottom of the profile page.
  </Step>

  <Step title="Name your application password">
    Enter a descriptive name in the **New Application Password Name** field — for example, `Claude Desktop Agent` or `CI Pipeline`. The name helps you identify and revoke specific credentials later.
  </Step>

  <Step title="Generate and copy the password">
    Click **Add New Application Password**. WordPress displays the generated password once. Copy it immediately — it will not be shown again.
  </Step>
</Steps>

<Warning>
  WordPress application passwords are shown only once at creation. Store the password securely before leaving the page.
</Warning>

## Authenticating requests

Pass the application password as HTTP Basic authentication. Encode the username and password separated by a colon (`username:app-password`) in base64:

```bash theme={null}
Authorization: Basic base64(username:app-password)
```

For example, using `curl`:

```bash theme={null}
curl -X POST https://yoursite.com/wp-json/mcp/mcp-adapter-default-server \
  -H "Authorization: Basic $(echo -n 'yourusername:xxxx xxxx xxxx xxxx xxxx xxxx' | base64)" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"maxi/bootstrap-session","arguments":{}},"id":1}'
```

<Note>
  WordPress application passwords include spaces in the displayed format (e.g., `xxxx xxxx xxxx xxxx xxxx xxxx`). Include them as-is when encoding — WordPress accepts both the spaced and unspaced forms.
</Note>

## MCP endpoint

The MCP endpoint URL is the same regardless of authentication method:

```
https://yoursite.com/wp-json/mcp/mcp-adapter-default-server
```

Replace `yoursite.com` with your domain. You can copy this URL from **Settings → AI Connections → Settings**.

## Session identity with Mcp-Session-Id

For scripted clients that make multiple calls in a single logical working unit, send a consistent `Mcp-Session-Id` header throughout the session:

```bash theme={null}
Mcp-Session-Id: your-session-identifier
```

This header scopes session state — including rule acknowledgements and playbook acknowledgements — to a single working unit. Use a stable identifier per logical session (for example, a UUID you generate at the start of each run), not a per-request value.

<Tip>
  If your client doesn't send `Mcp-Session-Id`, Maxi AI Core still works, but you may need to re-acknowledge rules and playbooks more frequently.
</Tip>

## Using a dedicated WordPress user

Create a separate WordPress user for each AI agent or automation script, and assign only the capabilities that agent actually needs. This limits what a compromised or misbehaving agent can do.

Common capability sets:

| Agent type      | Suggested capabilities                                                     |
| --------------- | -------------------------------------------------------------------------- |
| Read-only agent | `read`, `edit_posts`                                                       |
| Content agent   | `read`, `edit_posts`, `publish_posts`, `upload_files`, `manage_categories` |
| Store agent     | `edit_products`, `manage_woocommerce`                                      |
| Admin agent     | `manage_options` — only when the agent needs system-level abilities        |

See [User scoping](/security/user-scoping) for the full capability mapping.

## Upgrading from earlier versions

If your site already uses application passwords with Maxi AI Core, upgrading to v3.6 requires no changes. OAuth is purely additive — the Bearer token hook only runs when a Bearer token is present. Requests using Basic authentication continue through WordPress's normal authentication pipeline without any modification.
