OAuth 2.1 is the recommended way to connect AI clients to your WordPress site. You paste one URL into your AI client, a browser consent page opens, you click Authorize, and the client stores its token automatically. No application passwords, no manual token management — the client handles all future reconnections on its own.
Your MCP endpoint URL
Every Maxi AI Core installation exposes a single MCP endpoint:

Replace yoursite.com with your actual domain. You can copy this URL directly from Settings → AI Connections → Settings using the copy button.
Connecting a client
Copy your MCP endpoint URL
Go to Settings → AI Connections → Settings in your WordPress admin. Click the copy button next to the MCP endpoint URL.
Paste the URL into your AI client
Open your AI client (ChatGPT, Claude Desktop, Cursor, Codex, etc.) and paste the URL into the MCP connection field. The exact field name varies by client — look for “MCP server URL” or similar.
Let the client discover the auth server
The client sends a request to the endpoint, receives a 401 response pointing to your site’s OAuth discovery URL, and automatically discovers the authorization endpoints. No manual configuration needed.
Authorize in the browser
Your browser opens a consent page. If you’re not already logged in to WordPress, log in first. The consent page shows the client’s name, the permissions it’s requesting, and your current WordPress user identity. Click Authorize.
The consent page uses your WordPress login. The capability required to authorize defaults to manage_options (administrator). You can change this under Settings → AI Connections → Settings.
Token lifetimes
Maxi AI Core uses short-lived access tokens by design. A shorter access token window means a stolen token becomes useless quickly — and your AI client handles the refresh transparently.

| Token | Lifetime | Notes |
|---|---|---|
| Access token | 2 hours | Clients auto-refresh before expiry — no action needed |
| Refresh token | 60 days | Rotated on every use; a new refresh token is issued each time |
Managing connected clients
Connected Clients tab
Go to Settings → AI Connections → Connected Clients to see every AI client that has registered with your site. For each client you can:

- View the client name and when it last made a request
- Revoke all tokens for that client, forcing it to re-authorize next time
- Delete the client entirely, removing its registration
Active Sessions tab
The Active Sessions tab shows every non-expired, non-revoked token on your site, grouped by WordPress user. From here you can:

- Revoke individual tokens per session
- Click Revoke all sessions for this user to immediately invalidate all tokens for a given WordPress account — useful when an account is compromised
Settings
Go to Settings → AI Connections → Settings to configure OAuth behavior:

| Setting | Default | Description |
|---|---|---|
| Auto-approve client registration | On | AI clients register automatically when they first connect. Turn this off to require manual approval for each new client. |
| Required capability | manage_options | The WordPress capability a user must have to see and approve the consent page. |
Disabling OAuth
If you need to fall back to application passwords entirely, add this line to wp-config.php:
Hosts that block .well-known paths
Some hosting environments (certain LiteSpeed and nginx configurations) block paths starting with a dot, which can interfere with standard OAuth discovery. Maxi AI Core handles this automatically — the WWW-Authenticate header points to a fallback discovery URL under /wp-json/maxi-ai-oauth/v1/discovery/ that works everywhere. You don’t need to do anything; OAuth discovery works on all supported hosts.
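
A sanity check for the discovery step and the fallback URL described above, as an added example (not Maxi AI Core's own code): it parses the 401 response's WWW-Authenticate header and confirms that the advertised discovery URL is HTTPS and on the same host as the MCP endpoint. It assumes the URL is carried in the RFC 9728 `resource_metadata` parameter, which this page does not state; the endpoint path and the segment after discovery/ are placeholders.

```python
import re
from urllib.parse import urlsplit

# Path prefix of the fallback discovery URL, taken from this page.
FALLBACK_PREFIX = "/wp-json/maxi-ai-oauth/v1/discovery/"
# Assumption: the challenge uses the RFC 9728 `resource_metadata` parameter.
PARAM = "resource_metadata"
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')
# Constructed samples; the endpoint path and the part after discovery/ are placeholders.
ENDPOINT = "https://yoursite.com/MCP-ENDPOINT-PLACEHOLDER"
GOOD = f'Bearer resource_metadata="https://yoursite.com{FALLBACK_PREFIX}PLACEHOLDER"'
FOREIGN = f'Bearer resource_metadata="https://login.example.net{FALLBACK_PREFIX}PLACEHOLDER"'


def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer challenge as a dict (keys lowercased)."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {}
    for name, quoted, token in _AUTH_PARAM.findall(rest):
        # Undo backslash escapes in quoted-string values.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        params[name.lower()] = value
    return params


def check_discovery(endpoint_url, www_authenticate):
    """Return (discovery_url, kind) or raise ValueError if it should not be trusted."""
    url = parse_bearer_challenge(www_authenticate).get(PARAM)
    if not url:
        raise ValueError("challenge has no discovery URL")
    site, target = urlsplit(endpoint_url), urlsplit(url)
    if target.scheme != "https":
        raise ValueError("discovery URL is not HTTPS")
    if (target.hostname, target.port or 443) != (site.hostname, site.port or 443):
        raise ValueError("discovery URL points at a different host")
    if target.path.startswith(FALLBACK_PREFIX):
        return url, "fallback"
    if target.path.startswith("/.well-known/"):
        return url, "well-known"
    return url, "other"


if __name__ == "__main__":
    for sample in (GOOD, FOREIGN):
        try:
            print(check_discovery(ENDPOINT, sample))
        except ValueError as err:
            print("rejected:", err)
```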