Every AI agent that connects to your site should do so as its own WordPress user. This is the single most effective way to limit what an agent can do if it behaves unexpectedly, makes a mistake, or is compromised. Maxi AI Core enforces WordPress capability checks on every ability call — those checks only work as intended when each agent operates as a distinct, minimally-capable user.

Why it matters

When an agent connects as your personal admin account, any mistake it makes has the same impact as if you made it yourself — full site access. When it connects as a scoped user, the damage is limited to what that user’s role allows. This principle — least privilege — applies equally to human users and AI agents.
Treat each AI agent like a contractor with a badge that grants access only to the rooms they need. Don’t hand them the master key.
These patterns cover the most common agent configurations. Start with the narrowest scope that lets the agent do its job.
Capabilities: read + edit_posts
Covers all list, get, and describe abilities. The agent can read content, browse taxonomy terms, inspect media, and query WooCommerce data it has been granted access to. It can also save draft content.
Use this for agents that monitor, report, or suggest — anything that does not need to publish or modify live content.

Capabilities: read + edit_posts + publish_posts + upload_files + manage_categories
Adds the ability to publish posts, upload media, and manage taxonomy terms. Use this for agents that create and manage site content, including images and attachments.

Capabilities: read + edit_posts + publish_posts + upload_files + manage_categories + edit_products + manage_woocommerce
Adds WooCommerce product management and order/coupon/shipping operations. Use this for agents that run store workflows — updating product listings, processing orders, or managing coupons.

Capabilities: manage_options (administrator role)
Only use this when the agent genuinely needs administrator-level abilities: maxi/update-ai-settings, maxi/rotate-provider-key, maxi/run-wp-cli, or maxi/flush-cache. For everything else, use one of the scoped patterns above.
Administrator access means the agent can change plugin settings, rotate API keys, and run WP-CLI commands. Grant this scope only to agents you trust and monitor closely.

The write gate

Content-mutating abilities (maxi/create-content, maxi/update-content, maxi/delete-content, maxi/duplicate-content, maxi/change-status, maxi/schedule-content, maxi/set-author, maxi/set-parent) require the WordPress user to have manage_options. This is enforced in PHP — no configuration or rule can override it. A non-admin agent is read-only and notes-only for content. It can read anything and add notes, but cannot modify live site content.
This is intentional. If you want an agent to publish and edit content, connect it as an administrator. If you want it to draft and suggest, a non-admin user is sufficient.

Creating a dedicated user

1. Create the WordPress user

In your WordPress admin, go to Users → Add New. Give the user a clear name that identifies its purpose (for example, agent-content or agent-store). Assign the role that most closely matches the capability pattern you need — Editor for content agents, Shop Manager for store agents, Administrator only when required.

2. Create an application password

Open the user’s profile (Users → All Users → edit). Scroll to the Application Passwords section. Enter a name for the password (for example, the name of the AI client), click Add New Application Password, and copy the generated password immediately — it is not shown again.

3. Connect the AI client

Use this user’s login and application password when configuring the AI client. With OAuth 2.1, the user who completes the browser consent flow becomes the user the agent acts as — make sure the right user is logged into WordPress when authorizing.

OAuth and user identity

When an AI client connects via OAuth 2.1, the WordPress user who clicks Authorize on the consent page is the user the agent acts as for all subsequent ability calls. To connect an agent as a scoped user rather than your personal admin account, log into WordPress as that scoped user before starting the OAuth flow. The agent’s effective identity is determined at authorization time and is bound to the access token. You can see which user is associated with each connected client in Settings → AI Connections → Connected Clients.

Reviewing agent permissions

To check what the current connected user can do, agents can call maxi/get-current-user. The response includes the user’s ID, roles, and relevant capabilities. Use this as a quick sanity check when debugging unexpected permission errors.
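
One way to turn this sanity check into a repeatable least-privilege audit, shown as an added example that is not Maxi AI Core code. The capability sets are the patterns listed on this page; the pattern labels, the function names, and the response field names (`id`, `roles`, `capabilities`) are assumptions, so adjust them to the response your site actually returns.

```python
import json

# Capability patterns as listed on this page. The pattern names are labels
# chosen for this example, not identifiers from Maxi AI Core.
_READ = {"read", "edit_posts"}
_CONTENT = _READ | {"publish_posts", "upload_files", "manage_categories"}
_STORE = _CONTENT | {"edit_products", "manage_woocommerce"}
PATTERNS = {"read_only": _READ, "content": _CONTENT, "store": _STORE,
            "admin": {"manage_options"}}


def granted_caps(user):
    """Return only the capabilities that are actually granted."""
    caps = user.get("capabilities", {})
    if isinstance(caps, dict):      # WordPress-style map: name -> bool
        return {name for name, on in caps.items() if on}
    return set(caps)                # plain list of capability names


def audit(response_text, intended):
    """Compare a maxi/get-current-user response with the intended pattern."""
    user = json.loads(response_text)
    have = granted_caps(user)
    want = PATTERNS[intended]
    scoped = intended != "admin"
    return {
        "user_id": user.get("id"),
        "missing": sorted(want - have),
        # An administrator is expected to hold every capability, so excess
        # is only reported for the scoped patterns.
        "excess": sorted(have - want) if scoped else [],
        # Write gate: content-mutating abilities require manage_options.
        "write_gate_open": "manage_options" in have,
        "ok": want <= have and (not scoped or have <= want),
    }


# Constructed sample response (assumed field names): a content agent that
# was accidentally granted manage_options.
SAMPLE = json.dumps({
    "id": 42,
    "roles": ["editor"],
    "capabilities": {"read": True, "edit_posts": True, "publish_posts": True,
                     "upload_files": True, "manage_categories": True,
                     "manage_options": True, "edit_products": False},
})

if __name__ == "__main__":
    print(audit(SAMPLE, "content"))
```

Any non-empty `excess` list, or `write_gate_open` being true for an agent meant to draft and suggest, means the user holds more than its pattern calls for.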