Authentication
All AdminLocks REST API endpoints live under the adminlocks/v1 namespace and require authentication. Every endpoint requires the manage_options capability, which means only WordPress administrators can access the API.
Two authentication methods are supported:
- WordPress Application Passwords — recommended for external integrations, CI/CD pipelines, and scripts. Pass credentials via HTTP Basic Auth.
- Cookie Nonce Authentication — used automatically by the WordPress admin interface. Pass the nonce in the X-WP-Nonce header.
Application Password Example
# Using application passwords (recommended for external tools)
curl -X GET "https://yoursite.com/wp-json/adminlocks/v1/audit-log" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX"
To generate an application password, go to Users > Your Profile in WordPress admin and scroll to the Application Passwords section. Give the password a descriptive name like "AdminLocks API" and click Add New.
Cookie Nonce Example
// JavaScript within the WordPress admin
fetch('/wp-json/adminlocks/v1/audit-log', {
headers: {
'X-WP-Nonce': wpApiSettings.nonce
}
})
Never expose application passwords in client-side code or public repositories. Use environment variables or a secrets manager for production integrations.
Complete Endpoint Table
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /adminlocks/v1/audit-log | List audit log entries with filtering and pagination |
| DELETE | /adminlocks/v1/audit-log | Purge all audit log entries |
| GET | /adminlocks/v1/audit-log/export | Export audit log as CSV |
| GET | /adminlocks/v1/policies | List all policies |
| POST | /adminlocks/v1/policies | Create a new policy |
| GET | /adminlocks/v1/policies/{id} | Get a single policy by ID |
| PUT | /adminlocks/v1/policies/{id} | Update an existing policy |
| DELETE | /adminlocks/v1/policies/{id} | Delete a policy |
| GET | /adminlocks/v1/approvals | List approval requests |
| POST | /adminlocks/v1/approvals | Create a new approval request |
| PUT | /adminlocks/v1/approvals/{id} | Review (approve/deny) a request |
| GET | /adminlocks/v1/snapshots | List snapshots |
| POST | /adminlocks/v1/snapshots | Create a new snapshot |
| DELETE | /adminlocks/v1/snapshots/{id} | Delete a snapshot |
| GET | /adminlocks/v1/portal-requests | List client portal requests |
| PUT | /adminlocks/v1/portal-requests/{id} | Update a portal request status |
| GET | /adminlocks/v1/settings | Get plugin settings |
| PUT | /adminlocks/v1/settings | Update plugin settings |
| GET | /adminlocks/v1/dashboard | Get dashboard summary data |
| POST | /adminlocks/v1/cloud-webhook | Receive inbound Cloud webhooks (HMAC auth) |
Audit Log
List Entries
GET /adminlocks/v1/audit-log
Returns a paginated list of audit log entries. Supports extensive filtering via query parameters.
| Parameter | Type | Default | Description |
|---|---|---|---|
| per_page | integer | 20 | Number of entries per page (max 100) |
| page | integer | 1 | Page number for pagination |
| event_type | string | — | Filter by event type (e.g., login, plugin_activated, option_updated) |
| severity | string | — | Filter by severity: info, warning, critical |
| search | string | — | Full-text search across event descriptions and metadata |
| date_from | string | — | ISO 8601 date string for start of date range |
| date_to | string | — | ISO 8601 date string for end of date range |
| orderby | string | created_at | Column to sort by (created_at, severity, event_type) |
| order | string | DESC | Sort direction: ASC or DESC |
# Get critical events from the last 7 days
curl -X GET "https://yoursite.com/wp-json/adminlocks/v1/audit-log?\
severity=critical&date_from=2026-02-26T00:00:00Z&per_page=50" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX"
Response:
{
"items": [
{
"id": 1042,
"event_type": "plugin_deleted",
"severity": "critical",
"description": "Plugin \"hello-dolly\" was deleted",
"actor_id": 3,
"actor_name": "clientuser",
"actor_role": "editor",
"object_type": "plugin",
"object_id": "hello-dolly/hello.php",
"ip_address": "192.168.1.100",
"metadata": {},
"created_at": "2026-03-01T14:23:11Z"
}
],
"total": 1,
"pages": 1
}
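The script below is an added example, not code from AdminLocks: it reads the application password from the environment, enforces the documented per_page cap and severity values on the client side, and follows the "pages" field until the whole result set is collected. The WP_USER and WP_APP_PASSWORD variable names, the yoursite.com host and the fake_fetch data are assumptions made for the example.

```python
import base64
import json
import os
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical names: BASE host and the WP_USER / WP_APP_PASSWORD variables.
BASE = "https://yoursite.com/wp-json/adminlocks/v1/audit-log"
SEVERITIES = {"info", "warning", "critical"}

def basic_auth_header(user, app_password):
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def build_url(page, per_page=100, **filters):
    if not 1 <= per_page <= 100:  # the API caps per_page at 100
        raise ValueError("per_page must be between 1 and 100")
    if filters.get("severity") not in SEVERITIES | {None}:
        raise ValueError("severity must be info, warning or critical")
    params = {k: v for k, v in filters.items() if v is not None}
    params.update(page=page, per_page=per_page)
    return f"{BASE}?{urlencode(params)}"

def http_fetch(url):
    # Real transport: credentials come from the environment, never from source.
    headers = basic_auth_header(os.environ["WP_USER"], os.environ["WP_APP_PASSWORD"])
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def fetch_all(fetch=http_fetch, per_page=100, **filters):
    # Follow the "pages" field of each response until every page is read.
    items, page, pages = [], 1, 1
    while page <= pages:
        body = fetch(build_url(page, per_page, **filters))
        items.extend(body["items"])
        pages = int(body["pages"])
        page += 1
    return items

def fake_fetch(url):
    # Constructed stand-in for the server: three events, sliced by page.
    q = parse_qs(urlsplit(url).query)
    page, size = int(q["page"][0]), int(q["per_page"][0])
    rows = [{"id": i, "severity": "critical"} for i in (1040, 1041, 1042)]
    chunk = rows[(page - 1) * size : page * size]
    return {"items": chunk, "total": len(rows), "pages": -(-len(rows) // size)}

if __name__ == "__main__":
    print(len(fetch_all(fake_fetch, per_page=2, severity="critical")))
```

Calling fetch_all() without the fetch argument uses http_fetch against the live site.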
Export CSV
GET /adminlocks/v1/audit-log/export
Returns all audit log entries as a CSV file download. Accepts the same filtering parameters as the list endpoint. The response has Content-Type: text/csv and includes a Content-Disposition header for download.
Purge Log
DELETE /adminlocks/v1/audit-log
Permanently deletes all audit log entries. This action is irreversible and is itself recorded as a new audit event.
Policies
List Policies
GET /adminlocks/v1/policies
curl -X GET "https://yoursite.com/wp-json/adminlocks/v1/policies" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX"
Response:
[
{
"id": 1,
"name": "Agency Client Lockdown",
"slug": "agency-client-lockdown",
"description": "Standard restrictions for editor-role clients",
"roles": "editor",
"is_active": true,
"priority": 10,
"rules": {
"deny_menus": ["plugins.php", "themes.php"],
"deny_capabilities": ["install_plugins", "switch_themes"]
},
"created_at": "2026-01-15T09:00:00Z",
"updated_at": "2026-02-20T11:30:00Z"
}
]
Create Policy
POST /adminlocks/v1/policies
curl -X POST "https://yoursite.com/wp-json/adminlocks/v1/policies" \
-H "Content-Type: application/json" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX" \
-d '{
"name": "Content Editor Policy",
"slug": "content-editor",
"description": "Restricts editors to content management only",
"roles": "editor,author",
"is_active": true,
"priority": 20,
"rules": {
"deny_menus": ["plugins.php", "themes.php", "tools.php"],
"deny_pages": ["plugin-install.php", "theme-install.php"],
"deny_capabilities": ["install_plugins", "switch_themes"]
}
}'
Update Policy
PUT /adminlocks/v1/policies/{id}
Accepts the same fields as create. Only include the fields you want to update — omitted fields retain their current values.
Delete Policy
DELETE /adminlocks/v1/policies/{id}
Permanently removes the policy. Any restrictions it was enforcing are lifted immediately.
Approvals
List Approvals
GET /adminlocks/v1/approvals
Returns all approval requests. Supports a status filter with the values pending, approved, denied, and expired.
curl -X GET "https://yoursite.com/wp-json/adminlocks/v1/approvals?status=pending" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX"
Create Approval Request
POST /adminlocks/v1/approvals
curl -X POST "https://yoursite.com/wp-json/adminlocks/v1/approvals" \
-H "Content-Type: application/json" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX" \
-d '{
"action_type": "plugin_install",
"action_label": "Install WooCommerce",
"description": "Client needs e-commerce functionality",
"requested_by": 3
}'
Review Approval
PUT /adminlocks/v1/approvals/{id}
curl -X PUT "https://yoursite.com/wp-json/adminlocks/v1/approvals/5" \
-H "Content-Type: application/json" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX" \
-d '{
"status": "approved",
"note": "Approved — WooCommerce is safe to install"
}'
Snapshots
List Snapshots
GET /adminlocks/v1/snapshots
Returns all site snapshots with metadata including label, file size, and creation date.
Create Snapshot
POST /adminlocks/v1/snapshots
curl -X POST "https://yoursite.com/wp-json/adminlocks/v1/snapshots" \
-H "Content-Type: application/json" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX" \
-d '{
"label": "Pre-update snapshot March 2026"
}'
Delete Snapshot
DELETE /adminlocks/v1/snapshots/{id}
Deletes the snapshot record and its associated file from disk.
Portal Requests
GET /adminlocks/v1/portal-requests — list all requests submitted through the client portal.
PUT /adminlocks/v1/portal-requests/{id} — update a request's status (e.g., mark as completed or rejected).
curl -X PUT "https://yoursite.com/wp-json/adminlocks/v1/portal-requests/12" \
-H "Content-Type: application/json" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX" \
-d '{
"status": "completed",
"response_note": "Logo has been updated as requested"
}'
Settings
GET /adminlocks/v1/settings — retrieve current plugin settings.
PUT /adminlocks/v1/settings — update plugin settings.
curl -X PUT "https://yoursite.com/wp-json/adminlocks/v1/settings" \
-H "Content-Type: application/json" \
-u "admin:XXXX XXXX XXXX XXXX XXXX XXXX" \
-d '{
"audit_enabled": true,
"audit_retention_days": 14,
"cloud_api_key": "ak_live_xxxxxxxxxxxx",
"snapshot_retention_days": 30,
"portal_enabled": true
}'
Dashboard
GET /adminlocks/v1/dashboard
Returns aggregated dashboard data including active policy count, recent audit events, pending approvals, and snapshot count. Used internally by the AdminLocks dashboard widget.
{
"active_policies": 3,
"total_audit_events": 1247,
"pending_approvals": 2,
"snapshots": 5,
"recent_events": [...]
}
Cloud Webhook
POST /adminlocks/v1/cloud-webhook
This endpoint receives inbound webhooks from AdminLocks Cloud. Unlike other endpoints, it does not use WordPress authentication. Instead, it validates an HMAC-SHA256 signature sent in the X-AdminLocks-Signature header.
The request body is signed using your site's Cloud API key. AdminLocks computes hash_hmac('sha256', $body, $api_key) and compares it to the signature header value.
# Example cloud webhook call (sent by AdminLocks Cloud)
curl -X POST "https://yoursite.com/wp-json/adminlocks/v1/cloud-webhook" \
-H "Content-Type: application/json" \
-H "X-AdminLocks-Signature: a1b2c3d4e5f6..." \
-d '{
"action": "approval_reviewed",
"data": {
"approval_id": 5,
"status": "approved",
"note": "Approved from Cloud dashboard"
}
}'
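The signature check described above, written out in Python as an added example (not AdminLocks' own code). The API key and body are constructed placeholders, and the example assumes the header carries the lowercase hex digest that PHP's hash_hmac returns by default.

```python
import hashlib
import hmac
import json

# Constructed sample values; the key is a placeholder, not a real credential.
API_KEY = "ak_live_example_key_for_docs"
RAW_BODY = b'{"action":"approval_reviewed","data":{"approval_id":5,"status":"approved"}}'


def sign(body: bytes, api_key: str) -> str:
    """Equivalent of PHP hash_hmac('sha256', $body, $api_key): lowercase hex."""
    return hmac.new(api_key.encode(), body, hashlib.sha256).hexdigest()


def verify(body: bytes, header_value, api_key: str) -> bool:
    """True only if the header matches the HMAC of the exact raw request bytes."""
    if not header_value or not api_key:
        # Fail closed: a missing header or an unset key must never validate.
        return False
    expected = sign(body, api_key)
    # compare_digest takes constant time, so the mismatch position is not leaked.
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())


def demo() -> dict:
    sig = sign(RAW_BODY, API_KEY)
    tampered = RAW_BODY.replace(b'"approved"', b'"denied"')
    # Parsing and re-encoding changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "valid": verify(RAW_BODY, sig, API_KEY),
        "tampered": verify(tampered, sig, API_KEY),
        "reserialized": verify(reserialized, sig, API_KEY),
        "missing_header": verify(RAW_BODY, None, API_KEY),
        "empty_key": verify(RAW_BODY, sign(RAW_BODY, ""), ""),
    }


if __name__ == "__main__":
    print(demo())
```

The reserialized case is the usual integration failure: the signature covers the body bytes as sent, so verify before decoding the JSON.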
For complete webhook documentation including all supported actions and payload formats, see the Webhook Configuration guide.