{"id":283845,"date":"2026-06-28T19:19:39","date_gmt":"2026-06-28T19:19:39","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/ai-connect\/"},"modified":"2026-06-28T19:27:24","modified_gmt":"2026-06-28T19:27:24","slug":"goldt-webmcp-bridge","status":"publish","type":"plugin","link":"https:\/\/as.wordpress.org\/plugins\/goldt-webmcp-bridge\/","author":23455381,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"7.0","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"GoldT WebMCP Bridge","header_author":"chagold","header_description":"Bridge for 8 AI agents (Claude, ChatGPT, Grok, more) via WebMCP with OAuth 2.0","assets_banners_color":"6f5d44","last_updated":"2026-06-28 19:27:24","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/goldt-webmcp-bridge.gold-t.co.il\/","header_author_uri":"https:\/\/github.com\/chgold","rating":0,"author_block_rating":0,"active_installs":0,"downloads":44,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"chagold","date":"2026-06-28 19:27:24"}},"upgrade_notice":{"0.3.2":"<p>Security fix: &quot;Revoke All Tokens&quot; button now works correctly. WordPress.org compliance improvements. Upgrade recommended.<\/p>","0.3.0":"<p>New Translation Provider setting lets you choose between AI self-translate, MyMemory API, or disabled. OAuth client_id is now optional and supports fuzzy matching.<\/p>","0.2.1":"<p>Critical security update: OAuth scope validation now enforced. Users must explicitly approve each permission level. WordPress.org compliance improvements.<\/p>","0.2.0":"<p>Security update: OAuth 2.0 authentication now enabled. See documentation for setup guide.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3589191,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3589191,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3589191,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3589191,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3589191,"resolution":"1","location":"assets","locale":"","width":1920,"height":798},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3589191,"resolution":"2","location":"assets","locale":"","width":1920,"height":798},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3589191,"resolution":"3","location":"assets","locale":"","width":1920,"height":798},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3589191,"resolution":"4","location":"assets","locale":"","width":1920,"height":798}},"screenshots":{"1":"Dashboard - System status and quick access to settings","2":"Settings - Security controls, rate limits, user management","3":"WebMCP Manifest - Auto-generated tool definitions","4":"API Response - Example JSON response from API call"}},"plugin_section":[],"plugin_tags":[2353,232494,2061,23853,258453],"plugin_category":[38],"plugin_contributors":[269315],"plugin_business_model":[],"class_list":["post-283845","plugin","type-plugin","status-publish","hentry","plugin_tags-ai","plugin_tags-ai-agent","plugin_tags-oauth","plugin_tags-rest-api","plugin_tags-webmcp","plugin_category-authentication","plugin_contributors-chagold","plugin_committers-chagold"],"banners":{"banner":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/banner-772x250.png?rev=3589191","banner_2x":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/banner-1544x500.png?rev=3589191","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/icon-128x128.png?rev=3589191","icon_2x":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/icon-256x256.png?rev=3589191","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/screenshot-1.png?rev=3589191","caption":"Dashboard - System status and quick access to settings"},{"src":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/screenshot-2.png?rev=3589191","caption":"Settings - Security controls, rate limits, user management"},{"src":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/screenshot-3.png?rev=3589191","caption":"WebMCP Manifest - Auto-generated tool definitions"},{"src":"https:\/\/ps.w.org\/goldt-webmcp-bridge\/assets\/screenshot-4.png?rev=3589191","caption":"API Response - Example JSON response from API call"}],"raw_content":"<!--section=description-->\n<p><strong>GoldT WebMCP Bridge<\/strong> enables AI agents to interact with your WordPress content through secure OAuth 2.0 authentication using the WebMCP protocol.<\/p>\n\n<p>Perfect for AI-powered customer support, automated content analysis, intelligent search, and custom AI integrations.<\/p>\n\n<h4>\u2728 Features<\/h4>\n\n<ul>\n<li><strong>WebMCP Protocol Support<\/strong> - Industry-standard AI integration<\/li>\n<li><strong>Secure OAuth 2.0<\/strong> - Same security standard as Google, Facebook, GitHub - your passwords stay safe<\/li>\n<li><strong>8 Pre-registered AI Clients<\/strong> - Claude, ChatGPT, Gemini, Grok, Perplexity, Copilot, Meta AI, DeepSeek<\/li>\n<li><strong>7 Tools<\/strong> - WordPress content tools plus optional translation via MyMemory API<\/li>\n<li><strong>Translation Provider<\/strong> - Choose AI self-translate, MyMemory API, or disabled<\/li>\n<li><strong>Dynamic Manifest<\/strong> - Instructions adapt to your settings so AI agents don't invent capabilities<\/li>\n<li><strong>Rate Limiting<\/strong> - Prevent abuse (50 req\/min default)<\/li>\n<li><strong>Security Controls<\/strong> - Token management, block specific users<\/li>\n<li><strong>Zero Configuration<\/strong> - Works out of the box<\/li>\n<li><strong>Extensible<\/strong> - Add custom tools via developer hooks<\/li>\n<\/ul>\n\n<h4>\ud83c\udfaf Quick Start for AI Users<\/h4>\n\n<p><strong>Using ChatGPT or Claude?<\/strong><\/p>\n\n<p>Tell your AI agent:<\/p>\n\n<blockquote>\n  <p>\"I want to connect you to my WordPress site at https:\/\/mysite.com using GoldT WebMCP Bridge plugin. The manifest is at \/wp-json\/goldt-webmcp-bridge\/v1\/manifest. Use OAuth 2.0 with client_id: claude-ai\"<\/p>\n<\/blockquote>\n\n<p>The AI will guide you through OAuth authorization - you'll approve access in your browser.<\/p>\n\n<h4>\ud83e\udd16 Supported AI Agents<\/h4>\n\n<p><strong>Pre-registered and ready to connect:<\/strong><\/p>\n\n<ul>\n<li><strong>Claude AI<\/strong> - Use <code>client_id: claude-ai<\/code> (Anthropic)<\/li>\n<li><strong>ChatGPT<\/strong> - Use <code>client_id: chatgpt<\/code> (OpenAI)<\/li>\n<li><strong>Gemini<\/strong> - Use <code>client_id: gemini<\/code> (Google)<\/li>\n<li><strong>Grok<\/strong> - Use <code>client_id: grok<\/code> (xAI)<\/li>\n<li><strong>Perplexity AI<\/strong> - Use <code>client_id: perplexity<\/code><\/li>\n<li><strong>Microsoft Copilot<\/strong> - Use <code>client_id: copilot<\/code><\/li>\n<li><strong>Meta AI<\/strong> - Use <code>client_id: meta-ai<\/code> (Facebook)<\/li>\n<li><strong>DeepSeek<\/strong> - Use <code>client_id: deepseek<\/code><\/li>\n<\/ul>\n\n<p>All clients use OAuth 2.0 with PKCE and <code>redirect_uri: urn:ietf:wg:oauth:2.0:oob<\/code> (out-of-band).<\/p>\n\n<h4>\ud83d\udee0\ufe0f Available Tools<\/h4>\n\n<ol>\n<li><strong>wordpress.searchPosts<\/strong> - Search posts with filters<\/li>\n<li><strong>wordpress.getPost<\/strong> - Get single post by ID or slug<\/li>\n<li><strong>wordpress.searchPages<\/strong> - Search pages<\/li>\n<li><strong>wordpress.getPage<\/strong> - Get single page by ID or slug<\/li>\n<li><strong>wordpress.getCurrentUser<\/strong> - Get authenticated user info<\/li>\n<li><strong>translation.translate<\/strong> - Translate text via MyMemory API (when Translation Provider = mymemory)<\/li>\n<li><strong>translation.getSupportedLanguages<\/strong> - List supported language codes (when Translation Provider = mymemory)<\/li>\n<\/ol>\n\n<h4>\ud83d\udd12 How Authentication Works<\/h4>\n\n<p><strong>Secure OAuth 2.0 Authentication:<\/strong><\/p>\n\n<p>Uses the same security standard trusted by Google, Facebook, and GitHub:<\/p>\n\n<ol>\n<li>AI agent initiates OAuth flow with code challenge (PKCE)<\/li>\n<li>User approves in browser (consent screen)<\/li>\n<li>Agent receives one-time authorization code<\/li>\n<li>Agent exchanges code for access token using code verifier<\/li>\n<li>Agent uses token for API calls<\/li>\n<\/ol>\n\n<p><strong>The AI agent operates as the user who authorized:<\/strong>\n* The agent receives an OAuth token linked to that user's ID\n* All API requests run with that user's permissions\n* The agent respects WordPress user capabilities<\/p>\n\n<p><strong>Examples:<\/strong><\/p>\n\n<p><strong>If Administrator authorizes:<\/strong>\n* \u2705 Sees all posts (including drafts, private)\n* \u2705 Full access based on admin capabilities<\/p>\n\n<p><strong>If Subscriber authorizes:<\/strong>\n* \u2705 Sees only published content\n* \u274c Cannot see drafts or private content<\/p>\n\n<p><strong>Security:<\/strong> Authorization codes are one-time use (10 min expiry). Access tokens expire after 1 hour. Refresh tokens valid for 30 days. PKCE ensures tokens can't be stolen.<\/p>\n\n<h4>\u2699\ufe0f Admin Settings<\/h4>\n\n<p>Configure the plugin at <strong>GoldT WebMCP \u2192 Settings<\/strong>:<\/p>\n\n<p><strong>Translation Provider:<\/strong><\/p>\n\n<ul>\n<li><strong>AI Self-Translate<\/strong> (default) - The AI agent handles translation on its own; no translation tools appear in the manifest<\/li>\n<li><strong>MyMemory API<\/strong> - Plugin calls MyMemory and returns translated text; <code>translation.translate<\/code> and <code>translation.getSupportedLanguages<\/code> tools are added to the manifest<\/li>\n<li><strong>Disabled<\/strong> - Translation tools are hidden from the manifest entirely<\/li>\n<\/ul>\n\n<p><strong>Rate Limiting:<\/strong><\/p>\n\n<ul>\n<li>Default: 50 requests per minute, 1,000 per hour (per user)<\/li>\n<li>Adjust both values in <strong>GoldT WebMCP \u2192 Settings<\/strong><\/li>\n<\/ul>\n\n<h4>\ud83d\udd10 Admin Controls<\/h4>\n\n<p><strong>For Site Administrators:<\/strong><\/p>\n\n<p>Manage security from the WordPress admin panel:<\/p>\n\n<ul>\n<li><strong>Revoke OAuth Tokens<\/strong> - Go to <strong>GoldT WebMCP \u2192 OAuth Tokens<\/strong> to view and revoke active tokens<\/li>\n<li><strong>Block Users<\/strong> - Go to <strong>GoldT WebMCP \u2192 Settings<\/strong> \u2192 scroll to \"Manage User Access\" section<\/li>\n<li><strong>Rate Limits<\/strong> - Configure request limits in <strong>GoldT WebMCP \u2192 Settings<\/strong> (default: 50\/min, 1000\/hour)<\/li>\n<\/ul>\n\n<h4>\ud83d\udcac We Need Your Feedback!<\/h4>\n\n<p>Help us build what YOU need:<\/p>\n\n<ul>\n<li>\ud83d\udca1 <strong>What tools would be most useful?<\/strong> Tell us which WordPress features you'd like AI agents to access<\/li>\n<li>\ud83d\udc1b <strong>Found a bug?<\/strong> Report it so we can fix it quickly  <\/li>\n<li>\u2b50 <strong>Feature requests<\/strong> - We prioritize based on community feedback<\/li>\n<\/ul>\n\n<p><strong>How to provide feedback:<\/strong>\n* GitHub: https:\/\/github.com\/chgold\/goldt-wp-webmcp-bridge\/issues\n* WordPress.org: Support forum<\/p>\n\n<p>Your feedback directly shapes the future of this plugin!<\/p>\n\n<h3>Troubleshooting<\/h3>\n\n<h4>Missing Dependencies Error<\/h4>\n\n<p><strong>Symptoms:<\/strong>\n* Red error notice in WordPress admin\n* Plugin appears active but doesn't work\n* REST API endpoints return 404<\/p>\n\n<p><strong>Solutions:<\/strong><\/p>\n\n<ol>\n<li><p><strong>Download complete plugin<\/strong> (Recommended)<\/p>\n\n<ul>\n<li>Get the full ZIP with dependencies from <a href=\"https:\/\/github.com\/chgold\/goldt-wp-webmcp-bridge\/releases\">GitHub Releases<\/a><\/li>\n<li>Delete the incomplete plugin folder<\/li>\n<li>Upload and activate the complete version<\/li>\n<\/ul><\/li>\n<li><p><strong>Manual composer install<\/strong> (Advanced)<\/p>\n\n<ul>\n<li>SSH into your server<\/li>\n<li>Run: <code>cd \/path\/to\/wp-content\/plugins\/goldt-webmcp-bridge &amp;&amp; composer install --no-dev<\/code><\/li>\n<\/ul><\/li>\n<\/ol>\n\n<p><strong>Common causes:<\/strong>\n* <code>exec()<\/code> function disabled on server\n* Composer not available on shared hosting\n* Plugin directory not writable<\/p>\n\n<p><strong>How to diagnose:<\/strong>\n* Go to <strong>AI Connect \u2192 Settings<\/strong> in WordPress admin\n* Check the \"Environment Status\" table\n* Look for red \u2717 marks showing the exact issue<\/p>\n\n<h4>Database Tables Missing Error<\/h4>\n\n<p><strong>Symptoms:<\/strong>\n* Red error notice: \"OAuth database tables were not created\"\n* OAuth authorization fails<\/p>\n\n<p><strong>Solution:<\/strong>\n1. Deactivate the plugin\n2. Reactivate the plugin\n3. Check <strong>AI Connect \u2192 Settings<\/strong> to verify \"OAuth Tables: \u2713 Created\"<\/p>\n\n<p><strong>If problem persists:<\/strong>\n* Your database user may not have CREATE TABLE permissions\n* Contact your hosting provider or check wp-config.php<\/p>\n\n<h4>OAuth Authorization Fails<\/h4>\n\n<p><strong>Symptoms:<\/strong>\n* Clicking \"Authorize\" button does nothing\n* Redirect loop during OAuth flow\n* \"invalid_client\" or \"invalid_request\" errors<\/p>\n\n<p><strong>Solutions:<\/strong><\/p>\n\n<ol>\n<li><p><strong>Clear WordPress rewrite rules:<\/strong><\/p>\n\n<ul>\n<li>Go to <strong>Settings \u2192 Permalinks<\/strong><\/li>\n<li>Click \"Save Changes\" (flushes rewrite rules)<\/li>\n<\/ul><\/li>\n<li><p><strong>Verify OAuth tables exist:<\/strong><\/p>\n\n<ul>\n<li>Go to <strong>AI Connect \u2192 Settings<\/strong><\/li>\n<li>Check \"OAuth Tables: \u2713 Created\"<\/li>\n<\/ul><\/li>\n<li><p><strong>Verify client exists:<\/strong><\/p>\n\n<ul>\n<li>Default clients (claude-ai, chatgpt, etc.) are auto-created<\/li>\n<li>If missing, deactivate and reactivate plugin<\/li>\n<\/ul><\/li>\n<\/ol>\n\n<h4>REST API Returns 404<\/h4>\n\n<p><strong>Symptoms:<\/strong>\n* <code>\/wp-json\/goldt-webmcp-bridge\/v1\/manifest<\/code> returns 404\n* Tools API calls fail with 404<\/p>\n\n<p><strong>Solutions:<\/strong><\/p>\n\n<ol>\n<li><p><strong>Flush permalinks:<\/strong><\/p>\n\n<ul>\n<li>Go to <strong>Settings \u2192 Permalinks<\/strong><\/li>\n<li>Click \"Save Changes\"<\/li>\n<\/ul><\/li>\n<li><p><strong>Reactivate plugin:<\/strong><\/p>\n\n<ul>\n<li>Go to <strong>Plugins<\/strong> page<\/li>\n<li>Deactivate and reactivate \"GoldT WebMCP Bridge\"<\/li>\n<\/ul><\/li>\n<li><p><strong>Check WordPress REST API:<\/strong><\/p>\n\n<ul>\n<li>Visit: <code>http:\/\/yoursite.com\/wp-json\/<\/code><\/li>\n<li>If this also returns 404, your REST API is disabled or blocked<\/li>\n<li>Check for conflicting security plugins<\/li>\n<li>Review .htaccess rules<\/li>\n<\/ul><\/li>\n<\/ol>\n\n<h4>Still Having Issues?<\/h4>\n\n<p><strong>Before asking for help, gather this information:<\/strong><\/p>\n\n<ol>\n<li>Go to <strong>AI Connect \u2192 Settings<\/strong><\/li>\n<li>Take screenshot of \"Environment Status\" table<\/li>\n<li>Check browser console for errors (F12 \u2192 Console)<\/li>\n<li>Check WordPress debug log (if enabled)<\/li>\n<\/ol>\n\n<p><strong>Get support:<\/strong>\n* GitHub: https:\/\/github.com\/chgold\/goldt-wp-webmcp-bridge\/issues\n* WordPress.org: Support forum<\/p>\n\n<h3>External Services<\/h3>\n\n<p>This plugin optionally uses the <strong>MyMemory Translation API<\/strong> when the \"Translation Provider\" setting is set to \"MyMemory API\" in the plugin settings.<\/p>\n\n<h4>MyMemory API<\/h4>\n\n<ul>\n<li><strong>What it is:<\/strong> A free machine translation service<\/li>\n<li><strong>When it is used:<\/strong> Only when an AI agent calls the <code>translation.translate<\/code> tool AND the plugin settings have \"MyMemory API\" selected as the translation provider<\/li>\n<li><strong>What data is sent:<\/strong> The text to be translated and the target\/source language codes<\/li>\n<li><strong>Default:<\/strong> Disabled by default. The default provider is \"AI Self-Translate\" (no external requests)<\/li>\n<li><strong>Terms of Service:<\/strong> https:\/\/mymemory.translated.net\/terms-and-conditions<\/li>\n<li><strong>Privacy Policy:<\/strong> https:\/\/mymemory.translated.net\/terms-and-conditions<\/li>\n<\/ul>\n\n<p>If \"MyMemory API\" is not selected, no data is sent to any external service.<\/p>\n\n<h3>Privacy Policy<\/h3>\n\n<p>GoldT WebMCP Bridge does not collect, store, or transmit any personal data to external services. All API requests are handled locally on your WordPress installation.<\/p>\n\n<p><strong>Data stored locally:<\/strong>\n* OAuth clients (pre-registered: claude-ai, chatgpt, gemini)\n* OAuth authorization codes (temporary, 10 min expiry, one-time use)\n* OAuth access tokens (temporary, 1 hour expiry)\n* Rate limiting counters\n* User blacklist (WordPress user IDs only)<\/p>\n\n<p>No data leaves your WordPress installation. This applies when using the default settings. If you enable the MyMemory API translation provider, text content will be sent to mymemory.translated.net. See \"External Services\" section for details.<\/p>\n\n<h3>Requirements<\/h3>\n\n\n\n\n  Component\n  Required\n  Notes\n\n\n\n\n  WordPress\n  \u2705 6.0+\n  Core requirement\n\n\n  PHP\n  \u2705 7.4+\n  With json, openssl\n\n\n  Composer\n  \u2705 Yes\n  For dependencies\n\n\n  HTTPS\n  \u26a0\ufe0f Production\n  Required for security\n\n\n  Redis\n  \u2b55 Optional\n  For high traffic\n\n\n\n\n<h3>Credits<\/h3>\n\n<ul>\n<li>Optional <a href=\"https:\/\/github.com\/predis\/predis\">predis\/predis<\/a> support for rate limiting<\/li>\n<li>Compliant with WebMCP protocol specification<\/li>\n<\/ul>\n\n<p><strong>Made with \u2764\ufe0f for the WordPress &amp; AI community<\/strong><\/p>\n\n<!--section=installation-->\n<h4>Automatic Installation<\/h4>\n\n<ol>\n<li>Go to <strong>Plugins \u2192 Add New<\/strong> in WordPress admin<\/li>\n<li>Search for \"GoldT WebMCP Bridge\"<\/li>\n<li>Click <strong>Install Now<\/strong> and then <strong>Activate<\/strong><\/li>\n<\/ol>\n\n<h4>Manual Installation<\/h4>\n\n<ol>\n<li>Download the plugin zip file<\/li>\n<li>Go to <strong>Plugins \u2192 Add New \u2192 Upload Plugin<\/strong><\/li>\n<li>Upload the zip file and click <strong>Install Now<\/strong><\/li>\n<li>Activate the plugin<\/li>\n<\/ol>\n\n<p><strong>Note:<\/strong> All required dependencies are included. No manual setup required!<\/p>\n\n<h4>Setup<\/h4>\n\n<p><strong>No setup required!<\/strong> The plugin works immediately after activation.<\/p>\n\n<p><strong>Optional:<\/strong> Configure rate limits in <strong>GoldT WebMCP \u2192 Settings<\/strong><\/p>\n\n<p><strong>For detailed setup and testing examples<\/strong>, see the <a href=\"https:\/\/github.com\/chgold\/goldt-wp-webmcp-bridge\">plugin documentation on GitHub<\/a>.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"what%20is%20webmcp%3F\"><h3>What is WebMCP?<\/h3><\/dt>\n<dd><p>WebMCP (Web Model Context Protocol) is a standardized protocol for connecting AI agents to web services. It defines how AI assistants discover, authenticate with, and execute tools on web platforms.<\/p><\/dd>\n<dt id=\"does%20this%20work%20with%20chatgpt%20and%20claude%3F\"><h3>Does this work with ChatGPT and Claude?<\/h3><\/dt>\n<dd><p>Yes! GoldT WebMCP Bridge works with any AI platform that supports REST APIs. This includes ChatGPT (OpenAI), Claude (Anthropic), Make.com, Zapier, and custom applications.<\/p><\/dd>\n<dt id=\"why%20does%20reading%20public%20content%20require%20authentication%3F\"><h3>Why does reading public content require authentication?<\/h3><\/dt>\n<dd><p>All API calls require authentication for security:\n* <strong>Rate Limiting<\/strong> - Prevents spam and abuse\n* <strong>Monitoring<\/strong> - Track who uses your API\n* <strong>Security<\/strong> - Protects against data scraping and DDoS attacks<\/p>\n\n<p>This is the industry standard (Twitter, GitHub, Google APIs all require auth).<\/p>\n\n<p><strong>Exception:<\/strong> The manifest endpoint is public (no auth needed).<\/p><\/dd>\n<dt id=\"how%20does%20the%20ai%20agent%20authentication%20work%3F\"><h3>How does the AI agent authentication work?<\/h3><\/dt>\n<dd><p><strong>OAuth 2.0 Authorization:<\/strong> The AI agent operates as the WordPress user who authorized it.<\/p>\n\n<p>When a user approves access through the OAuth consent screen:\n* The agent receives an access token linked to that user's ID\n* All API requests run with that user's permissions\n* The agent inherits the user's capabilities<\/p>\n\n<p><strong>Security:<\/strong> \n* No passwords are transmitted - only authorization codes\n* PKCE prevents authorization code interception\n* Tokens are time-limited (1 hour) and can be revoked\n* The agent respects WordPress user capabilities<\/p><\/dd>\n<dt id=\"is%20redis%20required%3F\"><h3>Is Redis required?<\/h3><\/dt>\n<dd><p>No, Redis is optional. The plugin works perfectly with WordPress transients. However, Redis is recommended for high-traffic sites (&gt;1,000 requests\/day) as it provides better rate limiting performance.<\/p><\/dd>\n<dt id=\"can%20i%20add%20custom%20tools%3F\"><h3>Can I add custom tools?<\/h3><\/dt>\n<dd><p>Yes! GoldT WebMCP Bridge is extensible. Use WordPress hooks to add custom tools:<\/p>\n\n<pre><code>`php\n<\/code><\/pre>\n\n<p>add_action('goldtwmcp_register_modules', function($goldtwmcp_plugin) {\n    $manifest = $goldtwmcp_plugin-&gt;get_manifest_instance();\n    $manifest-&gt;register_tool('mysite.getStats', [...]);\n});\n    `<\/p>\n\n<p><strong>Important:<\/strong> Place your custom tools in your theme's <code>functions.php<\/code> or a separate plugin - they will be preserved during plugin updates.<\/p>\n\n<p>See the <a href=\"https:\/\/github.com\/chgold\/goldt-wp-webmcp-bridge\">plugin documentation<\/a> for more details.<\/p><\/dd>\n<dt id=\"how%20long%20do%20tokens%20last%3F\"><h3>How long do tokens last?<\/h3><\/dt>\n<dd><ul>\n<li><strong>Access Token<\/strong>: 1 hour (3600 seconds)<\/li>\n<li><strong>Refresh Token<\/strong>: 30 days (2,592,000 seconds)<\/li>\n<\/ul>\n\n<p>Use the refresh token to get a new access token without re-authentication.<\/p><\/dd>\n<dt id=\"can%20i%20revoke%20access%3F\"><h3>Can I revoke access?<\/h3><\/dt>\n<dd><p>Yes! Multiple options:<\/p>\n\n<p><strong>Revoke specific OAuth token:<\/strong>\n* Go to <strong>GoldT WebMCP \u2192 OAuth Tokens<\/strong>\n* Find the token and click \"Revoke\"<\/p>\n\n<p><strong>Block specific user:<\/strong>\n* Go to <strong>GoldT WebMCP \u2192 Settings<\/strong>\n* Enter user ID in \"Block User\" section\n* User cannot authenticate or use existing tokens<\/p><\/dd>\n<dt id=\"how%20do%20i%20troubleshoot%20authentication%20errors%3F\"><h3>How do I troubleshoot authentication errors?<\/h3><\/dt>\n<dd><p><strong>Common issues:<\/strong><\/p>\n\n<ul>\n<li><strong>\"invalid_client\"<\/strong> - Check client_id (use: claude-ai, chatgpt, or gemini)<\/li>\n<li><strong>\"invalid_grant\"<\/strong> - Authorization code expired or already used (codes are one-time, 10 min expiry)<\/li>\n<li><strong>\"access_denied\"<\/strong> - User is blocked (check GoldT WebMCP \u2192 Settings \u2192 Manage User Access)<\/li>\n<li><strong>\"Token expired\"<\/strong> - Access token expired after 1 hour, use refresh token to get new access token<\/li>\n<li><strong>\"Rate limit exceeded\"<\/strong> - Wait for retry period or increase limits in Settings<\/li>\n<\/ul>\n\n<p>Enable WordPress debug mode and check <code>wp-content\/debug.log<\/code> for details.<\/p><\/dd>\n<dt id=\"where%20can%20i%20get%20support%3F\"><h3>Where can I get support?<\/h3><\/dt>\n<dd><ul>\n<li><strong>Community<\/strong>: WordPress.org support forums<\/li>\n<\/ul><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>0.5.3 - 2026-06-01<\/h4>\n\n<ul>\n<li>Fixed: Admin status page was displaying version 0.4.0 instead of the actual plugin version. Changed hardcoded <code>$version = '0.4.0'<\/code> class property to use <code>GOLDTWMCP_VERSION<\/code> constant.<\/li>\n<\/ul>\n\n<h4>0.5.2 - 2026-06-01<\/h4>\n\n<ul>\n<li>Fixed: Replaced deprecated <code>mysql2date()<\/code> calls with <code>gmdate()<\/code> in OAuth tokens admin view (deprecated since WordPress 5.3).<\/li>\n<\/ul>\n\n<h4>0.5.1 - 2026-06-01<\/h4>\n\n<ul>\n<li>Fixed: Settings link in plugins list pointed to non-existent page slug <code>goldtwmcp<\/code> \u2014 corrected to <code>goldt-webmcp-bridge<\/code>.<\/li>\n<li>Fixed: Two unescaped <code>echo<\/code> calls in admin status page wrapped with <code>esc_html()<\/code>.<\/li>\n<li>Removed: Unnecessary WooCommerce recommendation notice (WooCommerce is not required by this plugin).<\/li>\n<\/ul>\n\n<h4>0.4.6 - 2026-05-20<\/h4>\n\n<ul>\n<li>Fixed (security): searchPosts and searchPages now hardcode post_status=publish instead of 'any'. WP_Query with 'any' bypasses WordPress capability checks entirely and returns all posts including other users' drafts \u2014 even to subscribers. Reverted to explicit 'publish'.<\/li>\n<\/ul>\n\n<h4>0.4.5 - 2026-05-19<\/h4>\n\n<ul>\n<li>Fixed: Copy Code button on the OAuth authorization code page (OOB) was silently failing \u2014 the <code>copyCode()<\/code> JavaScript function was missing. Added with <code>navigator.clipboard<\/code> API and <code>execCommand<\/code> fallback.<\/li>\n<li>Added: <code>webmcp-master.ai<\/code> added to the supported platforms list on the <code>\/ai-connect\/<\/code> info page.<\/li>\n<\/ul>\n\n<h4>0.4.4 - 2026-05-19<\/h4>\n\n<ul>\n<li>Fixed: WordPress.org review \u2014 MyMemory external service URLs updated to working addresses.<\/li>\n<li>Fixed: WordPress.org review \u2014 <code>searchPosts<\/code> and <code>searchPages<\/code> now use native WordPress capability filtering (<code>post_status =&gt; 'any'<\/code>): subscribers see only published posts, authors see their own drafts, editors\/admins see all. The <code>status<\/code> parameter has been removed from the tool schema since it is no longer needed.<\/li>\n<li>Fixed: WordPress.org review \u2014 <code>getPost<\/code> and <code>getPage<\/code> now enforce <code>current_user_can('read_post')<\/code> for non-published content, preventing unauthorized access to drafts\/private pages by ID.<\/li>\n<\/ul>\n\n<h4>0.4.3 - 2026-05-19<\/h4>\n\n<ul>\n<li>Fixed: <code>wp plugin check<\/code> warnings \u2014 renamed unprefixed view variables to <code>goldtwmcp_<\/code> prefix; wrapped <code>$table<\/code> in <code>esc_sql()<\/code> in schema-introspection queries; suppressed false-positive <code>PluginCheck.Security.DirectDB<\/code> warnings on whitelisted SQL fragments.<\/li>\n<\/ul>\n\n<h4>0.4.2 - 2026-05-18<\/h4>\n\n<ul>\n<li>Fixed: PHPCS WordPress coding standards compliance \u2014 resolved 16 errors and 3 warnings across <code>class-database.php<\/code>, <code>class-token-registry.php<\/code>, <code>class-oauth-server.php<\/code>, and <code>admin-token-registry.php<\/code>.<\/li>\n<\/ul>\n\n<h4>0.4.1 - 2026-05-13<\/h4>\n\n<ul>\n<li>Added: Manifest now exposes <code>auth.registered_clients<\/code> \u2014 an object mapping each registered OAuth <code>client_id<\/code> to its display name, so AI agents can discover which clients this site accepts without an extra round-trip.<\/li>\n<li>Added: New default OAuth client <code>webmcp-master<\/code> (WebMCP Master) with full scopes (<code>read<\/code>, <code>write<\/code>, <code>delete<\/code>, <code>manage_users<\/code>) \u2014 seeded on fresh installs and idempotently inserted on upgrade for existing sites.<\/li>\n<li>Schema: Database upgrade routine 1.4.0 \u2014 inserts the <code>webmcp-master<\/code> client when missing.<\/li>\n<\/ul>\n\n<h4>0.4.0 - 2026-05-11<\/h4>\n\n<ul>\n<li>Added: Token Registry \u2014 sidecar table (<code>{prefix}aiconnect_token_registry<\/code>) records every issued\/refreshed token (only the 16-char prefix is stored, not the full secret), tracking issued_at \/ expires_at \/ last_used_at \/ revoked_at \/ revoked_by \/ source \/ ip_address.<\/li>\n<li>Added: Admin REST endpoints <code>GET \/wp-json\/goldt-mcp\/v1\/admin\/tokens<\/code> and <code>DELETE \/wp-json\/goldt-mcp\/v1\/admin\/tokens\/{id}<\/code> (manage_options only).<\/li>\n<li>Added: WP-Admin sub-page \"AI Connect \u2192 Token Registry\" to view and revoke active tokens with active \/ revoked \/ all filters.<\/li>\n<li>Improved: Bearer-auth lookups now update <code>last_used_at<\/code> and reject tokens revoked in the registry (defense in depth).<\/li>\n<li>Improved: Token revocation is now a soft-delete (revoked_at + revoked_by) instead of a hard delete; refresh-token rotation also flows through the registry.<\/li>\n<li>Schema: Database upgrade routine 1.3.0 \u2014 creates the new table on activation and on upgrade, with column-by-column ALTER fallback for partial pre-existing installs.<\/li>\n<\/ul>\n\n<h4>0.3.3 - 2026-05-06<\/h4>\n\n<ul>\n<li>Fixed: Removed \"Powered by AI Connect\" credit link from public-facing info page (WordPress.org compliance)<\/li>\n<\/ul>\n\n<h4>0.3.2 - 2026-04-12<\/h4>\n\n<ul>\n<li>Fixed: \"Revoke All Tokens\" button now actually revokes all active tokens in the database<\/li>\n<li>Fixed: Tool names now use lowercase module prefix (wordpress.searchPosts) per WebMCP protocol spec<\/li>\n<li>Improved: CSS\/JS extracted to assets\/ using wp_enqueue_style\/wp_enqueue_script (WordPress.org compliance)<\/li>\n<li>Improved: Admin settings page cleaned up - removed irrelevant status rows<\/li>\n<li>Added: External Services disclosure for MyMemory API (WordPress.org compliance)<\/li>\n<\/ul>\n\n<h4>0.3.0<\/h4>\n\n<ul>\n<li>Added: Translation Provider setting (AI Self-Translate, MyMemory API, or Disabled)<\/li>\n<li>Added: TranslationModule with MyMemory API integration (translate, getSupportedLanguages)<\/li>\n<li>Added: Dynamic manifest instructions to prevent AI agents from inventing capabilities<\/li>\n<li>Improved: OAuth client_id is now optional (defaults to 'claude')<\/li>\n<li>Improved: Fuzzy client_id matching (recognizes variants like gemini_client, claude_ai)<\/li>\n<li>Improved: Specific OAuth error messages instead of generic errors<\/li>\n<\/ul>\n\n<h4>0.2.1 - 2026-03-06<\/h4>\n\n<ul>\n<li><strong>Security<\/strong>: Added OAuth scope validation - users must explicitly grant permissions for each tool<\/li>\n<li><strong>WordPress.org Compliance<\/strong>: Fixed inline scripts\/styles - moved to wp_enqueue_script\/style<\/li>\n<li><strong>WordPress.org Compliance<\/strong>: Removed \/status endpoint per security review<\/li>\n<li><strong>WordPress.org Compliance<\/strong>: Updated .distignore to exclude vendor development files<\/li>\n<li><strong>Fixed<\/strong>: Updated Bearer_Auth endpoint paths to current plugin slug<\/li>\n<li><strong>Improved<\/strong>: 3-layer security architecture (authentication, rate limiting, authorization)<\/li>\n<\/ul>\n\n<h4>0.2.0 - 2026-02-23<\/h4>\n\n<ul>\n<li><strong>Security<\/strong>: Migrated to OAuth 2.0 with PKCE for secure authentication<\/li>\n<li><strong>Added<\/strong>: 8 pre-registered AI clients (Claude, ChatGPT, Gemini, and more)<\/li>\n<li><strong>Added<\/strong>: Parameter validation and resource limits (prevents abuse)<\/li>\n<li><strong>Improved<\/strong>: Security hardening - comprehensive input validation<\/li>\n<\/ul>\n\n<h4>0.1.2 - 2026-02-19<\/h4>\n\n<ul>\n<li>Added: Translation support for 12 languages<\/li>\n<\/ul>\n\n<h4>0.1.1 - 2026-02-16<\/h4>\n\n<ul>\n<li>Improved: Bundled all dependencies - no manual setup required<\/li>\n<\/ul>\n\n<h4>0.1.0 - 2025-02-13<\/h4>\n\n<ul>\n<li>Initial public release<\/li>\n<li>WebMCP protocol support<\/li>\n<li>5 WordPress core tools<\/li>\n<\/ul>","raw_excerpt":"Bridge for 8 AI agents (Claude, ChatGPT, Grok, more) via WebMCP with OAuth 2.0","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/283845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=283845"}],"author":[{"embeddable":true,"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/chagold"}],"wp:attachment":[{"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=283845"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=283845"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=283845"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=283845"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=283845"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/as.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=283845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}