The easy way — you’ll be sent to your own WordPress admin to approve Capraseo in one click, then straight back here. Nothing to copy or type. It grants access as the WordPress user you’re signed in as, so for least-privilege access either sign into WordPress as a dedicated Editor first, or use the tab. Needs WordPress 5.6 or newer, over HTTPS.
An Application Password has the same powers as the user it belongs to, so give Capraseo its own Editor user rather than your personal or admin login. Capraseo only needs to publish posts and upload images — this keeps it away from everything else. It takes about a minute:
/wp-admin), go to Users → Add New. Create a user — e.g. username capraseo — set Role to Editor, and click Add New User.The code is an Application Password (24 letters and numbers, like abcd 1234 EFGH 5678 ijkl 9012) — not your normal login password, which won’t work here. Needs WordPress 5.6 or newer, served over HTTPS. If you don’t see the Application Passwords section, a security plugin may have disabled it.
POST — your app, CMS, or queue takes it from there. Every request is signed so you can be certain it came from us.We’ll generate a signing secret for you when you save. You can send a test payload and copy the secret right after.
X-Capraseo-Signature: sha256=…. Use it on your endpoint to verify the call is genuinely from Capraseo. Treat it like a password.
article.test POST at your URL right now and shows you exactly what your endpoint returned.
Each delivery is a single HTTP POST with a JSON body and these headers:
Content-Type: application/jsonX-Capraseo-Event: article.published (a test send uses article.test)X-Capraseo-Signature: sha256=<hex> — HMAC-SHA256 of the raw body, keyed on your signing secretThe body looks like this:
To verify a request: recompute HMAC-SHA256(raw_body, signing_secret) and compare it (constant-time) to the hex in X-Capraseo-Signature. Respond 2xx to accept the delivery; any other status is treated as a failure.