REST API Reference
The plugin replaces WordPress's default /wp-json/ namespace with a custom /api/ prefix and exposes 17 REST endpoints used by the mobile app and the Association App Platform sync connector.
This plugin is API-first. It does not register WordPress shortcodes or Gutenberg blocks. Integration is done entirely through the REST API documented on this page.
Base URL
https://your-wordpress-site.com/api/v1/
Authentication Methods
| Method | Used by | How |
|---|---|---|
| JWT Bearer token | Mobile app | Authorization: Bearer <access_token> |
| Sync API Key | Platform connector | X-Association-Sync-Key: <sync_key> |
| Public (no auth) | Login, register, refresh | None required |
Authentication Endpoints
Authentication endpoints are public (no token required), except those marked with a Requires line below.
POST /api/v1/auth
Log in with email and password.
Request body:
{
"username": "[email protected]",
"password": "secret"
}
Response:
{
"token": "<jwt-access-token>",
"refresh_token": "<jwt-refresh-token>",
"user_email": "[email protected]",
"user_nicename": "member",
"user_display_name": "Jane Smith"
}
POST /api/v1/auth/refresh
Exchange a refresh token for a new access token.
Request body:
{ "refresh_token": "<jwt-refresh-token>" }
Response: Same shape as /auth login response.
POST /api/v1/auth/validate
Check whether an access token is still valid.
Request body:
{ "token": "<jwt-access-token>" }
Response:
{ "code": "jwt_auth_valid_token", "data": { "status": 200 } }
POST /api/v1/auth/signup
Register a new member account.
Request body:
{
"email": "[email protected]",
"password": "secret",
"first_name": "Jane",
"last_name": "Smith"
}
POST /api/v1/auth/logout
Invalidate the current session (FCM token unsubscription).
Requires: Authorization: Bearer <token>
POST /api/v1/auth/login_deeplink
Generate a short-lived JWT for passwordless deep-link login (used for email invitation links).
POST /api/v1/auth/unsubscribe
Remove the device's FCM token from the Firebase subscription list.
Requires: Authorization: Bearer <token>
Sync Endpoints
Used by the Association App Platform v2 Connector to pull and push data during migration and ongoing sync. All sync endpoints except the /sync/ping health check require the X-Association-Sync-Key header.
Authentication:
X-Association-Sync-Key: <value from Settings → Association App → Sync>
GET /api/v1/sync/ping
Health check. Returns {"status":"ok"} with no authentication required.
GET /api/v1/sync/members
Pull all member (WordPress user) records.
Query parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
| page | int | 1 | Page number |
| per_page | int | 50 | Records per page (max 200) |
| since | string | — | ISO-8601 or Unix timestamp — return only records modified after this date (incremental sync) |
Response shape (paginated):
{
"data": [ { "id": 1, "email": "...", "first_name": "...", ... } ],
"total": 142,
"page": 1,
"per_page": 50,
"total_pages": 3
}
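A paginated incremental pull against the sync endpoints, as an added example (not the plugin's or the connector's own code). It sends the sync key as a header, clamps per_page to the documented maximum of 200, and walks pages using total_pages; the `modified` field and the `fake_fetch` server stand-in are constructed for the example.

```python
import json
import urllib.parse
import urllib.request

MAX_PER_PAGE = 200  # documented upper bound for per_page


def http_fetch(url, headers):
    """Default transport: GET the URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pull_all(base_url, resource, sync_key, since=None, per_page=50, fetch=http_fetch):
    """Walk every page of /sync/<resource> and return the combined records."""
    per_page = max(1, min(per_page, MAX_PER_PAGE))
    headers = {"X-Association-Sync-Key": sync_key}  # key travels in a header, not the URL
    records, page = [], 1
    while True:
        params = {"page": page, "per_page": per_page}
        if since is not None:
            params["since"] = since  # ISO-8601 or Unix timestamp
        url = f"{base_url.rstrip('/')}/sync/{resource}?{urllib.parse.urlencode(params)}"
        body = fetch(url, headers)
        records.extend(body["data"])
        # Stop on the last page, or on an empty page so a bad total_pages cannot loop forever.
        if page >= int(body.get("total_pages", 0)) or not body["data"]:
            return records
        page += 1


def fake_fetch(url, headers):
    """Constructed stand-in for the server: 5 members, honours page/per_page/since."""
    assert headers.get("X-Association-Sync-Key") == "test-key"
    q = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlparse(url).query).items()}
    members = [{"id": i, "modified": f"2024-01-0{i}T00:00:00Z"} for i in range(1, 6)]
    if "since" in q:
        members = [m for m in members if m["modified"] > q["since"]]
    page, size = int(q["page"]), int(q["per_page"])
    chunk = members[(page - 1) * size: page * size]
    return {"data": chunk, "total": len(members), "page": page,
            "per_page": size, "total_pages": -(-len(members) // size)}
```

The same function serves /sync/events by passing "events" as the resource.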
GET /api/v1/sync/events
Pull event post records. Same pagination and since parameters as /sync/members.
GET /api/v1/sync/conferences
Pull conference post records.
GET /api/v1/sync/documents
Pull document post records including file URL and folder taxonomy.
GET /api/v1/sync/companies
Pull company post records.
GET /api/v1/sync/articles
Pull WordPress post/article records.
PUT /api/v1/sync/members/{id}
Push an updated member record from the new platform back to WordPress (bi-directional sync).
Path parameter: {id} — WordPress user ID
Request body: Partial member object with updated fields.
PUT /api/v1/sync/events/{id}
Push an updated event record from the new platform back to WordPress.
Path parameter: {id} — WordPress post ID
Other App Endpoints
These endpoints serve the mobile app directly (all require Authorization: Bearer <token>):
| Method | Path | Description |
|---|---|---|
| GET/POST | /api/v1/events | List / create events |
| GET/POST | /api/v1/conferences | List / create conferences |
| GET/POST | /api/v1/members | Member directory |
| GET/POST | /api/v1/documents | Document library |
| GET/POST | /api/v1/companies | Company directory |
| GET/POST | /api/v1/notifications | Push notifications |
| GET/POST | /api/v1/pages | WordPress pages |
| GET/POST | /api/v1/posts | WordPress posts / news |
| GET/POST | /api/v1/home | Home dashboard data |
| GET/POST | /api/v1/search | Global search |
| GET/POST | /api/v1/contact | Contact/enquiry submission |
| GET/POST | /api/v1/user | Authenticated user profile |
| GET/POST | /api/v1/enquiries | Enquiry records (admin) |
| GET/POST | /api/v1/utilities | Utility/helper endpoints |
| GET/POST | /api/v1/admin | Admin-only operations |
Error Responses
The API returns standard HTTP status codes:
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 400 | Bad request — check request body |
| 401 | Unauthenticated — missing or invalid token |
| 403 | Forbidden — insufficient permissions |
| 404 | Resource not found |
| 500 | Server error |
Error bodies follow the WordPress REST API convention:
{
"code": "jwt_auth_bad_request",
"message": "Bad request. Token not provided.",
"data": { "status": 400 }
}
REST URL Prefix
By default, WordPress routes REST requests through /wp-json/. This plugin hooks into rest_url_prefix to change the prefix to /api:
add_filter('rest_url_prefix', fn() => 'api');
The default WordPress REST endpoints (/wp/v2/*) are also disabled by hooking into rest_endpoints — only the plugin's custom endpoints are accessible.
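A deployment check for the access rules stated on this page, as an added example (not part of the plugin): it sends unauthenticated GETs and reports any path whose result contradicts the documentation. The choice of /wp/v2/users as the core route to probe and the `fake_site` stand-in are assumptions made for the example.

```python
import urllib.error
import urllib.request

# (path, should an unauthenticated GET succeed?) taken from the statements on this page.
CHECKS = [
    ("/api/v1/sync/ping", True),       # health check, no authentication
    ("/api/v1/sync/members", False),   # needs X-Association-Sync-Key
    ("/api/v1/user", False),           # needs Authorization: Bearer
    ("/api/wp/v2/users", False),       # core route, removed via rest_endpoints
    ("/wp-json/wp/v2/users", False),   # old prefix, replaced via rest_url_prefix
]


def http_status(url):
    """Default transport: status of a GET, including 4xx/5xx error statuses."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(site, status_of=http_status):
    """Return (path, status) pairs that contradict the documented behaviour."""
    findings = []
    for path, should_be_open in CHECKS:
        status = status_of(site.rstrip("/") + path)
        is_open = 200 <= status < 300
        if is_open != should_be_open:
            findings.append((path, status))
    return findings


def fake_site(open_paths):
    """Constructed deployment: 200 for open_paths, 401 for other /api/v1 paths, else 404."""
    def status_of(url):
        path = "/" + url.split("/", 3)[3]
        if path in open_paths:
            return 200
        return 401 if path.startswith("/api/v1/") else 404
    return status_of
```

An empty result means the deployment matches the documentation; a core route that still answers 200 indicates the rest_endpoints filter is not taking effect.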