Sticklight

Sticklight Connector provides a structured way to use the WordPress user system in external or React-based applications.

The plugin extends the WordPress REST API with additional endpoints that allow authenticated clients to retrieve user context and interact with WordPress data, while fully respecting core authentication methods, roles, and capability checks.

Sticklight does not replace WordPress authentication. It relies on wp_authenticate for credential validation and WordPress Application Passwords for API access, and follows standard permission checks (current_user_can) for all requests.

Typical use cases

• React applications connected to a WordPress site
• Headless or hybrid WordPress setups
• Admin or user dashboards built outside wp-admin
• External tools that require authenticated access to WordPress data

Features

• Authenticates via wp_authenticate and issues Application Passwords for API access
• Adds REST endpoints for login, logout, and retrieving current user context
• Enforces WordPress capability checks on all requests
• Supports cross-origin headless setups
• Extensible via WordPress hooks and filters

Usage

Login

Authenticate with username (or email) and password:

POST /wp-json/sticklight/v1/auth/login

On success the response includes an Application Password for subsequent API requests and the authenticated user:

{
  "app_password": "XXXX XXXX XXXX XXXX XXXX XXXX",
  "user": {
    "user_id": 1,
    "username": "admin",
    "display_name": "Admin",
    "email": "admin@example.com",
    "roles": ["administrator"]
  }
}

Use the returned app_password with HTTP Basic Authentication for all further requests.

Current user

Retrieve the current authenticated user:

GET /wp-json/sticklight/v1/auth/me

Logout

Revoke the current Application Password session:

POST /wp-json/sticklight/v1/auth/logout

User registration

User creation is handled through the built-in WordPress REST API (POST /wp-json/wp/v2/users) and requires administrator authentication.

Accessing protected data

Requests to any endpoint must pass standard WordPress permission checks. Sticklight does not bypass or override these checks.

Security

Sticklight follows WordPress security practices:

• Authenticates via wp_authenticate, which respects all security plugin hooks (rate limiting, two-factor authentication, brute-force protection)
• Issues Application Passwords scoped to individual sessions
• Does not provide user registration — accounts must be created by an administrator
• Applies capability checks (current_user_can) on all endpoints
• Does not expose private data without proper permissions

For external applications, it is recommended to:

• Use HTTPS
• Restrict allowed origins
• Avoid exposing sensitive endpoints unnecessarily