Permissions
Permissions should match the impact of the ability.
| Level | Meaning | Examples |
|---|---|---|
| read | Reads analytics, content, experiments, audiences, or schema. | Performance summaries, experiment results, content search. |
| write | Creates or updates Accelerate objects. | Create A/B test, update audience, add variant. |
| destructive | Stops, removes, or materially finalizes behavior. | Remove variant, stop experiment, call winner. |
WordPress capability tiers
| Capability | Access level | Example abilities |
|---|---|---|
| edit_posts | View and create for authors and above. | Discovery abilities, most execution abilities, query and aggregation. |
| manage_options | Administrator-level access. | Stop experiment, broadcast content, export events. |
Authentication methods
- Application Passwords are recommended for API integrations and AI agents.
- Cookie auth is appropriate for same-origin browser requests inside WordPress admin.
- OAuth 2.0 can be used when the site has a WordPress OAuth plugin configured.
Recommended defaults
Start AI clients with read-only access. Add write access per workflow, then gate destructive abilities behind explicit human confirmation.
Operator guidance
Agents should explain the intended change before calling write or destructive abilities, especially for experiments and personalization rules that affect live visitors.
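
The recommended defaults and operator guidance above can be enforced on the client side before any request is sent. The following is an added example, not Accelerate's own code: the ability names, the `AbilityGate` class and the `confirm` hook are hypothetical, and requiring a workflow grant for destructive abilities as well as write abilities is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Hypothetical ability names (not from the page); levels follow its table.
ABILITY_LEVELS: Dict[str, str] = {
    "experiment-results": "read",
    "create-ab-test": "write",
    "update-audience": "write",
    "stop-experiment": "destructive",
}

@dataclass
class AbilityGate:
    # Human approval hook: receives (ability, explanation), True means approved.
    confirm: Callable[[str, str], bool]
    # Per-workflow allowlist of non-read abilities; empty means read-only.
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def authorize(self, workflow: str, ability: str, explanation: str = "") -> Tuple[bool, str]:
        decision = self._decide(workflow, ability, explanation.strip())
        self.audit.append((workflow, ability, decision[1]))  # record every decision
        return decision

    def _decide(self, workflow: str, ability: str, explanation: str) -> Tuple[bool, str]:
        level = ABILITY_LEVELS.get(ability)
        if level is None:
            return False, "unknown ability"  # fail closed on unclassified abilities
        if level == "read":
            return True, "read allowed by default"
        if not explanation:
            return False, "explanation required"  # agent must state the intended change
        if ability not in self.grants.get(workflow, set()):
            return False, "not granted to workflow"
        if level == "destructive" and not self.confirm(ability, explanation):
            return False, "human confirmation refused"
        return True, f"{level} allowed"

def demo(approve: bool = False) -> List[Tuple[bool, str]]:
    # Constructed scenario: one workflow may create tests and stop experiments.
    gate = AbilityGate(confirm=lambda ability, why: approve,
                       grants={"homepage-test": {"create-ab-test", "stop-experiment"}})
    return [
        gate.authorize("homepage-test", "experiment-results"),
        gate.authorize("homepage-test", "create-ab-test"),
        gate.authorize("homepage-test", "create-ab-test", "Test a new hero headline"),
        gate.authorize("homepage-test", "update-audience", "Narrow to returning visitors"),
        gate.authorize("homepage-test", "stop-experiment", "Variant B reached significance"),
    ]
```

A client-side gate like this complements the server-side capability checks (`edit_posts`, `manage_options`) and does not replace them.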