Auth & Rate Limiting
The Auth & Rate Limiting panel manages which WordPress users have access to the REST API, which authentication methods are accepted, and what rate quotas apply.
In the free tier, users and rate limits are configured globally and apply across all routes and requests.
In Pro, each Application defines its own auth methods, allowed origins, allowed IPs, allowed HTTP methods, and user list. Users belong to an application, and per-user settings can narrow, but never relax, the application-level defaults.
Free Tier
Global Settings
Authentication and rate limiting enforcement is toggled in the Routes panel:
- Enforce Authentication: requires a valid authenticated request on all WordPress core REST endpoints.
- Enforce Rate Limiting: applies the global quota to all routes.
User Entries
Each entry links a WordPress user to an optional rate limit quota. When the module is enabled, authenticated requests are checked against this list before the endpoint is reached.
User Identity
User links this entry to an existing WordPress user account.
Enabled toggles activation for this user without deleting the entry.
Rate Limiting
Window (seconds) defines the time period over which requests are counted. For example, 60 means one minute.
Max Requests is the maximum number of REST API requests allowed within one window. When exceeded, the firewall returns 429 Too Many Requests until the window resets. Leave both fields empty to grant unrestricted access while still tracking the user.
Block Time is how long an IP is blocked after exceeding the max requests threshold.
Blacklist Threshold is the number of times the max requests limit must be hit before the IP is automatically blacklisted.
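The four fields above describe a fixed-window counter with a temporary block and an escalating blacklist. The following simulation is an added example, not the plugin's code: it models one subject (a user entry together with the client IP, passed in as a single key string) and returns the status the firewall would answer with. The 403 for a blacklisted subject and the decision to count blocked requests as neither new hits nor new window entries are assumptions, since the page does not state them.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Quota:
    window: Optional[int]        # seconds per counting window; None = unrestricted
    max_requests: Optional[int]  # allowed requests per window; None = unrestricted
    block_time: int              # seconds a subject stays blocked after a limit hit
    blacklist_threshold: int     # limit hits before the subject is blacklisted


@dataclass
class SubjectState:
    window_start: float = 0.0
    count: int = 0
    blocked_until: float = 0.0
    limit_hits: int = 0
    blacklisted: bool = False


class RateLimiter:
    """Fixed-window limiter with block time and blacklist threshold (added example)."""

    def __init__(self, quota: Quota):
        self.quota = quota
        self.state: dict = {}

    def check(self, key: str, now: float) -> int:
        """Record one request; return 200 (pass), 429 (limited) or 403 (blacklisted)."""
        q = self.quota
        s = self.state.setdefault(key, SubjectState())
        if s.blacklisted:
            return 403                       # assumption: blacklisted subjects get 403
        if now < s.blocked_until:
            return 429                       # still inside the block period
        if q.window is None or q.max_requests is None:
            s.count += 1                     # empty fields: tracked but never limited
            return 200
        if now - s.window_start >= q.window:
            s.window_start, s.count = now, 0  # window elapsed, start a fresh count
        s.count += 1
        if s.count > q.max_requests:
            s.limit_hits += 1                # one more hit of the max requests limit
            s.blocked_until = now + q.block_time
            if s.limit_hits >= q.blacklist_threshold:
                s.blacklisted = True         # threshold reached: automatic blacklist
            return 429
        return 200


def simulate(quota: Quota, timestamps, key: str = "user42@203.0.113.5"):
    """Run a constructed sequence of request times through one limiter."""
    limiter = RateLimiter(quota)
    return [limiter.check(key, t) for t in timestamps]


if __name__ == "__main__":
    # Constructed scenario: 60 s window, 3 requests, 120 s block, blacklist after 2 hits.
    quota = Quota(window=60, max_requests=3, block_time=120, blacklist_threshold=2)
    print(simulate(quota, [0, 1, 2, 3, 50, 130, 131, 132, 133, 400]))
```

The fourth request in the first window trips the limit and starts the 120 s block; the request at 50 s is refused without touching the counter; the window has reset by 130 s, so the next three pass, and the second limit hit at 133 s reaches the blacklist threshold.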
Pro: Application-level Defaults
When the Auth & Rate Limiting module is active for an application, the following defaults apply to every user in that application:
- Allowed auth methods: accepted authentication mechanisms (WordPress Application Password, JWT, OAuth). Requests using a non-listed method are rejected with 403.
- Allowed HTTP methods: permitted verbs across all routes for this application (GET, POST, PUT, PATCH, DELETE).
- Allowed IPs: optional IP allowlist. Requests from unlisted IPs are rejected.
- Allowed origins: optional origin allowlist. Requests from unlisted origins are rejected.
- Default rate limit: maximum requests and time window applied to all users of this application unless overridden at user level.
User-level settings can only be more restrictive, never more permissive.
Pro: Users List
The users list manages which WordPress users have access to the application.
- Add a user with the add button.
- Enable / Disable a user entry. A confirmation is required.
- Delete one or more users. A confirmation is required.
An application supports an unlimited number of users.
Pro: User Editor
Accessible from the users list, the user editor lets you configure per-user access rules that narrow the application defaults:
- User: select the WordPress user account this entry applies to.
- Auth method: if multiple methods are allowed at application level, restrict this user to a single one.
- Auth keys: for methods other than WordPress Application Password (which is self-contained), provide the relevant credentials or token.
- Allowed HTTP methods: restrict to a subset of the methods permitted at application level.
- Allowed IPs: narrow to one or more specific IPs.
- Allowed origins: narrow to one or more specific origins.
- Rate limit: override the application default with a lower quota. Rate limits can only be tightened at user level, not relaxed.
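The "narrow but never relax" rule from the application defaults section and the per-user fields above amount to a policy merge where every user value must be a subset of the application value. The code below is an added example, not the plugin's implementation: `narrow` rejects any user setting that would widen access and `authorize` evaluates a request against the effective policy. Assumptions: a "lower quota" is taken to mean a lower request rate (max requests divided by window), IP allowlists are CIDR strings with user entries required to lie inside an application entry, and rejections other than the documented 403 for an unlisted auth method are also answered with 403.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


class PolicyError(ValueError):
    """Raised when a user-level setting would relax the application defaults."""


@dataclass(frozen=True)
class Policy:
    auth_methods: frozenset               # e.g. {"app_password", "jwt", "oauth"}
    http_methods: frozenset               # e.g. {"GET", "POST"}
    allowed_ips: Optional[tuple]          # CIDR strings; None = no IP allowlist
    allowed_origins: Optional[frozenset]  # None = no origin allowlist
    max_requests: int
    window: int                           # seconds


def _subset_or_error(name, user_values, app_values):
    """A user value set may only shrink the application's set."""
    if not user_values <= app_values:
        extra = sorted(user_values - app_values)
        raise PolicyError(f"{name}: {extra} not permitted at application level")
    return user_values


def _ips_within(user_cidrs, app_cidrs):
    """Each user CIDR must sit inside some application CIDR (assumed semantics)."""
    if app_cidrs is None:
        return tuple(user_cidrs)            # app has no allowlist; any narrowing is fine
    app_nets = [ip_network(c, strict=False) for c in app_cidrs]
    for cidr in user_cidrs:
        net = ip_network(cidr, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in app_nets):
            raise PolicyError(f"allowed_ips: {cidr} is outside the application allowlist")
    return tuple(user_cidrs)


def narrow(app: Policy, user: dict) -> Policy:
    """Merge user-level overrides into the application defaults; keys may only narrow."""
    auth = app.auth_methods
    if "auth_method" in user:             # user editor allows exactly one method
        auth = _subset_or_error("auth_method", frozenset([user["auth_method"]]), app.auth_methods)
    methods = app.http_methods
    if "http_methods" in user:
        methods = _subset_or_error("http_methods", frozenset(user["http_methods"]), app.http_methods)
    ips = app.allowed_ips
    if "allowed_ips" in user:
        ips = _ips_within(user["allowed_ips"], app.allowed_ips)
    origins = app.allowed_origins
    if "allowed_origins" in user:
        origins = frozenset(user["allowed_origins"])
        if app.allowed_origins is not None:
            origins = _subset_or_error("allowed_origins", origins, app.allowed_origins)
    max_req, window = app.max_requests, app.window
    if "rate_limit" in user:
        max_req, window = user["rate_limit"]
        # Assumption: "lower quota" means a lower sustained request rate.
        if max_req / window > app.max_requests / app.window:
            raise PolicyError("rate_limit: user quota exceeds the application default")
    return Policy(auth, methods, ips, origins, max_req, window)


def authorize(policy: Policy, auth_method: str, http_method: str, ip: str, origin: str) -> int:
    """Return the status the firewall would answer with: 200 pass-through, 403 rejected."""
    if auth_method not in policy.auth_methods:
        return 403                        # documented: non-listed auth method -> 403
    if http_method not in policy.http_methods:
        return 403
    if policy.allowed_ips is not None:
        addr = ip_address(ip)
        if not any(addr in ip_network(c, strict=False) for c in policy.allowed_ips):
            return 403
    if policy.allowed_origins is not None and origin not in policy.allowed_origins:
        return 403
    return 200


# Constructed application defaults and one user override used by the test.
APP = Policy(frozenset({"app_password", "jwt"}), frozenset({"GET", "POST", "DELETE"}),
             ("10.0.0.0/8",), None, max_requests=100, window=60)
USER = {"auth_method": "jwt", "http_methods": ["GET"], "allowed_ips": ["10.1.2.0/24"],
        "allowed_origins": ["https://app.example"], "rate_limit": (20, 60)}
```

Running `narrow(APP, USER)` yields a policy limited to JWT, GET, the /24 inside 10.0.0.0/8, a single origin and 20 requests per minute; any override outside those bounds raises `PolicyError` instead of silently widening the application policy.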
FAQ
Are rate limits shared across applications?
No. In Pro, each user entry belongs to a specific application and its counter is scoped to that application. Use separate user entries per application to keep quotas isolated.
What happens to unauthenticated requests?
Unauthenticated requests are not affected by user entries. To block them, enable authentication enforcement in the Routes panel.
Can a user belong to multiple applications?
Yes. Create a separate user entry in each application. The same WordPress user can have different rate limits, auth methods, and access rules per application.