The UTB Product Builder REST API supports three authentication methods. All requests must satisfy at least one to receive a successful response.

Authentication methods

1. API key header

Pass your API key in the X-UTB-API-Key request header. This is the primary method for server-to-server integrations.
curl https://yoursite.com/wp-json/utb/v1/orders \
  -H "X-UTB-API-Key: your-api-key-here"

2. Bearer Token header

If your environment runs an SSO plugin that intercepts the Authorization header before WordPress can process it, you can pass your API key as a Bearer token instead. The plugin compares the token value against the configured API key using the same constant-time comparison it applies to the X-UTB-API-Key header.
curl https://yoursite.com/wp-json/utb/v1/orders \
  -H "Authorization: Bearer your-api-key-here"
The Bearer token method is not OAuth — it is a trick to bypass aggressive SSO plugins. The token value must be your UTB API key, not an OAuth access token.

3. WordPress user session

A WordPress user who is logged in and has the manage_woocommerce capability can make authenticated requests through the browser session cookie. This is primarily useful for admin scripts running inside WordPress.

Setting up the API key

You can configure the API key in either of two places. The wp-config.php constant takes precedence.

Via wp-config.php (recommended)
define('UTB_API_KEY', 'your-secure-random-key-here');

Via WordPress options
Set the option utb_api_key through the WordPress admin or with WP-CLI:
wp option update utb_api_key 'your-secure-random-key-here'

Generate a strong key with: openssl rand -hex 32

Security

Key comparisons use hash_equals(), which runs in constant time and prevents timing attacks. If no key is configured on the server, the API returns 500 instead of allowing open access.

Error responses

| Status | Code | Condition |
|---|---|---|
| 401 | rest_forbidden | No credentials provided |
| 403 | invalid_api_key | API key provided but does not match |
| 500 | api_key_not_configured | No API key is set on the server |
| 501 | oauth_not_implemented | A Bearer token was sent that does not match the API key (OAuth not implemented) |

All error responses are JSON:
{
  "code": "invalid_api_key",
  "message": "API Key inválida.",
  "data": { "status": 403 }
}

Access logging

Define UTB_API_LOGGING as true in wp-config.php to enable access logging:
define('UTB_API_LOGGING', true);
Two log files are written to WP_CONTENT_DIR:

| File | Contents |
|---|---|
| utb-api-access.log | Successful requests (timestamp, action, order ID, params, IP, user agent) |
| utb-api-failed-auth.log | Failed authentication attempts (timestamp, method, first 10 chars of credential, IP) |

Each line is a JSON-encoded object:
{"timestamp":"2026-03-18 14:00:00","action":"get_orders","order_id":null,"params":{"page":1},"ip":"203.0.113.5","user_agent":"curl/8.1.0"}
Log files are plain text on disk and not rotated automatically. Monitor their size in production environments.
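
One way to monitor utb-api-failed-auth.log for repeated failures from a single IP inside a sliding time window. This is an added example, not code from the plugin. The timestamp and ip keys follow the access-log line shown above; method and credential_prefix are assumed key names, and the threshold and window are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ts, ip):
    # "method" and "credential_prefix" are assumed key names for the listed fields.
    return json.dumps({"timestamp": ts, "method": "api_key",
                       "credential_prefix": "XXXXXXXXXX", "ip": ip})

# Constructed sample: six failures from one IP in 50 seconds, two isolated
# failures from another, and one line truncated mid-write.
SAMPLE_LOG = "\n".join(
    [_line(f"2026-03-18 14:00:{s:02d}", "203.0.113.5") for s in range(0, 60, 10)]
    + [_line("2026-03-18 14:05:00", "198.51.100.7"),
       '{"timestamp":"2026-03-18 14:0',
       _line("2026-03-18 14:20:00", "198.51.100.7")]
)

def parse_lines(text):
    """Yield (datetime, ip) for each valid line; skip blank or malformed ones."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
            yield ts, str(rec["ip"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated write or non-JSON noise

def noisy_ips(text, threshold=5, window=timedelta(minutes=1)):
    """Map each IP to its peak failure count in any window, if >= threshold."""
    by_ip = defaultdict(list)
    for ts, ip in parse_lines(text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(noisy_ips(SAMPLE_LOG))
```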
