API Keys and External Calls
Create an API key and call WP Engine from cURL, TypeScript, and Python
Use API keys when an external system needs to call WP Engine without a browser session. Dashboard users can create and revoke keys from /account/api-keys.
Authentication model
Send API keys in the x-api-key header.
| Tier | Rate limit |
|---|---|
| Free | 100 requests/hour |
| Pro | 1000 requests/hour |
API keys are displayed once when created. Store the key before closing the dialog. If you lose it, revoke the old key and create a new one.
Create a key
- Open
/account/api-keys. - Click Create Key.
- Enter a descriptive name, such as
crm-sync-prod. - Copy the generated key immediately.
- Store it in your secret manager or deployment environment.
Base URL
API reference operations are exposed under:
/api/rpcUse your web app host as the origin:
https://your-web-host.example/api/rpccURL example
curl -X POST "https://your-web-host.example/api/rpc/server/ping" \
-H "x-api-key: $WP_ENGINE_API_KEY" \
-H "content-type: application/json" \
--data '{}'TypeScript example
const baseUrl = "https://your-web-host.example/api/rpc";
const apiKey = process.env.WP_ENGINE_API_KEY;
if (!apiKey) {
throw new Error("WP_ENGINE_API_KEY is required");
}
const response = await fetch(`${baseUrl}/server/ping`, {
method: "POST",
headers: {
"content-type": "application/json",
"x-api-key": apiKey,
},
body: JSON.stringify({}),
});
if (!response.ok) {
throw new Error(`WP Engine API failed: ${response.status}`);
}
const data = await response.json();
console.log(data);Python example
import os
import requests
base_url = "https://your-web-host.example/api/rpc"
api_key = os.environ["WP_ENGINE_API_KEY"]
response = requests.post(
f"{base_url}/server/ping",
headers={
"content-type": "application/json",
"x-api-key": api_key,
},
json={},
timeout=10,
)
response.raise_for_status()
print(response.json())Sending a WhatsApp message
Use the whatsapp.sendMessage operation when an external system needs to send through a connected client.
curl -X POST "https://your-web-host.example/api/rpc/whatsapp/sendMessage" \
-H "x-api-key: $WP_ENGINE_API_KEY" \
-H "content-type: application/json" \
--data '{
"clientId": "00000000-0000-0000-0000-000000000000",
"jid": "15551234567@s.whatsapp.net",
"message": { "text": "Hello from WP Engine" }
}'Replace clientId with a client owned by the API key's user. Replace jid with the WhatsApp JID for the recipient.
Try-It panel
The API reference pages include a Try-It panel. Paste your API key into the authorization field on an operation page. The docs app forwards requests through its proxy route to avoid browser CORS issues.
Security checklist
- Store API keys as secrets, not in source code.
- Use one key per integration so you can revoke access independently.
- Rotate keys when a teammate leaves or a deployment secret leaks.
- Use the dashboard session for human users and API keys for machines.
- Keep admin-only operations, such as proxy seeding, restricted to admin users.