=== Infospica Headless API ===
Contributors: pushpasharmila
Tags: headless, rest api, wordpress api, headless cms, acf
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

WordPress REST API plugin for headless CMS — custom namespace, full CRUD, CPT support, ACF integration, and secure authentication.

== Description ==

**Infospica Headless API** is a WordPress REST API plugin that transforms your WordPress site into a secure, scalable headless CMS with fully isolated custom REST API endpoints.

Build modern frontend applications using Next.js, React, Vue, Angular, or mobile apps — powered by WordPress as a backend API, without touching the default WordPress REST API.

**Looking for a secure WordPress REST API plugin for headless CMS?** Infospica Headless API gives you a custom namespace, full CRUD support, ACF field access, and authentication control — all from a clean WordPress admin UI.

== Why use Infospica Headless API? ==

Most developers using WordPress as a headless CMS face the same problems: the default REST API exposes too much data publicly, offers no namespace control, and has weak write protection.

Infospica Headless API solves all of that with a dedicated, configurable API layer purpose-built for modern headless WordPress architectures.

**Key advantages:**

* Fully isolated API namespace — no interference with default WordPress REST API
* Every endpoint requires authentication — no accidental public data exposure
* Write operations are locked to WordPress capability checks
* Works with any headless frontend: Next.js, Nuxt, React, Vue, Angular, or mobile

== Key Features ==

* **Custom WordPress REST API namespace** with version control (`/wp-json/my-api/v1/`)
* **Full CRUD endpoints** — GET, POST, PUT, PATCH, DELETE
* **Supports Pages, Posts, and Custom Post Types (CPT)**
* **ACF field support** — include Advanced Custom Fields in API responses
* **Authentication-aware** — all endpoints require authentication; write operations require capabilities
* **CSRF protection** — nonce validation enforced for cookie-based authentication
* **Pagination** — `?page` and `?per_page` on all list endpoints (max 50 per page)
* **WooCommerce-safe** — core WooCommerce pages automatically excluded
* **Clean admin UI** — manage namespace, version, and enabled content types
* **Clean uninstall** — removes all plugin options on uninstall

== Use Cases ==

* **Headless WordPress with Next.js** — fetch posts, pages, and CPTs via secure REST API
* **WordPress REST API for React or Vue** — isolated namespace, no public data leakage
* **Mobile app backend** — use WordPress as a content API for iOS or Android apps
* **SaaS platforms** — use WordPress as a headless CMS for multi-tenant applications
* **ACF API** — expose Advanced Custom Fields data via authenticated REST endpoints
* **CPT API** — serve Custom Post Type data to any external frontend or service

== Security ==

* All endpoints require authentication — including read (GET) requests
* Write operations require WordPress capability checks (`edit_posts`, `delete_posts`)
* Nonce validation enforced for all cookie-based write requests (CSRF protection)
* Email addresses and sensitive user data never included in API responses
* WooCommerce core pages (Shop, Cart, Checkout, My Account) excluded automatically

== Authentication ==

All endpoints require authentication.

**Supported methods:**

* **Application Passwords** (recommended) — available since WordPress 5.6; generate under Users → Profile and send as Basic Auth header
* **WordPress login cookies** — for browser or admin usage; write requests require `X-WP-Nonce` header or `_wpnonce` parameter
* Any authentication method that correctly sets the WordPress user context

Write operations are additionally restricted by WordPress user capabilities.

== Available Endpoints ==

Base URL structure:

`/wp-json/{namespace}/{version}/`

Example:

`/wp-json/my-api/v1/`

= Status =

`GET /status`

= Pages =

`GET /pages`
`GET /pages/{id}`
`POST /pages`
`PUT /pages/{id}`
`PATCH /pages/{id}`
`DELETE /pages/{id}`

= Posts =

`GET /posts`
`GET /posts/{id}`
`POST /posts`
`PUT /posts/{id}`
`PATCH /posts/{id}`
`DELETE /posts/{id}`

= Custom Post Types =

`GET /{post-type}`
`GET /{post-type}/{id}`
`POST /{post-type}`
`PUT /{post-type}/{id}`
`PATCH /{post-type}/{id}`
`DELETE /{post-type}/{id}`

== Pagination ==

All list endpoints support pagination parameters:

`?page=1&per_page=10` (maximum 50 results per page)

Example:

`/wp-json/my-api/v1/posts?page=2&per_page=5`

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/infospica-headless-api/`
2. Activate the plugin from the **Plugins** screen in WordPress admin
3. Navigate to **Infospica Headless API** in the admin menu
4. Set your API namespace, version, and enable the content types you need
5. Save settings
6. Use the generated endpoint URLs in your headless frontend or mobile app

== Frequently Asked Questions ==

= What is a headless WordPress REST API plugin? =

A headless WordPress REST API plugin lets you use WordPress purely as a content backend, serving data to any frontend — Next.js, React, Vue, Angular, or a mobile app — via REST API endpoints. Infospica Headless API creates a secure, isolated custom namespace for this purpose, separate from the default WordPress REST API.

= Does this replace the default WordPress REST API? =

No. Infospica Headless API creates a completely separate custom REST namespace. The default WordPress REST API at `/wp-json/wp/v2/` remains fully unchanged and unaffected.

= How is this different from the default WordPress REST API? =

The default REST API exposes data publicly without authentication. Infospica Headless API creates an isolated namespace where every endpoint requires authentication, write operations are capability-checked, and you control exactly which content types are exposed.

= Is authentication required for all endpoints? =

Yes. Every endpoint — including GET (read) requests — requires authentication. Write operations additionally require the appropriate WordPress capability (`edit_posts`, `delete_posts`, etc.).

= How do I authenticate API requests from a Next.js or React app? =

Use WordPress Application Passwords (available since WordPress 5.6). Generate one under Users → Profile, then send it as a Basic Auth header with every API request. This is the recommended method for all headless frontend applications.

= Does it support ACF (Advanced Custom Fields)? =

Yes. Enable ACF support in the plugin settings to include ACF custom fields in API responses. Advanced Custom Fields must be installed and active.

= Does it support Custom Post Types (CPT)? =

Yes. Any public CPT with `show_in_rest` enabled will automatically get REST API endpoints once CPT support is enabled in the plugin settings.

= Does it work with WooCommerce? =

WooCommerce core pages (Shop, Cart, Checkout, My Account) are automatically excluded from page responses to prevent conflicts. Full WooCommerce product API support may be added in a future release.

= Can I use this for a Next.js headless WordPress site? =

Yes. This plugin is built specifically for headless WordPress architectures. Use Application Passwords for authentication and call the REST API endpoints from your Next.js `getStaticProps`, `getServerSideProps`, or App Router server components.

= What is the best WordPress REST API plugin for headless CMS? =

If you need a secure, isolated REST API namespace with full CRUD support, CPT integration, ACF compatibility, and authentication control — Infospica Headless API is purpose-built for exactly that use case.

= Does it support pagination? =

Yes. All list endpoints support `?page=1&per_page=10`. The maximum is 50 results per page.

= Is there a status endpoint to verify the API is working? =

Yes. Send an authenticated `GET` request to `/wp-json/{namespace}/{version}/status` to confirm the API is active and check the current plugin version.

== Screenshots ==

1. Plugin settings page — configure namespace, version, and content types
2. REST API endpoints overview — auto-generated URLs with copy button

== Changelog ==

= 1.0.0 =
* Initial stable release
* Custom namespace-based REST API
* Full CRUD support for Pages, Posts, and CPTs
* ACF field integration
* Pagination support
* Admin UI with endpoint reference
* Clean uninstall

== Upgrade Notice ==

= 1.0.0 =
Initial stable release. No upgrade steps required.

== License ==

This plugin is licensed under GPLv2 or later.
See: https://www.gnu.org/licenses/gpl-2.0.html
