CHADA Store

REST API reference

WooFraudGuard exposes a REST namespace at /wp-json/woofraudguard/v1/. Cookie-authenticated access from the admin UI is always free; external (token-based) access requires an Enterprise license.

Authentication

  • Cookie — works when called from a wp-admin context. Every request needs an X-WP-Nonce header (the React app handles this automatically).
  • Application Passwords — recommended for server-to-server access. Generate one under Users → Profile → Application Passwords and use HTTP Basic Auth.
  • OAuth1 / OAuth2 — both supported via standard WP plugins (WP REST API OAuth1, miniOrange OAuth2 Server, etc.).

Endpoints

GET /scores

Paginated list of scored orders.

GET /wp-json/woofraudguard/v1/scores?per_page=20&page=1&decision=hold&min_score=50

200 OK
{
  "items": [{
    "id": 42, "order_id": 1042,
    "order_number": "1042", "customer_email": "...",
    "total_score": 78, "decision": "hold",
    "created_at": "2026-05-18 22:33:09",
    "top_reasons": ["Email on blocklist", "IP risk", "Behavioural anomalies"]
  }, ...],
  "total": 153, "total_pages": 8, "page": 1, "per_page": 20
}

GET /scores/{id}

Full detail for one score, including every rule hit (firing or dormant), the LLM explanation, linked orders, chargebacks, and blockable atoms.

POST /scores/analyze/{order_id}

Re-score an existing order. Returns the new score id. Does not change the order status — produces a new row in wfg_risk_scores for comparison with the historical score.

POST /scores/{id}/explanation

Regenerate the LLM explanation for an existing score. Useful after switching locale.

GET /metrics

Rolling 30-day dashboard metrics — counts, averages, top rules.

GET /blocklist

Paginated list of blocklist entries with type filter and value search.

POST /blocklist

POST /wp-json/woofraudguard/v1/blocklist
{
  "type": "email",
  "value": "buyer@example.com",
  "reason": "Auto-blocked from chargeback",
  "duration_seconds": 0  // 0 = permanent
}

DELETE /blocklist/{id}

Remove a blocklist entry.

GET /settings

Read all WooFraudGuard settings (thresholds, rule weights, action playbook). Integration keys are returned redacted.

POST /settings

Update settings. Partial updates are supported — only fields present in the body are written.

Errors

All errors follow the standard WP_Error shape:

{
  "code": "woofraudguard_not_found",
  "message": "Score not found.",
  "data": { "status": 404 }
}
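
The following is an added example, not code from WooFraudGuard: a server-to-server client that authenticates with an Application Password over HTTP Basic Auth, walks every page of GET /scores for held orders, and turns WP_Error bodies into exceptions. The site URL, user name, and all function and class names are assumptions; the query parameters and response fields are the ones documented above.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

NAMESPACE = "/wp-json/woofraudguard/v1"  # namespace documented on this page

class WfgError(Exception):
    """Raised for a response in the WP_Error shape (code, message, data.status)."""
    def __init__(self, code, message, status):
        super().__init__(f"{status} {code}: {message}")
        self.code, self.status = code, status

def build_request(site, user, app_password, path, **params):
    # Basic Auth is only base64-encoded, so refuse to send it over plain HTTP.
    if not site.startswith("https://"):
        raise ValueError("Application Password must only be sent over HTTPS")
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    query = "?" + urlencode(params) if params else ""
    return Request(site.rstrip("/") + NAMESPACE + path + query,
                   headers={"Authorization": "Basic " + token,
                            "Accept": "application/json"})

def http_send(req):
    # urlopen raises on 4xx/5xx; the error body still carries the WP_Error JSON.
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()

def parse(status, body):
    doc = json.loads(body)
    if status >= 400:  # assumes error bodies follow the WP_Error shape
        data = doc.get("data") or {}
        raise WfgError(doc.get("code", "unknown"), doc.get("message", ""),
                       data.get("status", status))
    return doc

def held_orders(site, user, app_password, min_score=50, send=http_send):
    """Yield every scored order with decision=hold, following total_pages."""
    page = 1
    while True:
        req = build_request(site, user, app_password, "/scores", per_page=20,
                            page=page, decision="hold", min_score=min_score)
        doc = parse(*send(req))
        yield from doc["items"]
        if page >= doc["total_pages"]:
            return
        page += 1
```

The `send` parameter exists so the pagination and error handling can be exercised against constructed responses without a live store; in production, keep the Application Password in a secrets manager and give its user only the capabilities this integration needs.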