Authentication

For the authentication screen, we have to log in to WordPress using a user account. WordPress requires an app password to get information from the API.

1. Authentication

Authentication is oAuth type now. You need to generate a token by using the user's email and password and send that token with each request. You will also need basic auth for the token request, a client ID and client password, to be provided.

Authorization: Bearer token

You also need to send a header so that you are not checked by cloudflare. This should go with all requests.

x-connect-allow: string

        curl -X POST 'https://maforum.ippf.org/oauth/token' \
  --data 'username=username' \
  --data 'password=password' \
  --data 'grant_type=password' \
  --user 'clientId:clientPassword'
        

{
  "access_token": "kpbnrzo3jo18a7qhtw5ddbb0z45biywsa2uq9r1t",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "basic",
  "refresh_token": "wrumyk9nk9atx9zavggynq0ngv6lkzag8ximyxwj"
}

2. Forgot password

I think this should just open a web view or better yet a browser to https://maforum.ippf.org/portal/?action=lostpassword

You need to send a header to the endpoint to be able to use it.

X-SENPAI-Key

        curl -X POST 'https://maforum.ippf.org/wp-json/custom/v1/register?username=myusername4&email=example@domain.com&password=12345678&password_confirmation=12345678&first_name=John&last_name=Doe&organization=Company&country=Romania&position=Developer' \
  --header 'X-SENPAI-Key: {key}'
        

{
  "success": true,
  "message": "Registration successful! Please check your email to verify your account.",
  "user_id": 1990,
  "verification_required": true
}

{
  "code": "username_exists",
  "message": "This username is already taken. Please choose another.",
  "data": {
    "status": 400
  }
}

4. Account deletion (disable actually)

This is a regular authenticated request with all the normal headers you send. You need to immediately log out the user after.

        curl -X POST 'https://maforum.ippf.org/wp-json/custom/v1/disable-account?password=string' \
  --header 'x-connect-allow: string' \
  --header 'Authorization: Bearer token'
        

password - required to send the user password in order to authenticate the request

{
  "success": true,
  "message": "Your account has been successfully deleted."
}

{
  "code": "invalid_password",
  "message": "Invalid password provided.",
  "data": {
    "status": 403
  }
}

30 September 2025

Authentication

1. Authentication

2. Forgot password

3. Signup

4. Account deletion (disable actually)