Mandate

When an app authenticates with WordPress, it gains the full capabilities of that user. WordPress has no way to limit that.

Mandate adds the policy layer WordPress never ships with.

WordPress authenticates the request. It doesn't limit it.

Application Passwords prove identity. They don't restrict what an authenticated request can do. That falls entirely on the user's capabilities. If that user is an admin, every app that logs in as them has admin-level access.

Today, REST clients, automation platforms, AI agents, management tools, and MCP connectors all make authenticated requests to WordPress. Any of them, if misconfigured or compromised, can do anything that user can do.

Mandate adds what's missing: a policy per Application Password. You define what each credential is allowed to do. Mandate enforces it on every request.

Normal WordPress user sessions are unaffected.

Mandate removes access that apps should never have had.

Example scope: Read-only integration

  • Read posts, pages & media
  • No writes or deletes
  • No access to settings, users, or plugins

For analytics tools, headless frontends, and reporting dashboards.

Example scope: Content publisher

  • Create, edit & publish posts
  • Upload media
  • No user management, plugins, or settings

For editorial tools, automation workflows, and AI writing assistants.

Example scope: WooCommerce reader

  • Read orders & products
  • No order edits or fulfilment actions
  • No access to store settings or users

For reporting integrations, dashboards, and external order management tools.

Pick the app password. Define its scope. Mandate enforces it.

1. Select the user

Pick the user that owns the app password you want to scope.

2. Choose the Application Password

Scope one specific credential without touching the user's other passwords or their normal wp-admin access.

3. Remove unnecessary capabilities

Mandate checks scope on every API request. Anything outside it is blocked before WordPress acts on it.
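As an added illustration of the enforcement point described above (not Mandate's own code, which this page does not show), the sketch below uses two WordPress core hooks, `application_password_did_authenticate` and `rest_pre_dispatch`, to hold one Application Password to the read-only scope from the first example scope. The policy table, its placeholder UUID, the global used to carry the credential's identity, and the error code are assumptions.

```php
<?php
/**
 * Plugin Name: Scoped Application Password (illustration)
 * Hypothetical sketch, not Mandate's code: deny any REST request made with a
 * given Application Password unless it is a read of posts, pages or media.
 */

// Assumed policy table keyed by the Application Password's UUID, which
// WordPress stores alongside the hashed password in the user's meta.
const SCOPED_APP_PASSWORD_POLICY = array(
    '00000000-0000-0000-0000-000000000000' => array( // placeholder UUID
        'methods' => array( 'GET', 'HEAD', 'OPTIONS' ),
        'routes'  => array( '#^/wp/v2/(posts|pages|media)(/|$)#' ),
    ),
);

// Core fires this after a request authenticates with an Application
// Password; $item is the stored record and includes its 'uuid'.
add_action( 'application_password_did_authenticate', function ( $user, $item ) {
    $GLOBALS['scoped_app_password_uuid'] = $item['uuid']; // assumed global
}, 10, 2 );

// Runs before the REST server dispatches to any controller. Returning a
// WP_Error short-circuits dispatch, so WordPress never acts on the request.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    wp_get_current_user(); // make sure authentication has already run
    $uuid = $GLOBALS['scoped_app_password_uuid'] ?? null;
    if ( null === $uuid || ! isset( SCOPED_APP_PASSWORD_POLICY[ $uuid ] ) ) {
        return $result; // cookie session or unscoped credential: unchanged
    }
    $policy = SCOPED_APP_PASSWORD_POLICY[ $uuid ];

    // Block writes and deletes before any capability check is reached.
    if ( ! in_array( $request->get_method(), $policy['methods'], true ) ) {
        return new WP_Error( 'rest_forbidden_scope',
            'This Application Password is read-only.', array( 'status' => 403 ) );
    }
    // Allow only routes inside the scope (posts, pages, media); settings,
    // users and plugins never match and are refused.
    foreach ( $policy['routes'] as $pattern ) {
        if ( preg_match( $pattern, $request->get_route() ) ) {
            return $result;
        }
    }
    return new WP_Error( 'rest_forbidden_scope',
        'Route is outside this Application Password\'s scope.', array( 'status' => 403 ) );
}, 10, 3 );
```

Requests that arrive through a normal wp-admin session never set the assumed global, so they pass through the filter untouched, which matches the behaviour the page describes for user sessions.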

Install free from WordPress.org or GitHub. Auto-updates included.

The WordPress.org listing is included ahead of acceptance and may not be live yet.