---
title: Subscriptions API and Auth
menu_group: Subscriptions
menu_order: 50
tab: API/Auth
tab_order: 30
admin_slug: wpst_subscription_api
requires_subscriptions: true
summary: REST authentication, bearer tokens, login endpoints, and security options.
---

# Subscriptions API and Auth

**Location:** MediaBlaster → Subscriptions → **API/Auth** tab

Configure how apps and headless clients authenticate against the MediaBlaster REST API at `/wp-json/mediablaster/v3/`.

## Prerequisites

- `WPST_SUBSCRIPTIONS_ENABLED` set to `true` in `wp-config.php`.
- **Enable REST/API access** on Subscriptions → General.

## Token and login settings

| Setting | Description |
|---------|-------------|
| **Enable app/device API tokens** | Issues Bearer tokens for authenticated API requests. |
| **Token expiry days** | How long access tokens remain valid before refresh. |
| **Allow email/password login endpoint** | `POST /auth/login` for app sign-in. |
| **Allow token refresh endpoint** | `POST /auth/refresh` to renew tokens. |
| **Allow device name registration** | Associates tokens with device labels for admin visibility. |
| **Allow headless registration endpoint** | `POST /auth/register` for app-driven sign-up. |
| **Require verified email before API access** | Blocks API use until the user's WordPress email is verified. |

## Security

| Setting | Description |
|---------|-------------|
| **Require HTTPS for API token login** | Rejects login over plain HTTP in production. |
| **Locked content HTTP status** | Return **403 Forbidden** or **404 Not Found** for unauthorized API content requests; 404 avoids confirming that the locked item exists. |
| **Log payment payloads (debug)** | Writes redacted payment debug info — use only temporarily. |

An admin warning appears when your site is not served over HTTPS while REST tokens or Stripe checkout are enabled.

## Using the API

Authenticate requests with:

```
Authorization: Bearer {token}
```

Obtain a token via `POST /wp-json/mediablaster/v3/auth/login` with email and password, or register via `/auth/register` when enabled.

Common routes (full detail in [Subscriptions and Apps API](rest-api-subscriptions.md)):

- `GET /me` — authentication state and basic profile
- `GET /subscription/status` — active plan summary (auth required)
- `GET /subscription/tiers` — public tier list
- `GET /app/config` — client-safe Stripe and feature config
- `POST /auth/login`, `/auth/register`, `/auth/refresh`, `/auth/logout`
- `POST /payments/stripe/create-checkout-session` — start checkout

Content catalog and fields: [Content API and Fields](rest-api-content.md). Each item includes `access` and may redact `media.url` when locked.
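The login and Bearer flow above as a small Python client. This is an added example, not MediaBlaster's own code: it refuses plain-HTTP sites before any credential is sent and treats both configurable locked-content statuses the same way. The JSON body keys `email`/`password`, the `token` reply field, and the `ApiClient` and `http_transport` names are assumptions; check [Subscriptions and Apps API](rest-api-subscriptions.md) for the real shapes.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_PREFIX = "/wp-json/mediablaster/v3"  # base path from this page

def http_transport(method, url, headers, body):
    # Send one request; return (status, decoded JSON or None).
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None

class ApiClient:
    def __init__(self, site, transport=http_transport):
        # Client-side counterpart of "Require HTTPS for API token login":
        # never put a password or bearer token on a plain-HTTP connection.
        parts = urlsplit(site)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("site must be an https:// URL")
        self.base = site.rstrip("/") + API_PREFIX
        self.transport = transport
        self.token = None  # keep in memory only; never log it

    def call(self, method, route, payload=None):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token
        body = json.dumps(payload).encode() if payload is not None else None
        return self.transport(method, self.base + route, headers, body)

    def login(self, email, password):
        # ASSUMPTION: body keys "email"/"password" and reply field "token".
        status, data = self.call("POST", "/auth/login", {"email": email, "password": password})
        if status != 200 or not isinstance(data, dict) or not data.get("token"):
            raise PermissionError("login failed (HTTP %d)" % status)
        self.token = data["token"]

    def fetch(self, route):
        status, data = self.call("GET", route)
        # Which of the two arrives depends on "Locked content HTTP status".
        if status in (403, 404):
            return "locked", None
        if status != 200:
            raise RuntimeError("unexpected HTTP %d" % status)
        return "ok", data
```

Pass a stub as `transport` to exercise the client offline; the default uses `urllib` against the live site.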

## Related guides

- [REST API Overview](rest-api-overview.md)
- [Subscriptions and Apps API](rest-api-subscriptions.md)
- [Content API and Fields](rest-api-content.md)
- [Subscriptions General](subscriptions-general.md)
- [Stripe Checkout Setup](stripe-checkout-setup.md) (checkout REST routes)
