Authentication
Every request to Novamira’s MCP server must be authenticated. There is no anonymous access. This page explains how authentication works and how to manage credentials.
How authentication works
Novamira uses WordPress Application Passwords for HTTP transport authentication. Application Passwords are a feature built into WordPress core (since version 5.6) that lets external applications authenticate with WordPress without using your main login password.
The authentication flow:
- Your AI client starts the MCP remote proxy (@automattic/mcp-wordpress-remote) with your WordPress username and application password.
- The proxy sends requests to your WordPress REST API with the credentials in the HTTP Authorization header (Basic Auth).
- WordPress validates the application password against the stored hash for that user.
- If valid, WordPress authenticates the request as that user with all their capabilities.
- The MCP Adapter checks the permission callback for each ability before executing it.
HTTPS requirement
WordPress requires HTTPS for Application Passwords. This is a security measure built into WordPress core to prevent credentials from being transmitted in plain text.
For local development without HTTPS, you can bypass this requirement by setting the environment type in wp-config.php:
define( 'WP_ENVIRONMENT_TYPE', 'local' );
Do not use this workaround on remote servers. Remote connections must use HTTPS.
STDIO transport authentication
When using the STDIO transport (local development with WP-CLI), authentication works differently. The --user=admin flag in the WP-CLI command specifies which WordPress user to authenticate as. Since WP-CLI runs directly on the server, no network credentials are needed.
Managing Application Passwords
Creating a password
Go to Novamira > Connect and use the Application Passwords section. You can also create application passwords from your WordPress user profile page under Users > Profile > Application Passwords.
Revoking a password
On the Novamira > Connect page, click Revoke next to any application password. Any AI client using that password will immediately lose access. Other application passwords continue to work.
Best practices for Application Passwords
- Create a separate application password for each AI client or workstation.
- Give each password a descriptive name (e.g., “Claude Desktop – MacBook”) so you can identify and revoke specific ones.
- Revoke passwords you no longer use.
- The Connect page shows “Last Used” timestamps for each password, helping you identify inactive credentials.
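The following Python sketch is an added example, not Novamira's own code: it builds the Basic Auth request described in the authentication flow for WordPress core's application-passwords REST route, and flags idle credentials from that route's `created` and `last_used` fields. The 30-day window, the localhost exemption, the pretty-permalink `/wp-json/` prefix and the sample records are assumptions.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Core WordPress REST route listing the authenticated user's application passwords.
ROUTE = "/wp-json/wp/v2/users/me/application-passwords"

def build_request(site_url, username, app_password):
    """Return (url, headers) for the listing call; refuse plain HTTP to remote hosts."""
    parts = urlsplit(site_url)
    is_local = parts.hostname in ("localhost", "127.0.0.1", "::1")  # assumed exemption
    if parts.scheme != "https" and not is_local:
        raise ValueError("refusing to send Basic Auth credentials over plain HTTP")
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    return site_url.rstrip("/") + ROUTE, {"Authorization": f"Basic {token}"}

def _parse(ts):
    # WordPress returns GMT timestamps without an offset, e.g. 2025-01-10T09:00:00.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def stale_passwords(records, now, max_idle_days=30):
    """Return (name, uuid, reason) for each password that is a revocation candidate."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for rec in records:
        if rec.get("last_used") is None:
            # Never used: flag only once it is older than the idle window.
            if _parse(rec["created"]) < cutoff:
                findings.append((rec["name"], rec["uuid"], "never used"))
        elif _parse(rec["last_used"]) < cutoff:
            findings.append((rec["name"], rec["uuid"], "idle"))
    return findings

# Constructed sample of the route's JSON response (names and UUIDs are made up).
SAMPLE = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "name": "Claude Desktop – MacBook",
     "created": "2025-01-10T09:00:00", "last_used": "2025-05-30T08:12:00"},
    {"uuid": "00000000-0000-4000-8000-000000000002", "name": "Old laptop",
     "created": "2024-11-02T14:30:00", "last_used": "2025-02-01T17:45:00"},
    {"uuid": "00000000-0000-4000-8000-000000000003", "name": "Test client",
     "created": "2025-03-01T10:00:00", "last_used": None},
    {"uuid": "00000000-0000-4000-8000-000000000004", "name": "New workstation",
     "created": "2025-05-28T10:00:00", "last_used": None},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible

if __name__ == "__main__":
    for name, uuid, reason in stale_passwords(SAMPLE, NOW):
        print(f"{reason:<10} {uuid}  {name}")
```

To run it against a live site, send a GET to the URL and headers returned by `build_request` and pass the decoded JSON list to `stale_passwords` with the current UTC time.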
What authentication does not do
Authentication verifies who you are, not what you can do. Once authenticated as an admin user, all eight Novamira abilities are available. There is no per-tool or per-session access control beyond the WordPress capabilities system.