One-time admin access links

A one-time admin access link is a signed URL that logs a specific WordPress user into wp-admin once, then expires. The agent generates the link through an MCP ability. The link is consumed on first use and stops working after a short window. No password is exchanged, ever.

When you would use them

The typical scenario is pairing Novamira with a browser-automation tool, like Chrome DevTools MCP or Playwright MCP. The AI client uses Novamira to act on the WordPress backend directly, and the browser MCP to navigate, screenshot, and verify the result visually.

For the browser tool to see logged-in admin views, it has to be authenticated somewhere. The two bad options are sharing your password with the AI client or with the browser MCP. The good option is asking Novamira for a one-shot link, handing it to the browser tool, and letting it consume the link on the way in.

How it works

The agent calls the ability with the target user (usually you).
Novamira returns a one-time URL.
The AI client, or the browser MCP it controls, opens the URL.
WordPress consumes the link, signs the user in, and the link stops working immediately.

If the link is never used, it still expires after a short window. There is no long-lived token left behind, no cookie issued to the AI client, no password anywhere in the loop.

Security notes

Each link is signed and tied to a specific user account.
Single-use, with a short time window.
Only administrators (the manage_options capability) can grant access this way, and only for users on the same site.
No password is exposed. The agent never sees a credential.
Recommended for staging environments with backups, in line with general Novamira guidance.