# Domain Verification API

This API provides endpoints for verifying domain ownership by storing a verification token in the WordPress database rather than in a text file at the domain root.

## Overview

The domain verification system allows the Content Craft AI backend to verify that a user controls a specific domain. Instead of the traditional approach of creating a verification file at the domain root, this system stores the verification token in the WordPress database and exposes it through a REST API endpoint.

## Endpoints

### Get Verification Token

```
GET /wp-json/content-craft-ai/v1/verification
```

**Purpose:** Allows the Content Craft AI backend to verify domain ownership by checking the stored token.

**Authorization:** Public endpoint, no authentication required.

**Response:**

```json
{
  "success": true,
  "domain": "example.com",
  "verification_token": "your-verification-token"
}
```

Or, if no token is set:

```json
{
  "success": false,
  "message": "No verification token found"
}
```

### Set Verification Token

```
POST /wp-json/content-craft-ai/v1/verification
```

**Purpose:** Sets a verification token for the domain.

**Authorization:** Public endpoint, no authentication required.

**Headers:**

- `Content-Type: application/json`

**Parameters:**

- `token` (string, required): The verification token to store

**Response:**

```json
{
  "success": true,
  "message": "Verification token saved"
}
```

### Delete Verification Token

```
DELETE /wp-json/content-craft-ai/v1/verification
```

**Purpose:** Removes the verification token from the domain.

**Authorization:** Public endpoint, no authentication required.

**Response:**

```json
{
  "success": true,
  "message": "Verification token deleted"
}
```

## Implementation Guide for Backend Developers

### Verification Flow

1. **Generate a Token**: When a user registers or attempts to authenticate from a new domain, generate a unique verification token.

2. **Instruct User**: Ask the user to install the Content Craft AI plugin on their WordPress site if not already installed.

3. **Set the Token**: Use the POST endpoint to set the verification token:

   ```bash
   curl -X POST \
     https://users-domain.com/wp-json/content-craft-ai/v1/verification \
     -H 'Content-Type: application/json' \
     -d '{"token": "your-verification-token"}'
   ```

4. **Verify Domain Ownership**: Make a GET request to the verification endpoint from your backend:

   ```
   GET https://users-domain.com/wp-json/content-craft-ai/v1/verification
   ```

5. **Check Response**: Verify that:

   - The request was successful
   - The domain in the response matches the expected domain
   - The verification token matches the token you generated

6. **Complete Verification**: If verification is successful, update the user's account to allow authentication from the verified domain.

### Security Considerations

- Always validate that the domain matches the expected domain to prevent spoofing.
- Consider implementing a token expiration system for enhanced security.
- Use HTTPS for all API requests to ensure token security during transmission.
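- The verification token should be a sufficiently long random string to prevent guessing.
- The set and delete endpoints accept unauthenticated requests, so any client that can reach the site can overwrite or remove the stored token. Account for this when deciding how much trust a successful check conveys.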
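
The step 5 checks and the considerations above, as an added Python example (not code from the Content Craft AI project): it generates a random token, then validates a GET response body and rejects anything malformed. The function names, the 15-minute expiry window and the sample bodies are assumptions made for this illustration.

```python
import hmac
import secrets
import json
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window; the guide only suggests having one


def new_token(now=None):
    """Return (token, issued_at); 32 random bytes give 43 URL-safe characters."""
    return secrets.token_urlsafe(32), (time.time() if now is None else now)


def normalize_domain(name):
    """Lower-case and drop whitespace and a trailing root dot before comparing."""
    return name.strip().lower().rstrip(".")


def check_verification_response(body, expected_domain, expected_token, issued_at, now=None):
    """Apply the step 5 checks to the raw GET response body; return (ok, reason)."""
    now = time.time() if now is None else now
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False, "token expired"
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return False, "response is not valid JSON"
    if not isinstance(data, dict) or data.get("success") is not True:
        return False, "endpoint reported failure"
    domain, token = data.get("domain"), data.get("verification_token")
    if not isinstance(domain, str) or not isinstance(token, str):
        return False, "missing or non-string field"
    if normalize_domain(domain) != normalize_domain(expected_domain):
        return False, "domain mismatch"
    # Constant-time comparison on bytes (str inputs must be ASCII-only).
    enc = lambda s: s.encode("utf-8", "surrogatepass")
    if not hmac.compare_digest(enc(token), enc(expected_token)):
        return False, "token mismatch"
    return True, "verified"


if __name__ == "__main__":
    token, issued = new_token()
    # Constructed sample bodies in the shape documented above, not captured traffic.
    good = json.dumps({"success": True, "domain": "example.com", "verification_token": token})
    empty = '{"success": false, "message": "No verification token found"}'
    print(check_verification_response(good, "example.com", token, issued))
    print(check_verification_response(empty, "example.com", token, issued))
```

Pass the response body exactly as received; the check on `success` requires the JSON boolean `true`, so a string such as `"true"` is rejected.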
