Token Management
Learn about the site-scoped plugin token format, use cases and security expectations.
What is a Token?
A site-specific bearer token is generated for each plugin connection. The format is dku_<8-hex-prefix>_<32-hex-secret>; the prefix is a randomly generated value, not a fixed tag.
dku_a1b2c3d4_4f8b91c2e8d04b46a1d7f2aa6c93e5fd
- With this token, the plugin can access /status, /metrics, /incidents, /domain-ssl, /audit-log and /maintenance endpoints.
- The same token is also used to send an instant fatal report via the /fatal endpoint.
- The token TTL is 365 days by default.
Where Does the Token Come From?
The plugin token is auto-generated by the dashboard when Ownership Connect succeeds and is delivered to the plugin in a JSON response. The token appears masked in the WordPress admin screen; the raw value is not shown again in the UI.
For token health information, the plugin can read the /token-info endpoint. This endpoint returns issued_at, expires_at, last_used_at, capabilities, days_until_expiry and health fields.
Token Renewal
To refresh the token, reset the connection.
The token is managed fully automatically; there is no separate refresh or revoke interface on the dashboard side. To reset the connection, disconnect in the plugin and restart the ownership flow.
Safety Recommendations
- Each token is generated by Anchor in the Ownership Connect flow and is valid only for the respective site.
- Prefer masked outputs, and remove the raw token from the debug export before sharing it.
- If you share server snapshots or backups, remember that wp_options contains the connection data.
- If you have API integrations, keep Authorization: Bearer... in environment variables or a secure vault instead of writing it to the source code.
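One way to apply the debug-export recommendation above is to scrub anything shaped like dku_<8-hex-prefix>_<32-hex-secret> before a file leaves the server. This is an added example, not code from the plugin or the dashboard; the function name, the masked output form and the sample export are assumptions made for illustration.

```python
import re

# Token shape from this page: dku_<8-hex-prefix>_<32-hex-secret>.
# Assumption: hex is matched case-insensitively and a longer hex run is
# swallowed whole, so the scrubber over-matches rather than leaks.
TOKEN_RE = re.compile(r"dku_([0-9a-fA-F]{8})_[0-9a-fA-F]{32,}")


def scrub_tokens(text, keep_prefix=True):
    """Return (scrubbed_text, count) with every site token masked.

    keep_prefix=True leaves the random 8-hex prefix visible so a support
    engineer can tell which connection a line refers to (assumption: the
    prefix alone grants no access); pass False to hide it as well.
    """
    def _mask(match):
        prefix = match.group(1) if keep_prefix else "*" * 8
        return f"dku_{prefix}_{'*' * 32}"

    return TOKEN_RE.subn(_mask, text)


# Constructed debug export: JSON value, header line and URL-encoded form.
SAMPLE_EXPORT = """\
{"site_token": "dku_a1b2c3d4_4f8b91c2e8d04b46a1d7f2aa6c93e5fd"}
> Authorization: Bearer dku_a1b2c3d4_4f8b91c2e8d04b46a1d7f2aa6c93e5fd
option_value=token%3Ddku_A1B2C3D4_4F8B91C2E8D04B46A1D7F2AA6C93E5FD
note: dku_a1b2c3d4_tooshort is not a token and is left alone
"""

if __name__ == "__main__":
    cleaned, hits = scrub_tokens(SAMPLE_EXPORT)
    print(cleaned)
    print(f"masked {hits} token(s)")
```

Run the same scrubber over wp_options dumps and backup listings before sharing them, and treat a non-zero count as a reason to reset the connection if the unscrubbed file has already been shared.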