Authentication

Learn the site-scoped plugin token format and how to use the auth header.

Reading time
4 min reading
Updating
Mar 2026

Token Format

The token format is dku_{prefix}_{secret}. prefix is a randomly generated value; it is not a prod/test tag. secret is 16 characters hex and only its hash is stored on the server.

TOKEN
dku_a1b2c3d4_4f8b91c2e8d04b46a1d7f2aa6c93e5fd
HTTP
Authorization: Bearer dku_a1b2c3d4_4f8b91c2e8d04b46a1d7f2aa6c93e5fd
PHP
$response = Http::withToken('dku_a1b2c3d4_4f8b91c2e8d04b46a1d7f2aa6c93e5fd') ->get('https://status.anchoruptime.com/api/v1/sites/42/status');
JAVASCRIPT
fetch('https://status.anchoruptime.com/api/v1/sites/42/status', { headers: { Authorization: 'Bearer dku_a1b2c3d4_4f8b91c2e8d04b46a1d7f2aa6c93e5fd' } });

Token Generation and Validation

Each token is automatically generated for each account by Anchor during the Ownership Connect flow. The token is kept private by the plugin and is not entered manually.

The plugin broadcasts the verification token for your account via the .well-known endpoint. The anchor panel reads this address; if the token matches, access to the site is opened.

Token Health Check

The GET /sites/{site}/token-info endpoint returns the issued_at, expires_at, last_used_at, capabilities, days_until_expiry and health fields of the token. The health value can be good, warning, critical, expired or revoked.

JSON
{ "issued_at": "2026-03-01T09:10:11.000000Z", "expires_at": "2027-03-01T09:10:11.000000Z", "last_used_at": "2026-03-07T12:22:00.000000Z", "capabilities": ["read_status", "trigger_maintenance"], "days_until_expiry": 358, "health": "good" }