Skip to content

Endpoints and Request Flows

Runtime routes are public by design and apply validation/security in callbacks. Administrative AJAX routes use nonces and capability checks in the audited managers.

The endpoint reference separates public visitor routes, signed WhatsApp webhooks, design-preview stubs, and authenticated administrator AJAX actions. Public permission callbacks allow the browser/provider to reach WordPress; validation, token format, message security, or HMAC checks happen inside the callback. Reverse proxies must preserve server-sent streaming and the raw signed Meta body.

The practical starting point is to confirm /wp-json/ai-website-chat/v2/token returns a 32-hex token. Continue through the workflow until you inventory admin ajax actions from each manager before adding proxy/cache rules, then use the field notes below to understand which choices affected AI output and which only changed delivery, access, or presentation.

Use this reference for reverse-proxy, caching, monitoring, integration, and security review.

Use this feature in the following situations:

  • You are configuring caching, a reverse proxy, monitoring, or firewall rules around SmartSite traffic.
  • You need to trace a browser or WhatsApp request through validation and logging.
  • You are reviewing whether an apparent endpoint documented elsewhere exists in the core or preview namespace.
WordPress locationDeveloper reference — WordPress REST API and admin-ajax.php
  • A staging site and a generated WordPress REST base URL.
  • Authorization to inspect sanitized HTTP requests.
  • No live credentials in commands or captured traffic.
  1. Confirm /wp-json/ai-website-chat/v2/token returns a 32-hex token.
  2. Trace POST /chat as a server-sent event stream through validation, security, assistant, routing/knowledge, tools, OpenAI, and logging.
  3. Trace GET /messages with valid token and its maximum 100-message request.
  4. Trace /wp-json/smartsite/v1/active-channels frontend-safe output.
  5. Trace WhatsApp GET verification and signed POST message processing.
  6. Keep smartsite-design-preview/v1 routes confined to authenticated preview usage expectations.
  7. Inventory admin AJAX actions from each manager before adding proxy/cache rules.

The routes below carry messages, history, channel data, previews, or administrator actions between systems. They do not improve the model by themselves, but a broken stream, altered body, missing token, or rejected signature can prevent a good response from being produced or delivered. Preserve each route’s validation and transport requirements when adding proxies, caches, or monitoring.

Fields, controls, and important values
Field, control, or statusWhat SmartSite Assistant does with itHow to use it and why it matters
GET ai-website-chat/v2/token Public; returns random 32-hex user_token. The public widget uses this route to obtain a random conversation token before sending messages. Keep it reachable without login, rate-monitor unusual use, and never reinterpret the token as verified identity or authorization.
POST ai-website-chat/v2/chat Public callback; validates message/token, streams SSE, performs security/AI/tool flow, and logs. This is the main streamed conversation path through message validation, security, OpenAI, knowledge, tools, state, and logging. Proxies must preserve server-sent events and avoid buffering away the incremental response.
GET ai-website-chat/v2/messages Public callback; requires 32-hex token and requests up to 100 conversation messages. Conversation history is returned only for a correctly formatted token and is capped at the documented limit. Treat the token as pseudonymous access to that history and prevent caches from mixing responses between visitors.
GET smartsite/v1/active-channels Public frontend-safe active channel list. The frontend reads this public, limited route to learn which channel links can be shown. Keep its response free of credentials and internal configuration; it should expose availability, not provider secrets.
GET/POST smartsite/v1/webhook/whatsapp Public verification/inbound route; POST requires valid X-Hub-Signature-256. GET completes Meta’s verification challenge, while POST receives signed WhatsApp events. Preserve the raw request body for signature checking and keep both methods outside page caching and browser-oriented transformations.
CORS Core chat callbacks add Access-Control-Allow-Origin: *. Cross-origin behavior affects whether a browser may call public routes from another origin; it does not replace token, message, capability, or signature validation. Allow only the origins needed by the actual deployment.

Judge Endpoints and Request Flows where its effect is actually consumed—by the administrator, visitor, model, or connected service. The expected result above is more useful than a green badge because it describes the behavior the configuration was meant to produce.

A reverse proxy must not buffer the chat SSE response or rewrite the raw Meta POST body before WordPress validates its signature.

  • Change one part of Endpoints and Request Flows at a time and keep a short record of the previous value and test result.
  • Verify the saved result in the screen, visitor session, or connected service that actually consumes the setting.
Common problems and focused checks
ProblemWhat to check and what to do next
Endpoints and Request Flows is missing or does not match this guide. Confirm the plugin is active and the account can manage WordPress options. Trace the request through capability, nonce or public validation, storage, runtime consumption, and error handling.
A change on Endpoints and Request Flows does not produce the expected result. Keep the exact notice and test case, then review the browser console and WordPress/PHP log. Trace the request through capability, nonce or public validation, storage, runtime consumption, and error handling.
wp rest route list --fields=namespace,route,methods | grep -E 'ai-website-chat|smartsite'
Endpoints and Request Flows
Capture
Create a sequence diagram showing Browser → token/chat/messages, WordPress security/response service, OpenAI, tools, and logger; include WhatsApp as a separate signed flow.
Show
Route namespaces/methods, SSE, validation, OpenAI/tools, logs, WhatsApp signature
Viewport
Desktop, 1440 × 900
Annotate
Use numbered callouts only for controls referenced in the procedure.
Redact
OpenAI keys, tokens, secrets, personal information, private URLs, IP addresses, and conversation text