Introduction

LatePoint API Extension uses API Key based authentication to protect your data. Each API request must include a valid key to be processed.

API Key Generation

Create a New API Key

  1. Go to LatePoint > API Settings in your WordPress dashboard
  2. Click “Generate New API Key”
  3. Assign a descriptive name (e.g., “Mobile App”, “CRM System”)
  4. Configure the necessary permissions
  5. Copy and save the generated key securely
Important: The API Key is only shown once. If you lose it, you’ll need to generate a new one.

Permission Configuration

Each API Key can have specific permissions for different resources:

Using the API Key

Authentication Header

Include your API Key in the X-API-Key header of each request:
curl -X GET "https://your-site.com/wp-json/latepoint-api/v1/bookings" \
  -H "X-API-Key: lp_live_1234567890abcdef" \
  -H "Content-Type: application/json"

API Key Types

Development Keys (Test)

For development and testing, use keys that start with lp_test_:
lp_test_1234567890abcdef
Features:
  • Only work in development environments
  • Limited or simulated data
  • More permissive rate limiting

Production Keys (Live)

For production environments, use keys that start with lp_live_:
lp_live_1234567890abcdef
Features:
  • Full access to real data
  • Strict rate limiting
  • Complete audit logs

Security and Best Practices

Secure Storage

Never hardcode API Keys in your source code. Use environment variables.
✅ Correct:
const apiKey = process.env.LATEPOINT_API_KEY;
❌ Incorrect:
const apiKey = 'lp_live_1234567890abcdef'; // Never do this!

Environment Variables

Configure your API Keys as environment variables:
.env
LATEPOINT_API_KEY=lp_live_1234567890abcdef
LATEPOINT_BASE_URL=https://your-site.com/wp-json/latepoint-api/v1

Key Rotation

  1. Generate a new API Key before the current one expires
  2. Update your application with the new key
  3. Test that everything works correctly
  4. Revoke the previous key once the change is confirmed

Monitoring and Logs

LatePoint API Extension automatically logs:
  • All authenticated requests
  • Unauthorized access attempts
  • Usage by API Key
  • Authentication errors
Access logs at LatePoint > API Settings > Activity Logs.

Rate Limiting

Default Limits

Key Type | Requests per Minute | Requests per Hour
Test     | 100                 | 1,000
Live     | 60                  | 3,600

Rate Limiting Headers

Each response includes information about your current usage:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640995200

Handling Exceeded Limits

When you exceed the limit, you’ll receive a 429 Too Many Requests response:
{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "Rate limit exceeded. Try again in 60 seconds.",
    "retry_after": 60
  }
}

Authentication Errors

401 Unauthorized

Cause: Missing or invalid API Key
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key"
  }
}
Solution:
  • Verify that you include the X-API-Key header
  • Confirm that the API Key is correct
  • Make sure the key hasn’t expired

403 Forbidden

Cause: Valid API Key but insufficient permissions
{
  "error": {
    "code": "forbidden",
    "message": "Insufficient permissions for this endpoint"
  }
}
Solution:
  • Review your API Key permissions
  • Contact the administrator to expand permissions
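
The 429, 401 and 403 responses and the X-RateLimit-* headers described above can be handled in one client-side decision function. This is an added example, not code from LatePoint: the names planNextStep and getBookings are hypothetical, X-RateLimit-Reset is assumed to be a Unix timestamp in seconds, and the 60-second fallback is an assumption.

```javascript
// Added example, not LatePoint's own code. planNextStep and getBookings are
// hypothetical names. Assumption: X-RateLimit-Reset is a Unix time in seconds.
function planNextStep(status, headers, body, nowSec) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const err = (body && body.error) || {};
  const untilReset = Number(h['x-ratelimit-reset']) - nowSec;

  if (status === 429) {
    // Prefer retry_after from the error body, then the reset header.
    let wait = Number(err.retry_after);
    if (!(wait > 0)) wait = untilReset;
    if (!(wait > 0)) wait = 60; // assumed fallback when neither is usable
    return { action: 'retry', waitSec: Math.ceil(wait), code: err.code };
  }
  // A retry cannot fix a bad key or a missing permission; stop instead of
  // looping and filling the activity log with failed attempts.
  if (status === 401) return { action: 'fail', reason: 'check-key', code: err.code };
  if (status === 403) return { action: 'fail', reason: 'check-permissions', code: err.code };
  if (status >= 400) return { action: 'fail', reason: 'other', code: err.code };

  // Success: if the window is spent, pause until it resets before calling again.
  const spent = Number(h['x-ratelimit-remaining']) === 0;
  const pauseSec = spent && untilReset > 0 ? Math.ceil(untilReset) : 0;
  return { action: 'ok', pauseSec };
}

// Sends one request with the key taken from the environment, never a literal.
async function getBookings(fetchImpl = fetch) {
  const key = process.env.LATEPOINT_API_KEY;
  if (!key) throw new Error('LATEPOINT_API_KEY is not set');
  const res = await fetchImpl(`${process.env.LATEPOINT_BASE_URL}/bookings`, {
    headers: { 'X-API-Key': key },
  });
  const body = await res.json().catch(() => null);
  const headers = Object.fromEntries(res.headers);
  return { body, plan: planNextStep(res.status, headers, body, Date.now() / 1000) };
}
```

The caller sleeps for waitSec or pauseSec before its next request and treats any fail result as final until the key or its permissions are corrected.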

API Key Management

List Active Keys

In LatePoint > API Settings, you can see:
  • All generated API Keys
  • Creation date and last use
  • Assigned permissions
  • Status (active/inactive)

Revoke an API Key

  1. Go to LatePoint > API Settings
  2. Find the key you want to revoke
  3. Click “Revoke”
  4. Confirm the action
Once revoked, the API Key will stop working immediately in all applications that use it.
