How Respira Security Works
Respira is designed with security as a core principle: API keys, request validation, safe editing, content sanitization, and audit logging.
Authentication Flow
- You generate an API key in WordPress Admin
- MCP server sends the key with each request
- WordPress validates the key before processing
- Actions run through WordPress permissions and capabilities
API Key Security
- Keys start with respira_
- Cryptographically random
- Stored securely (not meant to be shared)
- Revokable at any time from WordPress Admin
Request Validation
Every request is validated for:
- Valid API key
- User permissions for the action
- Content security (basic XSS / injection safety checks)
Safe Editing Workflow
By default, Respira never modifies live content directly:
- Edit request received
- Duplicate created as draft
- Changes applied to duplicate
- Admin reviews in Approve Edits
- Approve → duplicate replaces original
- Reject → duplicate deleted
Content Security
Use wordpress_validate_security to validate content before saving.
Audit Logging
Many actions are logged (depending on your plan / plugin version). Logs typically include:
- API key used (or key ID/prefix)
- Action performed
- Timestamp
- Success/failure
FAQ
Can AI delete my live pages?
No, not by default. Respira uses a duplicate-first workflow where write operations create draft copies. You must explicitly approve changes in WordPress Admin (Respira → Approve Edits) before they affect your live content. Only then does the duplicate replace the original.
Who can see my API key?
Only you. API keys are displayed once when created and never shown again in WordPress Admin. They're stored securely and transmitted only between your local MCP server and your WordPress site over HTTPS. Never share your API key or commit it to version control.
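To back up the advice not to commit a key to version control, the following added example (not Respira's own code) scans a working tree for strings that look like Respira keys and can run as a pre-commit or CI check. Only the `respira_` prefix comes from this page; the key body pattern (20 or more alphanumeric characters) and the names `scan_text` and `scan_tree` are assumptions.

```python
import re
import sys
from pathlib import Path

# Only the "respira_" prefix is documented. The body pattern is an ASSUMPTION
# (20+ alphanumerics); alphanumeric-only keeps snake_case identifiers such as
# respira_api_key_setting_name from being reported as keys.
KEY_RE = re.compile(r"\brespira_[A-Za-z0-9]{20,}")
SKIP_DIRS = {".git", "node_modules", "vendor"}
MAX_BYTES = 1_000_000  # keys live in small config files; skip large blobs


def mask(key: str) -> str:
    """Prefix plus 4 characters, so a finding can be matched to a key
    without reprinting the secret in CI output."""
    return key[:12] + "..."


def scan_text(text: str, name: str = "<text>"):
    """Return (name, line_number, masked_key) for each key-like string."""
    return [
        (name, lineno, mask(m.group(0)))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in KEY_RE.finditer(line)
    ]


def scan_tree(root: str):
    """Scan every small readable file under root, skipping SKIP_DIRS."""
    base, findings = Path(root), []
    for path in sorted(base.rglob("*")):
        if SKIP_DIRS & set(path.relative_to(base).parts) or not path.is_file():
            continue
        try:
            if path.stat().st_size > MAX_BYTES:
                continue
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, lineno, masked in hits:
        print(f"{name}:{lineno}: possible Respira API key {masked}")
    sys.exit(1 if hits else 0)  # non-zero exit fails a pre-commit hook or CI job
```

Any key this check finds in a repository should be treated as exposed and revoked in WordPress Admin, since it may already be in history.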
What happens if I reject a duplicate?
The duplicate is deleted. Your original content remains completely untouched. This is the safe "undo" mechanism—if you don't like the AI's changes, just reject them and nothing on your live site changes.
Can someone else use my API key?
If your API key is compromised, revoke it immediately in WordPress Admin (Respira → API Keys). Create a new key for your continued use. Each key can be revoked independently, so you can issue different keys for different machines or team members.
Is my content sent to external servers?
Respira communicates only between your local MCP server and your WordPress site. Analysis tools run on your WordPress server. Content is not sent to Anthropic, OpenAI, or other third parties by Respira itself. Your AI assistant (Cursor, Claude Code, etc.) receives the content locally to process your requests.
Last updated Dec 15, 2025
