MksDdn Reddy Auth provides OTP-based authentication with:
- WordPress cookie session login for the frontend (shortcode, or REST with
issue_session: true). - Optional Bearer token issuing for REST clients (
issue_token: true; cookie not set by default on REST login). - Rate limiting and one-time OTP verification.
- Optional site and REST API protection for unauthenticated visitors.
- Optional allowed request sources (Origin/Referer) for plugin REST endpoints.
The plugin maps each Reddy ID to a WordPress user and can create an account automatically on first successful login.
Getting Started
1. Configure the Reddy bot token
For production, define the token in wp-config.php:
define( 'MKSDDN_REDDY_BOT_TOKEN', 'your-bot-token' );
For local development you can store the token in Settings > Reddy Auth instead. Use Bot connection test to verify delivery to a Reddy user.
2. Set up the login page
Create a WordPress page (for example, /login/) and insert:
[mksddn_reddy_login]
Users enter their Reddy ID, receive a one-time code in Reddy, and sign in through the form.
3. Review protection settings
By default, both protection options are disabled so your site stays accessible after activation. Enable them only after the login page is configured:
- Protect site content — redirects unauthenticated visitors to the login page.
- Protect all REST API content — returns
401for protected REST routes.
Public auth routes remain available without login:
POST /wp-json/mksddn-reddy-auth/v1/auth/send-codePOST /wp-json/mksddn-reddy-auth/v1/auth/login
4. Use REST API for headless clients
Typical flow:
POST /auth/send-codewith{ "reddy_id": "123456" }POST /auth/loginwith{ "reddy_id": "123456", "code": "111111", "issue_token": true }for headless clients. Add"issue_session": trueonly when the browser must also receive a WordPress cookie (same-origin SPA).- Call protected REST routes with
Authorization: Bearer <token>. GET /auth/meto read the current user (Bearer or cookie session).POST /auth/logoutto end the cookie session and revoke the Bearer token when provided.
Protect site content checks the WordPress cookie session (shortcode login or REST login with issue_session: true). It does not accept Bearer tokens. Protect all REST API content requires a Bearer token and ignores cookie-only sessions.
Download OpenAPI and Postman files from Settings > Reddy Auth > Developer Resources.
5. Optional: restrict REST callers by browser source
In Settings > Reddy Auth, Allowed request sources limits plugin REST traffic (/mksddn-reddy-auth/v1/*) to listed Origin or Referer URLs. Leave empty to allow any client (recommended for server-to-server integrations). This is a soft guard for browser apps, not a secret key.
External services
This plugin connects to the Reddy bot API at https://bot.reddy.team to deliver one-time passwords and optional admin connection test messages.
What the service is used for
- Deliver OTP codes to a Reddy user during login.
- Send an optional admin “bot connection test” message from Settings > Reddy Auth.
What data is sent and when
- OTP send / login: Reddy user ID (
userKey) and message text containing the one-time code (and expiry hint). Message text is configurable in Settings > Reddy Auth > Bot Messages (placeholders{code},{ttl}). Sent when a user requests a code via the login form or REST API. - Bot connection test: Reddy user ID (
userKey) and a configurable test message from Settings > Reddy Auth > Bot Messages. Sent only when an administrator runs Bot connection test in Settings > Reddy Auth. - Bot token: Your bot token is included in the API request URL path (configured via
MKSDDN_REDDY_BOT_TOKENinwp-config.phpor the development fallback field in settings). It is not sent to WordPress.org.
Data is transmitted only when OTP delivery or the connection test is triggered. The plugin does not send site content, post data, or WordPress user passwords to Reddy.
This service is provided by Reddy: terms of use and privacy policy at https://help.reddy.team/pages/user-agreement
No other third-party services are required for core plugin operation.
