WordPress · Domain verification
The neuroon-search plugin does not use meta tags or DNS records to verify the domain. It relies on the API Key + the Origin header: when you click Verify Domain in the admin, the plugin sends POST /api/plugin/shops/verify with the current domain and the backend compares it (after normalizeUrl) against the shop.url already registered in Neuroon.
How the flow works
- You generate the Shop API Key in the Neuroon dashboard.
- Paste it into Settings → Neuroon Search → Settings tab.
- Click Verify Domain.
- The plugin sends:
/api/plugin/shops/verifyPOST /api/plugin/shops/verify HTTP/1.1
Host: dev-api.neuroon.ai
X-Shop-API-Key: sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Origin: https://your-domain.example
Content-Type: application/json
{"domain": "https://your-domain.example"}
- If the normalized domain matches the registered
shop.url, the backend returns:
{
"shopId": "shop_xxxxxxxx",
"verificationCode": "vc_yyyyyyyy",
"domain": "https://your-domain.example",
"name": "Your Shop"
}
- The plugin stores
neuroon_shop_id,neuroon_verification_codeand setsneuroon_verified = 1inwp_options. The Products, Widget and Diagnostics tabs appear.
Retrieve verification data
To inspect the current state without re-verifying:
/api/plugin/shops/{shopId}/verification-datacurl -s "https://dev-api.neuroon.ai/api/plugin/shops/$NEUROON_SHOP_ID/verification-data" \
-H "X-Shop-API-Key: $NEUROON_API_KEY" \
-H "Origin: https://your-domain.example"
Returns domain, verificationCode and verifiedAt. Useful for diagnostics without touching the write flow.
Unverify
If you sell the shop, move domains or want to rotate credentials:
/api/plugin/shops/{shopId}/verifycurl -X DELETE "https://api.neuroon.ai/api/plugin/shops/$NEUROON_SHOP_ID/verify" \
-H "X-Shop-API-Key: $NEUROON_API_KEY" \
-H "Origin: https://your-domain.example"
From the admin, Settings tab → Unverify Domain triggers the same call and clears local options.
Rotate the API Key
API Keys are revocable. If a key has leaked:
- Generate a new key in the Neuroon dashboard.
- Update Settings → Neuroon Search → API Key and save.
- Revoke the old one from the dashboard.
The plugin does not store the key in plaintext outside wp_options (neuroon_api_key). On shared environments, restrict database access and consider moving the key to a constant in wp-config.php with a custom filter.
Common errors
| Code | Cause | Fix |
|---|---|---|
401 Unauthorized | Invalid or revoked API Key | Regenerate and re-paste the key. |
403 Forbidden | Origin does not match the registered domain | Check get_site_url. Aliases (www. vs apex) must match the URL stored in shop.url. |
404 Not Found | The shopId does not exist or does not belong to your key | Click Verify Domain from scratch; the plugin rewrites neuroon_shop_id. |
429 Too Many Requests | Rate limit verification (20/min) or verify-action (5/5min) exceeded | Wait for Retry-After. The plugin absorbs it via Neuroon_Rate_Limit_Handler. |
Best practices
- Verify from the canonical domain you intend to use in production. If your shop forces
https://www.example.com, do not verifyhttps://example.com. - Do not expose the API Key to the frontend. It is used only server-to-server from PHP.
- Re-verify after a URL change (
siteurlorhomein WP). The backend comparesnormalizeUrl(domain)exactly.
Next steps
- Product sync — the Products tab is enabled only after verifying.
- Authentication · Shop API Key — scope, rotation and rate limits.
- Reference · Errors — codes catalog.