WordPress · Domain verification

The neuroon-search plugin does not use meta tags or DNS records to verify the domain. It relies on the API Key + the Origin header: when you click Verify Domain in the admin, the plugin sends POST /api/plugin/shops/verify with the current domain and the backend compares it (after normalizeUrl) against the shop.url already registered in Neuroon.

Citation: handlers admin_post_neuroon_verify / admin_post_neuroon_unverify in wordpress-plugin/neuroon-search/neuroon-verification.php and endpoints listed in wordpress-plugin/CLAUDE.md.

How the flow works

1. You generate the Shop API Key in the Neuroon dashboard.

2. Paste it into Settings → Neuroon Search → Settings tab.

3. Click Verify Domain.

4. The plugin sends:

   POST/api/plugin/shops/verify

   POST /api/plugin/shops/verify HTTP/1.1
   Host: dev-api.neuroon.ai
   X-Shop-API-Key: sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   Origin: https://your-domain.example
   Content-Type: application/json
   
   {"domain": "https://your-domain.example"}

5. If the normalized domain matches the registered shop.url, the backend returns:

   {
     "shopId": "shop_xxxxxxxx",
     "verificationCode": "vc_yyyyyyyy",
     "domain": "https://your-domain.example",
     "name": "Your Shop"
   }

6. The plugin stores neuroon_shop_id, neuroon_verification_code and sets neuroon_verified = 1 in wp_options. The Products, Widget and Diagnostics tabs appear.

Retrieve verification data

To inspect the current state without re-verifying:

GET/api/plugin/shops/{shopId}/verification-data

curl -s "https://dev-api.neuroon.ai/api/plugin/shops/$NEUROON_SHOP_ID/verification-data" \
  -H "X-Shop-API-Key: $NEUROON_API_KEY" \
  -H "Origin: https://your-domain.example"

Returns { verificationCode, instructions, verified } (VerificationDataDTO in ShopResponseDTO.java:25). Useful for diagnostics without touching the write flow. Note: the POST /verify returns a different payload (PluginVerificationDataDTO { shopId, verificationCode, domain, name }).

Unverify

If you sell the shop, move domains or want to rotate credentials:

DELETE/api/plugin/shops/{shopId}/verify

curl -X DELETE "https://dev-api.neuroon.ai/api/plugin/shops/$NEUROON_SHOP_ID/verify" \
  -H "X-Shop-API-Key: $NEUROON_API_KEY" \
  -H "Origin: https://your-domain.example"

From the admin, Settings tab → Unverify Domain triggers the same call and clears local options.

Rotate the API Key

API Keys are revocable. If a key has leaked:

1. Generate a new key in the Neuroon dashboard.
2. Update Settings → Neuroon Search → API Key and save.
3. Revoke the old one from the dashboard.

The plugin does not store the key in plaintext outside wp_options (neuroon_api_key). On shared environments, restrict database access and consider moving the key to a constant in wp-config.php with a custom filter.

Common errors

Code	Cause	Fix
401 Unauthorized	Invalid or revoked API Key	Regenerate and re-paste the key.
403 Forbidden	Origin does not match the registered domain	Check get_site_url(). Aliases (www. vs apex) must match the URL stored in shop.url.
404 Not Found	The shopId does not exist or does not belong to your key	Click Verify Domain from scratch; the plugin rewrites neuroon_shop_id.
429 Too Many Requests	Rate limit verification (20/min) or verify-action (5/5min) exceeded	Wait for Retry-After. The plugin absorbs it via Neuroon_Rate_Limit_Handler.

Best practices

• Verify from the canonical domain you intend to use in production. If your shop forces https://www.example.com, do not verify https://example.com.
• Do not expose the API Key to the frontend. It is used only server-to-server from PHP.
• Re-verify after a URL change (siteurl or home in WP). The backend compares normalizeUrl(domain) exactly.

Next steps

• Product sync — the Products tab is enabled only after verifying.
• Authentication · Shop API Key — scope, rotation and rate limits.
• Reference · Errors — codes catalog.