Documentation · Integration Guide
External API Credentials
This document explains how to handle the external API credentials used by the ADP Car Market Hub plugin safely. It covers where credentials normally come from, what must never be published, how to coordinate values with the providers that issue them, and how to share information for support without exposing secrets.
It is written for any administrator, integrator or partner who handles credential values on behalf of a dealer.
When to use this document
Use this document when you are:
- Receiving credentials from a provider for the first time and need to know how to store and forward them safely.
- Coordinating credential rotation between the dealer, the API provider and the WordPress site.
- Preparing a support request, a screenshot or an export and need to know what to redact.
- Auditing how credentials are stored on a WordPress installation.
Overview
The plugin can hold credentials for several independent integrations. The exact set depends on which features are enabled, but typical examples include:
- AutoScout24 API – the OAuth Client ID, Client Secret and Seller ID(s) used by the importer. See AutoScout24 API Setup.
- AI Assistant – uses the managed Google Gemini configuration in ADP Car Market Hub. The managed Gemini API key is provisioned by AD Promotion in `AS24CI\Ai_Config` after installation; no AI provider, model or API key has to be entered in the WordPress backend, and no AI key is stored as a WordPress option.
- Cron token – a randomly generated token used to authenticate the plugin's REST cron endpoint when an external server cron triggers imports. See Server Cron Setup.
- Webhook secret – a shared secret used to sign outgoing webhook payloads with HMAC-SHA256. See Webhook Integration.
Apart from the managed Gemini configuration, which AD Promotion provisions in `AS24CI\Ai_Config`, all of these values are stored as WordPress options on the site that runs the plugin. They are never bundled with the plugin itself and must always be supplied by the customer or by their integration partner.
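The webhook secret above is used by the plugin to sign outgoing payloads with HMAC-SHA256; the receiving system must recompute the signature with the same secret and compare it in constant time. The following receiver-side check is an added example, not code from the plugin or the project; the header name `X-Signature`, the hex encoding and the sample secret are assumptions and must be confirmed against the plugin's Webhook Integration documentation.

```python
import hashlib
import hmac

# Constructed sample secret for the example; the real value is the one
# configured in the plugin and in the receiver (see the table above).
EXAMPLE_SECRET = "example-shared-secret-do-not-reuse"

# Assumed header name; confirm against the plugin's webhook documentation.
SIGNATURE_HEADER = "X-Signature"


def sign_payload(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded (encoding is an assumption)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, presented: str) -> bool:
    """Constant-time comparison so response timing does not reveal how many bytes matched."""
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, presented)


def handle_webhook(secret: str, headers: dict, raw_body: bytes) -> tuple:
    """Minimal receiver decision: (http_status, reason).

    Verify the body bytes exactly as received; re-serialising parsed JSON
    changes whitespace and key order and would break the signature.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented:
        return 401, "missing signature"
    if not verify_signature(secret, raw_body, presented):
        # This is the "invalid signature" case from the troubleshooting table:
        # the secret in the plugin and in the receiver no longer match.
        return 401, "invalid signature"
    return 200, "ok"


if __name__ == "__main__":
    body = b'{"event":"vehicle.updated","seller_id":"SELLER-PLACEHOLDER"}'  # constructed
    good = {SIGNATURE_HEADER: sign_payload(EXAMPLE_SECRET, body)}
    print(handle_webhook(EXAMPLE_SECRET, good, body))        # (200, 'ok')
    print(handle_webhook("rotated-secret", good, body))      # (401, 'invalid signature')
```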
Where the values normally come from
| Credential | Issued by | Notes |
|---|---|---|
| AutoScout24 Client ID / Client Secret | AutoScout24 or the integration partner that provisions API access for the dealer. | AD Promotion does not issue these. The dealer's website login is not an API credential. |
| AutoScout24 Seller ID(s) | AutoScout24 or the integration partner. | The Seller ID is a stable account identifier, not the dealer's display name. |
| API Base URL | AutoScout24 or the integration partner. | Determines which environment the plugin talks to. There is no hard-coded host inside the plugin. |
| AI Assistant (managed Gemini) | Provisioned by AD Promotion as part of the managed AI setup. | Stored as a PHP constant in `AS24CI\Ai_Config`, not in `wp_options`, and never exposed in the WordPress backend. The customer does not enter an AI provider, model or API key. |
| Cron token | Generated automatically by the plugin and revealed in the Import & Limits tab. | Anyone who knows the token can trigger an import. Treat it as a secret. |
| Webhook secret | Defined by the dealer or the operator of the receiving system; copied into the plugin and into the receiver. | Optional. Without it, payload signatures are not generated. |
If a value is unknown, do not invent one. Request it from the party that owns the corresponding system.
What must not be published
The following values must never appear in any public location (public Git repositories, public ticket comments, screenshots embedded in marketing material, blog posts, AI assistants without confidentiality guarantees, public chat channels, or shared documents that are accessible outside the dealer / agency):
- AutoScout24 Client Secret and any other OAuth secret.
- The plugin's cron token (anyone with the token can trigger imports).
- The webhook secret.
- Full request URLs that already include a `?token=...` query parameter.
- Database backups, `wp_options` exports or full plugin diagnostic exports without prior redaction.
- Internal hostnames, private endpoints or non-public URLs that are part of the integration.
- Personal data of leads, dealer staff or customers.
The AutoScout24 Client ID, the Seller ID and the API Base URL are not technically secret in the same sense as a Client Secret, but they identify the dealer account and should still be treated as confidential and shared only with people who legitimately need them.
Safe handling rules
- Use a secure channel. Receive and forward credentials through a password manager, an end-to-end encrypted message, or a secure file-transfer tool. Plain email and unencrypted chat are not acceptable.
- Limit who knows them. Only the people who actually configure or operate the integration need the values. Remove access when people leave the project.
- Keep a master copy outside WordPress. The dealer's central password manager is the source of truth. The WordPress installation is just one consumer of the credentials.
- Rotate after exposure. If a credential leaks, request a rotation from the issuing party immediately, then update the value in the plugin and re-run the Connection Test. For the cron token, regenerate it from the Import & Limits tab. For the webhook secret, change it both in the plugin and in the receiving system.
- Rotate when access changes. When a person who handled credentials no longer needs access (for example an employee leaves the dealership or the agency), rotate the affected credentials. Removing their WordPress account does not invalidate values they may have copied earlier.
- Do not commit credentials. Never commit credentials into Git, into a theme, into an mu-plugin, or into any other file that ends up in source control.
- Mind the field type. The plugin renders the AutoScout24 Client Secret as a password input that is intentionally not pre-filled with the existing value when the page is reloaded. Re-enter the value only when you actually want to change it. The cron token is also rendered with a Show / Hide control — leave it hidden when sharing screenshots.
Coordinating credentials with integration providers
For any integration, follow this coordination pattern:
- Request access through the dealer. The dealer is the account holder. Provisioning normally requires a request from the dealer, even when an agency or partner handles the technical work.
- Agree on the environment. Confirm with the provider which API Base URL the credentials are valid for. Mixing values from different environments is the most common cause of authentication failures.
- Confirm authorisation scope. For AutoScout24, confirm that the Client ID / Client Secret pair is authorised for every Seller ID that should be imported. Multi-seller dealerships often require explicit per-seller authorisation.
- Receive values securely. See Safe handling rules above.
- Configure and test on the WordPress site. Use API Credentials Setup and the Connection Test before enabling automated imports.
- Document who owns what. Record, in the dealer's internal documentation, who is the contact at the API provider, who issued the values and when, and where the master copy of the credentials is stored.
- Plan for rotation. Agree on a process for rotating credentials, both on a regular cadence and on demand (after a leak, after staff changes, after a major incident).
For the AI Assistant, the managed Google Gemini configuration in `AS24CI\Ai_Config` is the source of truth. The customer does not configure, store or rotate an AI provider API key in the WordPress backend; AD Promotion handles managed Gemini provisioning.
Sharing information for support without leaking secrets
When you need to share configuration or log information with AD Promotion or with another support contact:
- Use the support information described in Support Information Checklist.
- Redact secrets before sharing. As a minimum, replace the AutoScout24 Client Secret, the cron token and the webhook secret with `[REDACTED]`.
- For URLs that include a `?token=...` query parameter, replace the token with `[REDACTED]` before pasting the URL into a ticket.
- Crop or blur the relevant sections of any screenshot that would reveal secrets.
- The plugin's log directory in `wp-content/uploads/as24ci-logs/` does not write the Client Secret in plain text, but it can include URLs and request metadata. Treat the log directory as confidential and review excerpts before sharing them.
Storage on the WordPress site
- Credentials are stored as standard WordPress options. They can be read by any code with database access on the same site (other plugins, themes, mu-plugins, server-level processes).
- Database backups, `wp_options` exports and full server snapshots therefore contain the credentials. Apply the same protections as for any other backup that contains secrets.
- The plugin does not transmit credentials to AD Promotion or to any third party other than the API provider that the credentials are intended for. The AutoScout24 credentials are sent only to the configured API Base URL. AI prompts go to the managed Google Gemini endpoint configured by AD Promotion in `AS24CI\Ai_Config`.
- For details on what the plugin stores in the database, see Data Storage Overview and Database and Storage Reference.
Operational notes
- Per-environment credentials. Use distinct credentials per environment (production, staging, local). Do not point a staging WordPress site at production AutoScout24 credentials unless you have explicitly agreed this with the dealer; staging activity can otherwise pollute analytics, trigger lead emails, or generate unwanted webhook calls.
- Migration between environments. When you copy a database from production to staging (or the other way around), review every credential field on the target site. See Staging to Live Migration.
- Uninstall. When the plugin is uninstalled with the Delete data on uninstall option enabled, the stored options — including credentials — are removed from the database. If the option is disabled, credentials remain in the database after uninstall. See Uninstall and Cleanup Behavior.
- Verify behaviour in the current version. Specific UI labels, defaults and exact storage keys can change between releases. Verify this behaviour in the current plugin version before publishing customer-facing instructions.
Troubleshooting
| Symptom | Likely cause | What to check |
|---|---|---|
| Authentication fails immediately after a credential change. | A pre-existing access token is still cached. | Clear the token cache from Car Market Hub → Tools and re-run the Connection Test. |
| Authentication fails although the values "look correct". | Invisible whitespace, smart quotes, or a swapped character (0 vs O, 1 vs l). | Paste each value into a plain-text editor first, trim whitespace, then paste into the field. |
| The plugin reports that no credentials are configured. | The values were entered but the form was not submitted, or a security plugin stripped the request. | Re-open the relevant settings tab and confirm the values are saved. Disable security plugins temporarily if they interfere with admin form submissions. |
| Cron endpoint returns 403. | The cron token in the URL does not match the stored token, or the token has been regenerated. | Copy the current REST trigger URL from the Import & Limits tab into your server cron job. See Server Cron Setup. |
| Webhook receiver rejects payloads with an invalid signature. | The webhook secret in the plugin and in the receiver no longer match. | Re-copy the secret on both ends and resend a test event. See Webhook Integration. |
| A credential appears to leak into a log or a ticket. | Redaction was incomplete. | Rotate the credential immediately with the issuing party, then update the plugin and re-test. |