API, Network and SSL Requirements
Purpose
ADP Car Market Hub is fundamentally an integration plugin: it spends most of its runtime talking to remote HTTPS endpoints — the AutoScout24 API for vehicles and images, the managed Google Gemini endpoint for optional AI content generation, and (indirectly) WordPress.org for plugin updates. This document specifies the outbound network and TLS expectations the plugin places on the host, and explains how to validate them before going live.
When to use this document
Use this document when you:
- Configure a firewall, egress policy or outbound proxy for a hosting environment.
- Choose an API base URL for the dealer's AutoScout24 market (e.g. .com, .ch, .de, …).
- Investigate connection or authentication errors reported by the importer or by Test Connection.
- Validate TLS, DNS and CA-certificate configuration on a new server.
- Audit which third-party endpoints the plugin will contact in production.
Overview
The plugin exclusively uses WordPress's standard HTTP API (wp_remote_get / wp_remote_post), which uses cURL under the hood, so it inherits the system's TLS/CA configuration and any constants set in wp-config.php for HTTP transports and proxies.
The network profile is:
- Outbound only. The plugin never opens inbound ports beyond what WordPress itself does. The cron trigger is exposed through the standard WordPress REST API, which already runs on the site's existing HTTPS listener.
- HTTPS only. All third-party endpoints are HTTPS on the standard port 443. There are no plain-HTTP fallbacks.
- Token-based authentication. The AutoScout24 API uses OAuth 2.0 client-credentials. The plugin requests an access token from the configured token URL, caches it in a transient until shortly before its expires_in, and sends it as a bearer token on subsequent requests.
- No persistent sockets. Each request is a discrete WordPress HTTP API call with a 30-second timeout for token requests; image downloads use WordPress's standard download timeouts.
Required outbound endpoints
The host must allow outbound HTTPS (TCP/443) to the following destinations.
Mandatory
- AutoScout24 API base URL — configured in Settings → API Base URL, for example https://api.autoscout24.com (other markets use the country-specific host such as api.autoscout24.ch, api.autoscout24.de, etc.). Used for OAuth tokens, listing retrieval and image URL discovery.
- AutoScout24 token endpoint — by default <base URL>/public/v1/clients/oauth/token. A separate Token URL option is available when the OAuth endpoint lives on a different host than the API base.
- AutoScout24 image hosts — the listing payloads return absolute image URLs which are downloaded directly into the WordPress media library. These hostnames vary by market and may change over time, so the firewall policy should allow AutoScout24 image CDNs as a class rather than pinning a single hostname.
Optional
- https://generativelanguage.googleapis.com — required when the AI Assistant is enabled. Used to call the managed Google Gemini endpoint configured in AS24CI\Ai_Config.
Recommended
- https://api.wordpress.org — for WordPress core, theme and plugin update checks.
- The plugin's own site (when called by an external cron) must be reachable from the scheduler that triggers it.
API base URL and token URL
The plugin makes the API base URL and token URL fully configurable so that any AutoScout24 market and any future OAuth host change can be supported without a code update.
- API Base URL (as24ci_base_url). Required. Should be the scheme + host (no trailing slash), for example https://api.autoscout24.ch. The plugin trims trailing slashes and refuses to make calls when this is empty.
- Token URL (as24ci_token_url). Optional. When empty, the plugin derives it as <base URL>/public/v1/clients/oauth/token. Set it explicitly only if AutoScout24 has provided a different OAuth host for your account.
- Token audience (as24ci_token_audience). Optional. When empty, the plugin derives the audience from the base URL's scheme + host.
- Client ID and Client Secret — required credentials provided by AutoScout24.
- Seller ID(s) — comma-separated list of dealer IDs.
After saving, the Tools tab → Test Connection action performs a real OAuth + listing fetch and reports a clear error if any of the above are wrong.
SSL chain and TLS
- Certificates. The host must trust the certificate chains served by AutoScout24 (and by the managed Google Gemini endpoint when AI features are enabled). On modern Linux distributions this is true out of the box; on long-running containers or air-gapped images the CA bundle (/etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu, /etc/pki/tls/certs/ca-bundle.crt on RHEL-family systems) must be kept up to date.
- TLS versions. The plugin uses the system's OpenSSL/cURL stack, which on supported PHP 8.1+ environments negotiates TLS 1.2 or 1.3 by default. AutoScout24 expects modern TLS; sites pinned to older versions will fail with handshake errors.
- No self-signed exceptions. The plugin does not disable certificate verification. Outbound proxies that perform TLS interception must install their own root CA into the system trust store; otherwise every request will fail with a certificate error.
- Inbound TLS. A valid public certificate is also required on the WordPress site itself, both for general WordPress security and so that external schedulers can call the cron REST endpoint without certificate warnings.
DNS, firewalls and proxies
- DNS. The PHP process must resolve the AutoScout24 hostnames (and generativelanguage.googleapis.com when AI features are enabled). On hardened servers with split-horizon or filtered DNS, ensure the plugin's outbound destinations resolve from the application network, not just from the operator's workstation.
- Outbound firewall. Allow TCP/443 to the destinations listed above. If the firewall enforces an explicit allow-list of fully qualified domain names, allow at least the AutoScout24 API host you configured plus the AutoScout24 image-CDN hostnames seen in API responses.
- HTTP proxies. WordPress respects the standard WP_PROXY_HOST, WP_PROXY_PORT, WP_PROXY_USERNAME, WP_PROXY_PASSWORD and WP_PROXY_BYPASS_HOSTS constants in wp-config.php. If your hosting environment forces an outbound proxy, configure these so that wp_remote_* calls go through it.
- Egress IP pinning. Some corporate AutoScout24 accounts may require the dealer to provide the egress IPs the plugin will use. Verify this with your AutoScout24 account manager and reserve a stable egress IP if needed.
- WAF / reverse proxy on the WordPress side. Make sure the WAF does not strip or alter the Authorization header on the cron REST endpoint, and does not cache /wp-json/as24ci/v1/* responses.
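To check an FQDN allow-list against the image hosts that actually appear in API responses, the following added example (not part of the plugin) lists every https host in a saved response that the allow-list would block. The function names, the sample payload and its hostnames are constructed placeholders; real AutoScout24 image hostnames must be taken from your own responses.

```shell
#!/usr/bin/env bash
# Added example, not plugin code. Allow-list patterns are exact FQDNs or "*.suffix".

# Print the unique, lower-cased https hostnames found in the text on stdin.
extract_hosts() {
  grep -oE 'https://[A-Za-z0-9.-]+' | sed 's|^https://||' | tr 'A-Z' 'a-z' | sort -u
}

# Succeed if host ($1) matches one of the allow-list patterns (remaining arguments).
host_allowed() {
  local host="$1" pat suffix; shift
  for pat in "$@"; do
    case "$pat" in
      \*.*) suffix="${pat#?}"   # ".cdn.example": the dot keeps the match on a label boundary
            case "$host" in *"$suffix") return 0 ;; esac ;;
      *)    [ "$host" = "$pat" ] && return 0 ;;
    esac
  done
  return 1
}

# Print every host from stdin that the allow-list does not cover.
uncovered_hosts() {
  local host
  extract_hosts | while read -r host; do
    host_allowed "$host" "$@" || printf '%s\n' "$host"
  done
}

# Constructed sample: field names and hostnames are placeholders, not real values.
SAMPLE_RESPONSE='{"listings":[{"id":1,"images":[
  "https://img-a.cdn.example/1/front.jpg","https://IMG-b.cdn.example/1/rear.jpg",
  "https://static.other-cdn.example/1/dash.jpg","https://notcdn.example/x.jpg"]}]}'

printf '%s' "$SAMPLE_RESPONSE" | uncovered_hosts 'api.autoscout24.ch' '*.cdn.example'
```

Any host this prints would fail at download time with the "images fail to download even though listings work" symptom until the allow-list covers it.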
Connection testing
The plugin ships several built-in tools for verifying the network and API path end-to-end. Use them in this order:
- Tools tab → Test Connection. Fetches an OAuth token from the configured token URL and then calls the listings endpoint. A successful response confirms credentials, base URL, audience, DNS, TLS and outbound firewall in one step. Failures return human-readable messages such as "Missing API Base URL", "Token request failed" or specific HTTP error codes.
- System & Help / Health tab. Surfaces the configured base URL, last-run timestamps, cron mode and the status of optional integrations. Useful as a single dashboard before and after deployment changes.
- Tools tab → Clear Token Cache. Invalidates the cached OAuth token so the next call obtains a fresh one. Use this immediately after rotating client credentials or changing the token URL.
- Logs tab. When Test Connection fails, the underlying error (e.g. cURL error 6 "Could not resolve host", error 28 "Operation timed out", HTTP 401 from the token endpoint) is recorded with enough context to point at DNS, firewall, TLS or credential issues.
For deeper command-line validation, the following commands run from the web server itself are usually conclusive:
- DNS: getent hosts api.autoscout24.com (or the configured host).
- Reachability and TLS chain: curl -v https://api.autoscout24.com/ should complete the TLS handshake without certificate errors.
- Token endpoint: curl -v -X POST -d "grant_type=client_credentials" https://<your-token-url> should return an HTTP 4xx with a structured error body, confirming the URL is reachable even without credentials.
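The three checks above combined into one preflight script, as an added example that is not part of the plugin. The function names are hypothetical; the token path is the default stated on this page, and curl exit codes 6, 7, 28 and 60 are mapped to the layers named under Troubleshooting.

```shell
#!/usr/bin/env bash
# Added example, not plugin code. Function names are hypothetical.
# Explicit token URL wins; otherwise <base URL>/public/v1/clients/oauth/token.
derive_token_url() {
  local base="$1" explicit="${2:-}"
  while [ "${base%/}" != "$base" ]; do base="${base%/}"; done  # trim trailing slashes
  [ -n "$base" ] || { echo "Missing API Base URL" >&2; return 1; }
  if [ -n "$explicit" ]; then printf '%s\n' "$explicit"
  else printf '%s\n' "$base/public/v1/clients/oauth/token"; fi
}

# Host part of a URL (scheme, path and any port stripped).
url_host() {
  local rest="${1#*://}"
  rest="${rest%%/*}"
  printf '%s\n' "${rest%%:*}"
}

# Map a non-zero curl exit code to the layer to investigate.
classify_curl_exit() {
  case "$1" in
    6)  echo dns ;;        # Could not resolve host
    7)  echo firewall ;;   # Failed to connect
    28) echo timeout ;;    # Operation timed out
    60) echo ca-bundle ;;  # SSL certificate problem
    *)  echo "other($1)" ;;
  esac
}

# DNS, then TLS handshake, then an unauthenticated POST to the token endpoint.
preflight() {
  local token_url host code rc
  token_url="$(derive_token_url "$1" "${2:-}")" || return 1
  for host in "$(url_host "$1")" "$(url_host "$token_url")"; do
    getent hosts "$host" >/dev/null || { echo "FAIL dns $host"; return 1; }
    curl -sS -o /dev/null --max-time 30 "https://$host/"; rc=$?
    [ "$rc" -eq 0 ] || { echo "FAIL $(classify_curl_exit "$rc") $host"; return 1; }
  done
  code="$(curl -sS -o /dev/null -w '%{http_code}' --max-time 30 \
            -X POST -d 'grant_type=client_credentials' "$token_url")"; rc=$?
  [ "$rc" -eq 0 ] || { echo "FAIL $(classify_curl_exit "$rc") $token_url"; return 1; }
  case "$code" in   # without credentials, a reachable endpoint answers 4xx
    4??) echo "OK token endpoint reachable (HTTP $code)" ;;
    *)   echo "CHECK unexpected HTTP $code from $token_url"; return 1 ;;
  esac
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi   # e.g. ./preflight.sh https://api.autoscout24.ch
```

Run it as the web server's user so that it sees the same resolver, proxy and CA bundle as the PHP process; pass a second argument only when a separate Token URL is configured.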
Troubleshooting
- "Missing API Base URL". Configure Settings → API Base URL (e.g. https://api.autoscout24.ch) and save before retrying.
- "Missing API credentials (Client ID/Secret)". Paste the credentials supplied by AutoScout24 and save.
- "Token request failed" with HTTP 401/403. Credentials are wrong, expired, or the token URL/audience does not match what AutoScout24 issued the credentials for. Verify in the AutoScout24 partner portal.
- "Token request failed" with HTTP 5xx. Transient AutoScout24-side issue. Retry after a few minutes; the importer will recover automatically on its next cron run.
- cURL error 6 ("Could not resolve host"). DNS is broken on the web server. Check /etc/resolv.conf, the hosting provider's DNS service and any split-horizon configuration.
- cURL error 7 ("Failed to connect"). Outbound firewall is blocking TCP/443 to the destination, or an upstream proxy is required (configure WP_PROXY_* in wp-config.php).
- cURL error 28 ("Operation timed out"). Either network latency or an outbound proxy that delays the connection. Verify reachability with curl -v from the web server itself.
- cURL error 60 ("SSL certificate problem"). The system CA bundle is outdated or an intercepting proxy is presenting an untrusted certificate. Update ca-certificates (or equivalent) and install the corporate root CA into the system trust store.
- Images fail to download even though listings work. Image URLs may live on different AutoScout24 hosts; widen the outbound allow-list to cover the AutoScout24 image CDNs.
- External cron calls return 404 for /wp-json/as24ci/v1/cron-import. WordPress permalinks must be enabled (any setting other than "Plain"). Re-save the Permalinks page and retry.
- External cron calls return 403 "Invalid or missing token". The header or query parameter does not match the saved token. Regenerate the token in the Import & Limits tab and update the scheduler.
- AI calls fail while AutoScout24 calls succeed. The managed Gemini host (generativelanguage.googleapis.com) is not allowed by the outbound firewall, or the managed Gemini configuration in AS24CI\Ai_Config has not been provisioned. The main importer is unaffected.