Vexal Documentation by WileyLabs

Machine authentication and contracts

Stable

Applies to: Hub ↔ Intake (and future modules)

Human login and machine authentication are separate systems. Machine credentials never replace WordPress user sessions.

Machine authentication

Per-site machine tokens authorize Hub pulls of module/workspace payloads from connected sites (e.g. Intake). Fail closed on desync, revoke, or contract mismatch.

Credential vault

Outbound credentials are vaulted on Hub. Site reassignment does not casually rotate tokens; rotation is an explicit operator action with audit implications.

Module Manifest contract

Typed module summaries (e.g. Intake Leads card inputs) validated before cache write. Invalid payloads rejected; last-known-good preserved where designed.

Workspace contract

Customer-safe Workspace card payloads (summaries, destinations) separate from full module manifests. Destination URLs are allowlisted (same-site front-end; no wp-admin bleed).

Operator Integration Health

Operator-only visibility into Hub→remote pull health (credential desync vs transport vs contract failures).

See also