[wp-trac] [WordPress Trac] #64819: Revisit AI provider API key masking & validation

WordPress Trac noreply at wordpress.org
Thu Mar 12 12:05:49 UTC 2026 

#64819: Revisit AI provider API key masking & validation
--------------------------+-------------------------------
 Reporter:  swissspidy    |       Owner:  jorgefilipecosta
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:  7.0
Component:  AI            |     Version:  trunk
 Severity:  normal        |  Resolution:  fixed
 Keywords:  has-patch     |     Focuses:
--------------------------+-------------------------------
Changes (by jorgefilipecosta):

 * owner:  (none) => jorgefilipecosta
 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"61985" 61985]:
 {{{
 #!CommitTicketReference repository="" revision="61985"
 Connectors: Add API key source detection and refactor REST
 behaviour/masking.

 Add `_wp_connectors_get_api_key_source()` to detect whether an API key is
 configured via environment variable, PHP constant, or database. The UI
 uses this to show the key source and hide "Remove and replace" for
 externally configured keys.
 Replace `_wp_connectors_validate_keys_in_rest()` and
 `_wp_connectors_get_real_api_key()` with a single `rest_post_dispatch`
 handler, `_wp_connectors_rest_settings_dispatch()`, that masks keys in all
 `/wp/v2/settings` responses and validates on POST/PUT, reverting invalid
 keys.
 Simplify `_wp_register_default_connector_settings()` by replacing the
 closure-based `sanitize_callback` and `option_` mask filter with plain
 `sanitize_text_field`, since masking is now handled at the REST layer.
 Enrich `_wp_connectors_get_connector_script_module_data()` to expose
 `keySource`, `isConnected`, `logoUrl`, and plugin `isInstalled` /
 `isActivated` status to the admin screen.
 Update `_wp_connectors_pass_default_keys_to_ai_client()` to skip keys
 sourced from environment variables or constants and read the database
 directly via `get_option()`.
 Set `_wp_connectors_init` priority to 15 so the registry is ready before
 settings are registered at priority 20.

 Backports https://github.com/WordPress/gutenberg/pull/76266.
 Backports https://github.com/WordPress/gutenberg/pull/76327.

 Props jorgefilipecosta, gziolo, swissspidy, flixos90.
 Fixes #64819.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64819#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list