Decide what data is exposed, who can access it, and how it is shaped. Self-hosted, open-source, built for developers who are done rebuilding the same things from scratch.
SaaS CMSes are convenient until they are not β pricing changes, data lives on someone else's server, and migrating out is painful. WordPress has powered the open web for 20 years. Application Layer gives it the application infrastructure it was always missing.
Authentication, data shaping, API scoping, event automation, security hardening: the features you have been assembling from a dozen plugins on every project, now in one coherent layer β with a clean admin UI, a full hooks API, and zero vendor lock-in.
WordPress exposes a lot by default β user data, internal meta, raw field structures. Application Layer lets you audit every route, globally disable HTTP methods, post types or taxonomies, and in Pro, decide field by field what leaves your server.
Stop massaging responses client-side. Apply sitewide transforms for free: resolve embedded terms, flatten rendered wrappers, strip domain from URLs. Pro adds per-property rename, remap, and fully custom schemas.
One WordPress installation. Multiple applications β each with its own auth method, data view, rate limit, and secret. The same content, safely served to different consumers.
No subscription required for the core feature set. No telemetry. No external dependency. Your WordPress, your server, your rules.
Use WordPress as the content back-end for a React, Next.js, Nuxt, or mobile app. Enforce authentication, transform responses to match your front-end schema, and keep WordPress internals invisible to consumers.
Self-host your content infrastructure. Keep editorial teams on a familiar interface while giving developers a clean, controlled API β without recurring costs or third-party data custody.
Serve multiple client applications from a single WordPress back-end. Isolate authentication, content views, and rate limits per application β each client sees only what they are entitled to.
Serve content in multiple languages across separate websites or applications, each with its own REST API scope, response schema, and delivery configuration.
| Feature | Free | Pro |
|---|---|---|
| REST API route explorer | β | β |
| Authentication & Rate Limiting | β | β |
| Properties & Models (sitewide transforms) | β | β |
| Routes: global method / post-type / taxonomy disable | β | β |
| WordPress Security Hardening | β | β |
| Webhook (single, post lifecycle events) | β | β |
| Hooks & Filters API | β | β |
| Multiple Applications | β | β |
| Global IP Filtering (shared blocklist, runs before app resolution) | β | β |
| Global IP Filtering: CIDR ranges + country blocking | β | β |
| Per-Application IP Filtering (additional app-scoped blocks) | β | β |
| Per-Application IP Filtering: CIDR + country blocking + retention time | β | β |
| Collections & Sort Order | β | β |
| Properties & Models (per-property control + custom schemas) | β | β |
| Settings Route schema editor (ACF options, menus) | β | β |
| Per-Route Policy (per-route disable, redirect, user restriction) | β | β |
| Automations | β | β |
| Multiple Webhooks (unlimited, per application) | β | β |
| Email Templates | β | β |
| Request Logs & Audit Trail | β | β |
The next modules in development:
WooCommerce Bridge
Headless access to WooCommerce β products, cart, checkout, and Stripe/PayPal payments β through the same application security layer.
Forms Bridge
Secure form submission endpoints with entry management, configurable data retention, GDPR options, and AES-256 encryption. Compatible with WPForms and Contact Form 7.
Site Import / Export
Cherry-pick content and configuration to sync, migrate, or replicate between WordPress installations through the REST API β powered by the same field mapping already in Models.
Editorial Workflow
Authors scoped to their own posts and media. Validation workflows, co-authoring, post duplication, post type conversion, and multi-author taxonomies β for production editorial teams.
Static Pages & Custom URLs
Spin up static landing pages on any domain directly from WordPress. Choose any URL pattern for posts and pages β free from WordPress's default URL constraints.
Database Encryption
An optional encryption layer for sensitive data stored in wp_options and custom tables β transparent to the application.
