WooCommerce — integration guide
WooCommerce is the WordPress e-commerce plugin behind most EU SMB textile/footwear stores. DPP Agent reads via the REST API with a read-only consumer key + secret pair.
What the adapter does, in one sentence
DPP Agent paginates /wp-json/wc/v3/products, folds product
variations into their parents, and emits one DPP row per
GTIN-bearing leaf — Read-only, no WordPress side changes, no
write-back.
Authentication
HTTP Basic with a consumer key + consumer secret pair issued in WP-admin → WooCommerce → Settings → Advanced → REST API → Add key.
Set the key to Read permission. Do not grant Read/Write.
We store the pair as consumer_key:consumer_secret (colon-joined) and
split at runtime. The colon is significant — keys themselves never
contain a colon.
GET <site_url>/wp-json/wc/v3/products?per_page=100&page=1
Authorization: Basic <base64(key:secret)>
Credential handling
Same envelope as the other adapters: AES-256-GCM at rest, the pair is shown redacted in the UI, decrypted in-memory for the duration of a sync only, never logged. Deleting the key from WP-admin invalidates it immediately — the next sync run fails cleanly with HTTP 401.
Scope limitation
1. Read-only consumer key
The key permission level is enforced by WordPress, not by us. With Read permission the consumer pair cannot:
- Create / update / delete products
- Read or modify orders, customers, refunds
- Access store settings, payment gateways, or webhooks
Even if our code were compromised it could not mutate the store.
2. Status filter (default publish)
settings.status = "publish" excludes drafts, private and trashed
products. Only the public, live catalogue is returned.
3. Page size
settings.page_size = 100 (max) keeps the per-page payload to a few
hundred KB and stays comfortably under WordPress's max_execution_time
defaults.
4. Variation handling
When include_variations = Y (default) the adapter fetches each
variable product's variations endpoint and folds them into the parent
before emitting DPP rows. The variations endpoint follows the same
read_products-equivalent permission — no extra scope needed.
5. Network IP allowlist
WordPress doesn't expose an IP allowlist out of the box, but
ModSecurity, Cloudflare, or a host-level firewall can scope the
/wp-json/wc/v3/* endpoints to Vercel's egress IPs.
Settings reference
| Setting | Required | Purpose |
|---|---|---|
site_url |
yes | https://yourshop.com (no trailing slash needed) |
api_version |
no | Default wc/v3 |
page_size |
no | 1–100. Default 100. |
status |
no | Default publish. Set to draft for a dry-run pull. |
include_variations |
no | Y (default) or N. Y is recommended for variable products. |
The credential row is stored as key:secret. Rotate by overwriting
the pair in the UI; the old row is cleared before the new one is
written.
Sync semantics
Conflict policy is the platform default:
- Draft DPPs are overwritten
- Active DPPs spawn
dpp_revisions(status=pending)for human review - Withdrawn / archived / recalled DPPs are skipped
Deletion: if a product is trashed in WooCommerce, the corresponding
DPP remains in dpp_runtime. EN 18219 / EN 18223 retention rules apply.
Onboarding sequence
- WP-admin → WooCommerce → Settings → Advanced → REST API → Add key
- Description:
DPP Agent, User: a service account, Permissions: Read - Copy the consumer_key + consumer_secret pair (shown once)
- In DPP Agent → Integrations → Add WooCommerce → paste
site_urland the credential pair askey:secret - Connection test pulls 1 page and reports the product count
- First sync,
sync_max_pages = 2-3 - Review draft DPPs in admin; verify variations folded correctly
- Full sync once mapping is locked
- Cron picks up the schedule (6h default, per-tenant configurable)
Compliance hooks
| ESPR field | WooCommerce path |
|---|---|
espr.pid.gtin |
meta_data._global_unique_id or sku (if numeric 8–14) |
espr.pid.product_name |
name |
espr.pid.product_description |
short_description (HTML stripped, 600-char cap) |
espr.pid.color |
attributes[name=pa_color].options[] |
espr.pid.size |
attributes[name=pa_size].options[] |
tex.product.brand_category |
categories[].name |
tex.product.hero_image_url |
images[0].src |
WooCommerce doesn't carry a first-class GTIN field — most stores
record it under meta_data._global_unique_id (GS1 plugin), under
_alg_ean (EAN Manager), or simply as the SKU. The mapper checks
those candidates in order. If your store uses a different key, add
a gtin_meta_key override in the integration's Edit modal.
WooCommerce has no supplier or supply-chain model — for AGEC traceability connect Delogue or TrusTrace alongside.
Troubleshooting
- HTTP 401 on probe — key was revoked in WP-admin, or you pasted
the pair without the
:separator - HTTP 401 over HTTPS, HTTP 200 over HTTP — common WordPress quirk:
some hosts strip the
Authorizationheader on HTTPS. SetHTTP_AUTHORIZATIONrewrite in.htaccessor switch to query-string auth (?consumer_key=...&consumer_secret=...) - GTIN missing on many rows — your store doesn't expose GTIN at a
standard meta key. Configure the
gtin_meta_keyoverride or backfill the SKU field with the EAN - Variations not folded —
include_variations = N, or the parent product istype=simple(no variations exist) - HTTP 502 / Cloudflare timeout — WP host can't serve the requested
page_sizein time; lower to 50 and re-run
Open a ticket at support@dppagent.com with the integration ID + log.