REST API
Burst Statistics exposes a custom beacon endpoint and a set of WordPress REST API routes under the burst/v1 namespace. This reference documents every endpoint visible in the v3.3.0 source.
Overview
| Endpoint | Method | Auth | Permission |
|---|---|---|---|
{site}/burst-statistics/endpoint.php | POST | None | Public |
burst/v1/track | POST | None | Public |
burst/v1/menu | GET | Nonce | manage |
burst/v1/fields/get | GET | Nonce | manage |
burst/v1/fields/set | POST | Nonce | manage |
burst/v1/options/set | POST | Nonce | manage |
burst/v1/goals/get | GET | Nonce | view |
burst/v1/goals/add | POST | Nonce | manage |
burst/v1/goals/set | POST | Nonce | manage |
burst/v1/goals/delete | POST | Nonce | manage |
burst/v1/goals/add_predefined | POST | Nonce | manage |
burst/v1/data/{type} | GET | Nonce | view |
burst/v1/data/ecommerce/{type} | GET | Nonce | view_sales |
burst/v1/do_action/{action} | POST | Nonce | manage |
burst/v1/get_action/{action} | GET | Nonce | view |
burst/v1/posts/ | GET | Nonce | manage |
burst/v1/mainwp-auth | POST | RSA signature | Public* |
Permission levels:
- manage — requires
manage_burst_statisticscapability (typically administrators). - view — requires
view_burst_statisticscapability. Granted to administrators and toburst_viewerrole holders accessing a share link. - view_sales — requires
view_burst_statistics_salescapability (Pro, ecommerce data).
Tracking Endpoints
Beacon endpoint (endpoint.php)
The primary tracking endpoint. It is a standalone PHP file that bootstraps WordPress with SHORTINIT for performance, then calls Tracking::beacon_track_hit() to record a hit.
URL: {plugin_url}/burst-statistics/endpoint.php
Method: POST
Content-Type: application/x-www-form-urlencoded
Authentication: None required.
Test request
Send request=test to verify the endpoint is reachable. The endpoint returns HTTP 200 on success.
// Server-side test (mirrors what Burst does internally)
$response = wp_remote_post(
plugins_url( 'endpoint.php', BURST_FILE ),
[
'method' => 'POST',
'headers' => [ 'Content-type' => 'application/x-www-form-urlencoded' ],
'body' => [ 'request' => 'test' ],
'sslverify' => false,
]
);
CORS (cross-origin support)
By default the beacon endpoint only accepts same-origin requests. To allow hits from a different domain, define the BURST_ALLOWED_ORIGINS constant (comma-separated host names, no scheme or path) in wp-config.php:
define( 'BURST_ALLOWED_ORIGINS', 'app.example.com,cdn.example.com' );
When the constant is defined the endpoint:
- Checks
HTTP_ORIGINagainst the allowed list. - If the origin matches, it reflects
Access-Control-Allow-Origin, allows credentials, and acceptsPOSTandOPTIONSmethods. - If the origin does not match, it returns HTTP 403 and exits.
If BURST_ALLOWED_ORIGINS is defined, any origin not in the list is rejected. Leave the constant undefined to keep the default same-origin-only behaviour.
Preflight OPTIONS requests receive HTTP 204 with an Access-Control-Max-Age: 3600 header.
POST burst/v1/track
WordPress REST API fallback tracking route. Used when the standalone endpoint.php beacon is unreachable (e.g., aggressive server-side caching or rewrite rules that block direct PHP file access).
Route: burst/v1/track
Method: POST
Content-Type: application/json
Permission callback: __return_true (public, no authentication required).
Burst automatically determines whether to use the beacon or this REST route by running a connectivity test on plugin load (see Tracking status).
Test request
$response = wp_remote_post(
get_rest_url( null, 'burst/v1/track' ),
[
'headers' => [ 'Content-Type' => 'application/json; charset=utf-8' ],
'method' => 'POST',
'body' => wp_json_encode( [ 'request' => 'test' ] ),
'data_format' => 'body',
'timeout' => 5,
]
);
HTTP 200 indicates the REST route is reachable.
Tracking status
Burst\Frontend\Endpoint manages which tracking method (beacon or REST) is active. The result is stored in the burst_tracking_status option with one of three values:
| Value | Meaning |
|---|---|
beacon | endpoint.php is reachable; primary tracking method. |
rest | endpoint.php is not reachable; REST API fallback is used. |
error | Neither method is reachable; no tracking is occurring. |
The status is re-tested automatically:
- Once every 24 hours when status is
beaconorrest. - Once every 10 minutes when status is
error(to recover faster).
The re-test interval can be overridden with the burst_time_between_tests filter.
Admin REST API
All admin routes are registered under the burst/v1 namespace. Every write request (POST) must include a valid burst_nonce nonce, typically via the X-WP-Nonce header.
GET burst/v1/menu
Returns the admin menu configuration used to build the settings UI.
Permission: manage
GET burst/v1/fields/get
Returns all field definitions and the full menu configuration.
Permission: manage
POST burst/v1/fields/set
Saves multiple settings fields at once.
Permission: manage Nonce: required
POST burst/v1/options/set
Saves a single option value.
Permission: manage Nonce: required
GET burst/v1/goals/get
Returns all configured goals and the list of predefined goals.
Permission: view
POST burst/v1/goals/add
Creates a new goal.
Permission: manage Nonce: required
POST burst/v1/goals/set
Updates an existing goal.
Permission: manage Nonce: required
POST burst/v1/goals/delete
Deletes a goal.
Permission: manage Nonce: required
POST burst/v1/goals/add_predefined
Adds one of the built-in predefined goals.
Permission: manage Nonce: required
GET burst/v1/data/{type}
Returns statistics data for the requested data type.
Permission: view
Route parameter: {type} — a lowercase string matching [a-z_-]+.
{type} value | Description |
|---|---|
live-visitors | Current live visitor count. |
live-traffic | Recent live traffic data. |
today | Aggregated statistics for today. |
goals | Goal statistics for the selected period. |
live-goals | Live goal conversion counts. |
insights | Insights data for the selected period. |
compare | Comparison data between two periods. |
devicestitleandvalue | Device breakdown metrics. |
devicessubtitle | Device subtitle data. |
datatable | General datatable data for the selected period. |
GET burst/v1/data/ecommerce/{type}
Returns ecommerce statistics data. Mirrors data/{type} but sets is_ecommerce = true internally and requires the sales-specific capability.
Pro
This endpoint is only available in Burst Statistics Pro.
Changed in v3.3.0: The permission_callback for this endpoint was updated from user_can_view() to user_can_view_sales(). Previously any user with the view_burst_statistics capability could reach this endpoint; from v3.3.0 onward the view_burst_statistics_sales capability is required. Code that called this endpoint as a regular viewer role will receive HTTP 403.
Permission: view_sales
Route parameter: {type} — same values as data/{type}.
POST burst/v1/do_action/{action}
Generic write-action endpoint. The {action} parameter selects the operation to perform.
Permission: manage
Nonce: required
Route parameter: {action} — a lowercase string matching [a-z_-]+.
Built-in actions:
{action} value | Description |
|---|---|
plugin_actions | Install or activate companion plugins. |
fix_task | Apply an automated fix for a task. |
dismiss_task | Dismiss a task from the dashboard. |
Additional actions can be registered via the burst_do_action WordPress action hook (see Extending do_action and get_action).
GET burst/v1/get_action/{action}
Generic read-action endpoint.
Permission: view
Nonce: required
Route parameter: {action} — a lowercase string matching [a-z_-]+.
Built-in actions:
{action} value | Description |
|---|---|
tasks | Returns the list of plugin tasks. |
tracking | Returns tracking status and last-test timestamp. |
get_article_data | Returns per-article statistics data. |
get_filter_options | Returns available filter values (devices, browsers, countries, etc.). |
otherpluginsdata | Returns data from integrated third-party plugins. |
Additional actions can be registered via the burst_get_action WordPress action hook (see Extending do_action and get_action).
GET burst/v1/posts/
Searches WordPress posts for use in goal or filter selectors.
Permission: manage
Query parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
search_input | string | No | Search term. Sanitised with sanitize_title. |
POST burst/v1/mainwp-auth
Pro
This endpoint is only available in Burst Statistics Pro when the MainWP integration is active.
Issues an Application Password token for the MainWP dashboard to authenticate subsequent REST API calls. Although the permission callback is public (__return_true), authentication is enforced via RSA signature verification: the request body must be signed with the private key that corresponds to the public key stored in the mainwp_child_pubkey option.
Method: POST
Permission callback: __return_true (authentication via RSA signature, not WordPress nonce).
On success, returns:
| Field | Type | Description |
|---|---|---|
token | string | Base64-encoded Application Password token. |
root_url | string | WordPress REST API root URL. |
localization_data | object | Dashboard localisation strings and settings. |
CORS: When the MainWP integration is active, permissive CORS headers are added to all burst/v1 routes. The Origin header is reflected, credentials are allowed, and the Authorization, X-WP-Nonce, X-Burst-Share-Token, and X-BurstMainWP request headers are permitted.
Share Links (Pro)
Pro
The share link system is only available in Burst Statistics Pro.
Share links allow a read-only, password-free view of the Burst dashboard to be shared externally. They work through a rewritten URL (/burst-dashboard/?burst_share_token={token}), which logs in a system user (burst_statistics_viewer) with the burst_viewer role for the duration of the session.
Share link operations are surfaced through the generic do_action and get_action REST routes described above.
do_action/get_share_token
Creates (or renews) a share token. Requires manage permission.
Body parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
expiration | string | 7d | Token lifetime: never, 24h, 7d, or 30d. |
view_url | string | '' | The dashboard URL the share link should open (hash fragment is preserved). |
permissions | object | {} | Permission flags — filtered via burst_share_permissions. |
shared_tabs | array | [] | Tab IDs to expose: dashboard, statistics, sources, sales, subscriptions. |
initial_state | object | {} | Pre-selected state: date_range.start, date_range.end, filters (key/value pairs). |
report_id | int | 0 | Attach the token to a specific report (reuses existing token for the same report ID). |
Response:
{
"share_token": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
"share_url": "https://example.com/burst-dashboard/?burst_share_token=a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"
}
do_action/revoke_share_link
Permanently deletes a share token. Requires manage permission.
Body parameters:
| Parameter | Type | Description |
|---|---|---|
token | string | The 32-character hex token to revoke. |
Response:
{
"success": true,
"share_links": []
}
get_action/get_share_links
Returns all active (non-expired) share links and the list of shareable dashboard tabs. Requires view permission.
Response:
{
"share_links": [
{
"token": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
"url": "https://example.com/burst-dashboard/?burst_share_token=a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
"expires": 1712000000,
"created": 1711913600,
"report_id": 0,
"permissions": { "can_change_date": false, "can_filter": false },
"shared_tabs": ["dashboard", "statistics"],
"initial_state": { "date_range": { "start": "", "end": "" }, "filters": {} }
}
],
"shareable_tabs": [
{ "id": "dashboard", "title": "Dashboard" },
{ "id": "statistics", "title": "Statistics" }
]
}
Report share links
When a share token is created with a non-zero report_id, the corresponding Report::to_array() response is scoped to only the fields safe for external viewers. Scheduling and recipient metadata are withheld.
Full field set (authenticated admin request):
| Field | Type | Description |
|---|---|---|
id | int | Report ID. |
name | string | Report name. |
format | string | Report format identifier. |
enabled | bool | Whether the report is active. |
content | array | Report content blocks. |
reportDateRange | string | Date range for the report. |
fixedEndDate | string | Fixed end date if set. |
frequency | string | Sending frequency. |
weekOfMonth | string | Week-of-month setting. |
dayOfWeek | string | Day-of-week setting. |
sendTime | string | Scheduled send time. |
lastEdit | int | Timestamp of last edit. |
scheduled | bool | Whether the report is scheduled for automatic sending. |
recipients | array | Recipient e-mail addresses. |
lastSendStatus | string | Status of the last send attempt (see below). |
lastSendMessage | string | Human-readable message for the last send status. |
Reduced field set (shared link request — is_shared_link = true):
The following fields are omitted and replaced with their default/empty values: frequency, weekOfMonth, dayOfWeek, sendTime, lastEdit, scheduled, recipients, lastSendStatus, lastSendMessage.
If the report is disabled (enabled = false), to_array() returns an empty array [] for shared link requests; the report is not exposed.
lastSendStatus values:
Changed in v3.3.0: The ready_to_send status value was renamed to ready_to_share.
| Value | Description |
|---|---|
ready_to_share | Report is not scheduled; ready to be shared via link. Changed in v3.3.0 from ready_to_send. |
sent | Report was successfully sent. |
failed | Last send attempt failed. |
Share::get_share_links() PHP API
Changed in v3.3.0: get_share_links() changed from a static method to an instance method and gained a required $type parameter as its first argument.
// Before v3.3.0 (static call, no $type parameter)
$links = Share::get_share_links( $token, $report_id );
// v3.3.0 and later (instance call, $type required)
$share = new \Burst\Admin\Share\Share();
$links = $share->get_share_links( 'link' ); // only dashboard share links
$links = $share->get_share_links( 'report', '', 42 ); // links for report ID 42
$links = $share->get_share_links( 'all' ); // all tokens
Parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
$type | string | 'all' | Filter type: 'all' returns every token; 'link' returns only dashboard share links (report_id === 0); 'report' returns only report tokens (report_id !== 0). When $type is 'report' and $report_id > 0, a token is auto-generated for the report if none exists. |
$token | string | '' | Optional: filter by a specific token value. |
$report_id | int | 0 | Optional: filter by report ID. |
Share link authentication
Viewers send the token in the X-Burst-Share-Token HTTP header on every REST request. The burst_verify_nonce filter intercepts nonce verification and treats a valid token as equivalent to a valid nonce for users with the burst_viewer role.
Token format: 32-character lowercase hexadecimal (bin2hex( random_bytes( 16 ) )). Any value not matching /^[a-f0-9]{32}$/ is rejected.
Extending do_action and get_action
burst_do_action
Fires inside POST burst/v1/do_action/{action}. Use it to handle custom write operations.
Parameters:
| Parameter | Type | Description |
|---|---|---|
$output | array | Current response array. Modify and return it. |
$action | string | The {action} segment from the route. |
$data | array|null | Decoded JSON body of the request. |
Example:
add_action( 'burst_do_action', function( array $output, string $action, ?array $data ): array {
if ( $action === 'my_custom_action' ) {
// perform write operation
$output = [ 'success' => true, 'message' => 'Done.' ];
}
return $output;
}, 10, 3 );
burst_get_action
Fires inside GET burst/v1/get_action/{action}. Use it to handle custom read operations.
Parameters:
| Parameter | Type | Description |
|---|---|---|
$output | array | Current response array. Modify and return it. |
$action | string | The {action} segment from the route. |
Example:
add_action( 'burst_get_action', function( array $output, string $action ): array {
if ( $action === 'my_custom_data' ) {
$output = [ 'items' => get_my_custom_data() ];
}
return $output;
}, 10, 2 );
Filters Reference
burst_time_between_tests
Controls how frequently Burst re-tests whether the beacon or REST tracking endpoint is reachable.
Parameters:
| Parameter | Type | Description |
|---|---|---|
$time_between_tests | int | Seconds between connectivity tests. Default: DAY_IN_SECONDS (86400) when tracking is working; 10 * MINUTE_IN_SECONDS (600) when status is error. |
Example:
add_filter( 'burst_time_between_tests', function( int $time_between_tests ): int {
// Re-test every 6 hours regardless of status.
return 6 * HOUR_IN_SECONDS;
} );
burst_share_permissions
Filters the permissions array applied to a share token before it is stored or returned.
Pro
This filter is only relevant in Burst Statistics Pro.
Parameters:
| Parameter | Type | Description |
|---|---|---|
$defaults | array | Default permissions: [ 'can_change_date' => false, 'can_filter' => false ]. |
$raw_permissions | array | Raw permissions as received from the REST request body. |
Example:
add_filter( 'burst_share_permissions', function( array $defaults, array $raw_permissions ): array {
// Merge raw permissions into defaults, keeping only known keys.
return array_merge( $defaults, array_intersect_key( $raw_permissions, $defaults ) );
}, 10, 2 );
burst_verify_nonce
Allows third-party code to override nonce verification for REST requests. Used internally by the share link system to accept X-Burst-Share-Token in place of a WordPress nonce for burst_viewer users.
Parameters:
| Parameter | Type | Description |
|---|---|---|
$nonce_is_valid | bool | Whether the nonce passed standard WordPress verification. |
$nonce | string|null | The nonce value from the request. |
$action | string | The nonce action string (e.g. burst_nonce). |
Example:
add_filter( 'burst_verify_nonce', function( bool $nonce_is_valid, ?string $nonce, string $action ): bool {
if ( $action === 'burst_nonce' && my_verify_custom_token() ) {
return true;
}
return $nonce_is_valid;
}, 10, 3 );
burst_share_link_permissions
Returns the resolved permission set for the currently active share link, keyed from the burst_share_token query parameter in the current request.
Pro
This filter is only relevant in Burst Statistics Pro.
Parameters:
| Parameter | Type | Description |
|---|---|---|
$permissions | array | Current permissions array (empty by default when no valid token is present). |
When a valid token is present the array contains:
| Key | Type | Description |
|---|---|---|
can_change_date | bool | Whether the viewer may change the date range. |
can_filter | bool | Whether the viewer may apply filters. |
is_shareable_link_viewer | bool | Whether the current user holds the burst_viewer role. |
Example:
add_filter( 'burst_share_link_permissions', function( array $permissions ): array {
// Always allow date changes for share link viewers.
if ( ! empty( $permissions['is_shareable_link_viewer'] ) ) {
$permissions['can_change_date'] = true;
}
return $permissions;
} );
burst_menu (share link context)
The standard burst_menu filter is applied a second time during share link sessions to strip menu items the token does not grant access to. Only items with 'shareable' => true whose id appears in the token's shared_tabs list are kept.
See the Hooks & Filters reference for the full burst_menu documentation.