The Esquina Shortcodes Plugin communicates with the YouTube Data API v3 and the Facebook Graph API on your behalf. Both integrations require credentials — an API key and a page access token — that must be kept private. This page explains how the plugin handles those credentials internally, what the secure configuration options are, and what to avoid.
Credential storage and priority chains
The plugin resolves both the YouTube API key and the Facebook access token through a priority chain at runtime. The highest-priority source that contains a non-empty value wins. Understanding this chain helps you choose the right storage method for your environment.

YouTube API key resolution

- Admin DB option — `esquina_youtube_settings[api_key]`, set via EsquinaWeb → YouTube in the WordPress dashboard. This is the recommended method for most sites.
- `wp-config.php` constant — `ESQUINA_YT_API_KEY`. Preferred for environments where the database might be exported or shared, because `wp-config.php` is excluded from WordPress exports by default.
- Shortcode attribute — `api_key="…"` on the `[youtube_largo]` or `[youtube_shorts]` shortcode. This is the least secure option and should never be used in production.
Facebook access token resolution
- Admin DB option — `esquina_facebook_settings[access_token]`, set via EsquinaWeb → Facebook in the WordPress dashboard.
- `wp-config.php` constant — `ESQUINA_FB_PAGE_ACCESS_TOKEN`. Use this to keep the token out of the database entirely.
- WordPress filter — `esquina_fb_access_token`. Allows advanced users to resolve the token programmatically (e.g. from a secrets manager or environment variable).
Never expose credentials in shortcodes
Recommended wp-config.php configuration
For the highest level of isolation, define both credentials in wp-config.php above the /* That's all, stop editing! */ line:
wp-config.php
Because `wp-config.php` is excluded from the WordPress export tool and is never served directly by the web server (assuming a correctly configured server), credentials stored there are protected from most application-layer leaks.
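The two resolution chains above and the `esquina_fb_access_token` filter, as an added illustration that is not the plugin's own code. It assumes the filter receives the token the plugin has already resolved as its first argument and must return a token; the helper function name and the environment-variable names are assumptions as well.

```php
<?php
// Added illustration (not the plugin's own code) of the documented priority chain
// and of the esquina_fb_access_token filter. Assumption: the filter receives the
// token the plugin has already resolved as its first argument and must return a token.
// Put the add_filter() call in a must-use plugin (wp-content/mu-plugins/) so it is
// registered before any shortcode renders. The wp-config.php constants can be fed from
// the process environment so the secret sits in neither the file nor the database:
//   define('ESQUINA_YT_API_KEY', getenv('ESQUINA_YT_API_KEY') ?: '');
//   define('ESQUINA_FB_PAGE_ACCESS_TOKEN', getenv('ESQUINA_FB_PAGE_ACCESS_TOKEN') ?: '');

add_filter('esquina_fb_access_token', function ($token) {
    // Environment variable injected by the container or secrets manager (assumed name).
    // Fall back to whatever the plugin already resolved from the option or constant.
    $from_env = getenv('ESQUINA_FB_PAGE_ACCESS_TOKEN');
    if (is_string($from_env) && trim($from_env) !== '') {
        return trim($from_env);
    }
    return $token;
});

/**
 * Mirrors the YouTube key chain documented above: admin option, then wp-config.php
 * constant, then the (discouraged) shortcode attribute. Returns '' when nothing is set.
 */
function esquina_demo_resolve_yt_key(array $atts): string {
    $settings = get_option('esquina_youtube_settings', []);
    if (is_array($settings) && !empty($settings['api_key'])) {
        return trim((string) $settings['api_key']);
    }
    if (defined('ESQUINA_YT_API_KEY') && ESQUINA_YT_API_KEY !== '') {
        return ESQUINA_YT_API_KEY;
    }
    if (!empty($atts['api_key'])) {
        // Reaching this branch means a key is stored in post content; log it so it can
        // be found and moved to the admin option or wp-config.php.
        error_log('esquina: YouTube api_key supplied via shortcode attribute; move it out of post content');
        return trim((string) $atts['api_key']);
    }
    return '';
}
```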
AJAX nonce protection
Both AJAX endpoints the plugin exposes are protected by WordPress nonces, which prevent cross-site request forgery (CSRF) attacks.

| Shortcode type | Nonce name | AJAX action |
|---|---|---|
| YouTube (`[youtube_largo]`, `[youtube_shorts]`) | esquina_yt_feed | esquina_yt_more |
| Facebook (`[facebook_posts]`) | esquina_fb_feed | esquina_fb_more |

Each nonce is generated with `wp_create_nonce()` and embedded in the page’s JavaScript configuration object. Every AJAX handler validates the nonce server-side with `check_ajax_referer()` before processing the request. Requests with a missing or invalid nonce are rejected immediately.
YouTube API key isolation via server-side sessions
When the YouTube feed is used in “unlimited” mode (max="all" or max=""), the plugin creates a server-side session stored as a WordPress transient. The API key, channel ID, and mode are saved in a transient keyed esquina_yt_s_{uuid}, where {uuid} is a randomly generated UUID. A companion transient — esquina_yt_seen_{uuid} — tracks the IDs of videos already delivered to that visitor, ensuring each AJAX “load more” request skips videos already shown.
The browser receives only the UUID session identifier — the API key itself is never included in the rendered HTML, in data-* attributes, or in any AJAX response. This means that even if a visitor inspects the page source or monitors network traffic, they will not see your YouTube API key.
Both the session transient (`esquina_yt_s_{uuid}`) and the seen-IDs transient (`esquina_yt_seen_{uuid}`) expire after 1 hour. If a visitor leaves the “load more” button idle for longer than that, the next click will return a session-expired error, but no credential will ever be exposed.

Facebook token isolation
The Facebook access token is resolved entirely server-side. It is used to construct the Graph API request URL on the server, and it is never included in:

- The rendered HTML output of the shortcode
- The `data-config` JSON attribute embedded in the page
- Any AJAX response sent to the browser
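The nonce check and the server-side session scheme described above for the YouTube feed, as an added illustration that is not the plugin's own code; the same shape (validate nonce, look up secrets server-side, return only public data) is what keeps the Facebook token out of AJAX responses. The nonce name, AJAX action and transient key patterns are the documented ones; the function names, the POST fields `nonce` and `session`, and the `search.list` call are assumptions.

```php
<?php
// Added illustration (not the plugin's own code) of the nonce check and server-side session
// described above. Nonce name, AJAX action and transient key patterns are the documented ones;
// the function names, POST fields `nonce`/`session` and the search.list call are my assumptions.

// Rendering side: keep the key in a transient, hand the browser only the UUID.
function esquina_demo_start_session(string $api_key, string $channel_id, string $mode): string {
    $uuid = wp_generate_uuid4();
    set_transient('esquina_yt_s_' . $uuid,
        ['api_key' => $api_key, 'channel' => $channel_id, 'mode' => $mode], HOUR_IN_SECONDS);
    set_transient('esquina_yt_seen_' . $uuid, [], HOUR_IN_SECONDS);
    return $uuid; // embed this and wp_create_nonce('esquina_yt_feed') in the JS config, never the key
}

add_action('wp_ajax_esquina_yt_more', 'esquina_demo_load_more');
add_action('wp_ajax_nopriv_esquina_yt_more', 'esquina_demo_load_more');

function esquina_demo_load_more(): void {
    check_ajax_referer('esquina_yt_feed', 'nonce'); // missing/invalid nonce: request dies with 403
    $uuid = isset($_POST['session']) ? sanitize_text_field(wp_unslash($_POST['session'])) : '';
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $uuid)) {
        wp_send_json_error(['message' => 'invalid session'], 400); // no transient key from raw input
    }
    $session = get_transient('esquina_yt_s_' . $uuid);
    if ($session === false) {
        wp_send_json_error(['message' => 'session expired'], 410); // transient past its 1-hour TTL
    }
    $seen = get_transient('esquina_yt_seen_' . $uuid) ?: [];
    $url  = add_query_arg([
        'part' => 'snippet', 'channelId' => $session['channel'], 'type' => 'video',
        'maxResults' => 10, 'key' => $session['api_key'],
    ], 'https://www.googleapis.com/youtube/v3/search');
    $res = wp_remote_get($url, ['timeout' => 10]);
    if (is_wp_error($res) || 200 !== (int) wp_remote_retrieve_response_code($res)) {
        wp_send_json_error(['message' => 'upstream error'], 502); // never echo $url or the body: both may carry the key
    }
    $items = json_decode(wp_remote_retrieve_body($res), true)['items'] ?? [];
    $fresh = [];
    foreach ($items as $item) {
        $id = $item['id']['videoId'] ?? '';
        if ($id === '' || isset($seen[$id])) {
            continue; // already delivered to this visitor
        }
        $seen[$id] = true;
        $fresh[]   = ['id' => $id, 'title' => $item['snippet']['title'] ?? ''];
    }
    set_transient('esquina_yt_seen_' . $uuid, $seen, HOUR_IN_SECONDS);
    wp_send_json_success(['videos' => $fresh]); // only public video data leaves the server
}
```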
API key restrictions and token scopes
In addition to the plugin’s own protections, apply the following restrictions at the provider level:

- Google Cloud Console — restrict your API key to the YouTube Data API v3 only, and add an HTTP referrer restriction for your site’s domain. This ensures the key cannot be used from other domains even if it is somehow discovered.
- Facebook — use a Page Access Token with only the `pages_read_engagement` permission. Do not request broader permissions than necessary. For long-term use, consider a non-expiring System User token generated through Meta Business Suite.
- Shortcode parameters — set conservative `limit` and `max` values. Fetching more data than you display wastes quota and increases server response time.
Related pages

- YouTube API Setup: step-by-step guide to obtaining and restricting a YouTube Data API v3 key.
- Facebook API Setup: step-by-step guide to generating a long-lived Facebook Page Access Token.
- AJAX Loading: how the plugin’s AJAX loading works and what data is sent to the browser.
- Admin Panel: where to enter credentials in the WordPress admin dashboard.