From 50db88fcd140ee2d16107a38df0e1cb75ca12a8c Mon Sep 17 00:00:00 2001 From: Diede Exterkate <5352634+diedexx@users.noreply.github.com> Date: Tue, 28 Apr 2026 14:17:18 +0200 Subject: [PATCH 1/4] docs: document MyYoast OAuth client CLI and configuration filters Adds developer-portal coverage for the MyYoast OAuth client introduced in Yoast/wordpress-seo#23130: - features/wp-cli/auth: reference for the `wp yoast auth` namespace (status, register, verify, deregister, authorize, revoke, rotate-keys), gated behind YOAST_SEO_MYYOAST_CONNECTION. - customization/yoast-seo/filters/myyoast-oauth-filters: covers the three issuer-config filters (issuer URL, software statement, initial access token), framed as overrides for non-production issuers. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../filters/myyoast-oauth-filters.md | 89 ++++++++++++++ docs/features/wp-cli/auth.md | 109 ++++++++++++++++++ sidebars.js | 2 + 3 files changed, 200 insertions(+) create mode 100644 docs/customization/yoast-seo/filters/myyoast-oauth-filters.md create mode 100644 docs/features/wp-cli/auth.md diff --git a/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md b/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md new file mode 100644 index 00000000..9c73d702 --- /dev/null +++ b/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md 
@@ -0,0 +1,89 @@ +--- +id: myyoast-oauth-filters +title: "Yoast SEO: MyYoast OAuth client configuration filters" +sidebar_label: MyYoast OAuth client filters +--- + +The MyYoast OAuth client uses three filters to determine which authorization server to talk to and which credentials to present during [Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591). The defaults shipped with the plugin point at production MyYoast and are correct for live sites — these filters exist so that development and staging sites can override them. + +:::caution Requires the MyYoast connection feature flag +The MyYoast OAuth client is only loaded when `YOAST_SEO_MYYOAST_CONNECTION` is defined as `true` in `wp-config.php`. With the flag off, these filters have no effect because the OAuth client never runs. + +The software statement and initial access token are normally signed by a MyYoast administrator. Override these filters only when pointing the client at a non-production issuer. +::: + +## `Yoast\WP\SEO\myyoast_issuer_url` + +The base URL of the MyYoast issuer. The Yoast SEO plugin ships with the production URL as the default; override it to point at a development or staging issuer. Trailing slashes in the returned value are stripped automatically. + +```php +` flag. Subcommands that produce structured output accept `--format=table|json` (default: `table`). + +## status + +Shows the current MyYoast OAuth client status: issuer configuration, registration state, and token status. No network calls are made. + +```shell script +wp yoast auth status +wp yoast auth status --user=admin +wp yoast auth status --format=json +``` + +## register + +Registers the site as an OAuth client using [Dynamic Client Registration (RFC 7591)](https://www.rfc-editor.org/rfc/rfc7591). Pass `--force` to deregister an existing client first and register again. 
+ +```shell script +wp yoast auth register +wp yoast auth register --force +``` + +## verify + +Re-reads the current client registration from the authorization server to confirm it is still valid, and prints the registration metadata. The `registration_access_token` is redacted from the output. + +```shell script +wp yoast auth verify +wp yoast auth verify --format=json +``` + +## deregister + +Deletes the client registration from the authorization server and clears all local registration data and cached tokens. Use `--local-only` to skip the server roundtrip and remove only the local data. Use `--yes` to skip the confirmation prompt. + +```shell script +wp yoast auth deregister +wp yoast auth deregister --local-only +wp yoast auth deregister --yes +``` + +## authorize + +Authorizes the site or a specific user with MyYoast. + +With `--site`, performs a `client_credentials` grant for a site-level token (no browser involved): + +```shell script +wp yoast auth authorize --site --scopes=service:analytics +``` + +Without `--site`, runs the user [authorization code flow with PKCE](https://www.rfc-editor.org/rfc/rfc7636) in two phases. First, generate the authorization URL: + +```shell script +wp yoast auth authorize --user=admin --scopes=openid,profile +``` + +Visit the printed URL in a browser, complete authorization, and copy the `code` and `state` query parameters from the callback URL. Then exchange them for tokens: + +```shell script +wp yoast auth authorize --user=admin --code= --state= +``` + +Pass `--url-only` during phase 1 to print just the URL without the surrounding instructions, which is useful for scripting. + +## revoke + +Revokes tokens for the current user, the site, or both. Combine with `--user=` to target a specific user. Use `--yes` to skip the confirmation prompt. 
+ +```shell script +wp yoast auth revoke --user=admin +wp yoast auth revoke --site +wp yoast auth revoke --user=admin --site --yes +``` + +## rotate-keys + +Rotates cryptographic key pairs. The registration key pair (used for `private_key_jwt` client authentication) requires a server roundtrip; the [DPoP](https://www.rfc-editor.org/rfc/rfc9449) proof key pair is rotated locally. Use `--all` to rotate both. Use `--yes` to skip the confirmation prompt. + +```shell script +wp yoast auth rotate-keys --registration +wp yoast auth rotate-keys --dpop +wp yoast auth rotate-keys --all +``` + +:::caution +Rotating keys may invalidate existing tokens. Plan rotations alongside a re-authorization where appropriate. +::: diff --git a/sidebars.js b/sidebars.js index f912cee0..1162ee4a 100644 --- a/sidebars.js +++ b/sidebars.js @@ -297,6 +297,7 @@ module.exports = { label: "WP CLI", items: [ "features/wp-cli/reindex-indexables", + "features/wp-cli/auth", ], }, { @@ -361,6 +362,7 @@ module.exports = { "customization/yoast-seo/filtering-yoast-blocks", "customization/yoast-seo/wp-get-environment-type-in-yoast-seo", "customization/yoast-seo/filters/disable-opcache-reset-on-upgrade", + "customization/yoast-seo/filters/myyoast-oauth-filters", ], }, { From f4bd97537aa5c7b3948f18292605da35b2976dbf Mon Sep 17 00:00:00 2001 From: Diede Exterkate <5352634+diedexx@users.noreply.github.com> Date: Tue, 28 Apr 2026 14:41:33 +0200 Subject: [PATCH 2/4] docs: rename MyYoast OAuth filters to wpseo_myyoast_* prefix Upstream Yoast/wordpress-seo#23130 renamed the three issuer-config filters from `Yoast\WP\SEO\myyoast_*` to `wpseo_myyoast_*`. Update the documentation page and code samples to match. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../yoast-seo/filters/myyoast-oauth-filters.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md b/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md index 9c73d702..21255979 100644 --- a/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md +++ b/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md @@ -12,7 +12,7 @@ The MyYoast OAuth client is only loaded when `YOAST_SEO_MYYOAST_CONNECTION` is d The software statement and initial access token are normally signed by a MyYoast administrator. Override these filters only when pointing the client at a non-production issuer. ::: -## `Yoast\WP\SEO\myyoast_issuer_url` +## `wpseo_myyoast_issuer_url` The base URL of the MyYoast issuer. The Yoast SEO plugin ships with the production URL as the default; override it to point at a development or staging issuer. Trailing slashes in the returned value are stripped automatically. @@ -20,14 +20,14 @@ The base URL of the MyYoast issuer. The Yoast SEO plugin ships with the producti Date: Wed, 29 Apr 2026 14:17:25 +0200 Subject: [PATCH 3/4] docs: remove MyYoast OAuth client configuration filters page The three filters (wpseo_myyoast_issuer_url, wpseo_myyoast_software_statement, wpseo_myyoast_initial_access_token) are an internal escape hatch for pointing the client at non-production issuers and require credentials only Yoast can issue. Not appropriate for the public developer portal. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../filters/myyoast-oauth-filters.md | 89 ------------------- sidebars.js | 1 - 2 files changed, 90 deletions(-) delete mode 100644 docs/customization/yoast-seo/filters/myyoast-oauth-filters.md diff --git a/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md b/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md deleted file mode 100644 index 21255979..00000000 --- a/docs/customization/yoast-seo/filters/myyoast-oauth-filters.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -id: myyoast-oauth-filters -title: "Yoast SEO: MyYoast OAuth client configuration filters" -sidebar_label: MyYoast OAuth client filters ---- - -The MyYoast OAuth client uses three filters to determine which authorization server to talk to and which credentials to present during [Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591). The defaults shipped with the plugin point at production MyYoast and are correct for live sites — these filters exist so that development and staging sites can override them. - -:::caution Requires the MyYoast connection feature flag -The MyYoast OAuth client is only loaded when `YOAST_SEO_MYYOAST_CONNECTION` is defined as `true` in `wp-config.php`. With the flag off, these filters have no effect because the OAuth client never runs. - -The software statement and initial access token are normally signed by a MyYoast administrator. Override these filters only when pointing the client at a non-production issuer. -::: - -## `wpseo_myyoast_issuer_url` - -The base URL of the MyYoast issuer. The Yoast SEO plugin ships with the production URL as the default; override it to point at a development or staging issuer. Trailing slashes in the returned value are stripped automatically. - -```php - Date: Mon, 11 May 2026 13:11:35 +0200 Subject: [PATCH 4/4] Update auth.md --- docs/features/wp-cli/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/features/wp-cli/auth.md b/docs/features/wp-cli/auth.md index ad215723..b71aebc1 100644 --- a/docs/features/wp-cli/auth.md +++ b/docs/features/wp-cli/auth.md 
@@ -4,7 +4,7 @@ title: "Yoast SEO WP CLI: MyYoast authentication command" sidebar_label: MyYoast authentication --- -Yoast SEO 27.6 introduces `wp yoast auth`, a WP CLI command namespace for managing the site's MyYoast OAuth client. It covers Dynamic Client Registration, the user authorization code flow, the site-level client credentials grant, token revocation, and cryptographic key rotation. +Yoast SEO 27.7 introduces `wp yoast auth`, a WP CLI command namespace for managing the site's MyYoast OAuth client. It covers Dynamic Client Registration, the user authorization code flow, the site-level client credentials grant, token revocation, and cryptographic key rotation. :::caution Requires the MyYoast connection feature flag The `wp yoast auth` command is only registered when the MyYoast connection module is enabled. To enable it, add the following to your `wp-config.php`:
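Review bot: In docs/features/wp-cli/auth.md (patch 1/4), the `deregister` section presents `--local-only` as a way to "skip the server roundtrip and remove only the local data" without saying that the client registration then stays live on the authorization server while the local registration data used to manage it is cleared. Suggest a `:::caution` there, in the style already used under `rotate-keys`, telling readers to prefer plain `wp yoast auth deregister` whenever the server is reachable and to keep `--local-only` for cases where it is not. The `rotate-keys` caution would also be more useful if it said which of `--registration` and `--dpop` invalidates which tokens, instead of "may invalidate existing tokens".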
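Review bot: Patches 1/4 to 3/4 add docs/customization/yoast-seo/filters/myyoast-oauth-filters.md, rename its filters, and then delete the file, so the series keeps in its history the page that the 3/4 message describes as "Not appropriate for the public developer portal". Suggest squashing these so the series only adds docs/features/wp-cli/auth.md and the `"features/wp-cli/auth"` entry in sidebars.js, then checking that auth.md holds no link to the removed `customization/yoast-seo/filters/myyoast-oauth-filters` id.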
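Review bot: In patch 4/4 the intro line of docs/features/wp-cli/auth.md changes "Yoast SEO 27.6" to "Yoast SEO 27.7" under the subject "Update auth.md" with no body, so the history does not record why the release number moved. Suggest a subject that names the change and follows the `docs:` prefix used by 1/4 to 3/4, or folding this one-line fix into 1/4.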