REST API
Resolve a URI to a post, SEO, and site block in one call
GET|POST /gallop/v1/post takes a uri and resolves it straight to a post, returning post, seo, and site payloads in a single response. POST /gallop/v1/category does the same for taxonomy archives. Your front-end code stays simple: one fetch, one response, ready to render. No chaining /wp/v2/posts, /wp/v2/media, and taxonomy calls per page.
With Yoast SEO active, the seo block is populated from Yoast’s indexables: canonical, meta description, OpenGraph, robots flags, reading time. Without Yoast, seo is returned as an empty object so clients can branch safely.

Auth
Cookie-based login for a Next.js front end
POST /gallop/v1/auth/login calls WordPress’s built-in wp_signon() and sets the standard auth cookies, so a Next.js front end on the same registered domain can make authenticated requests with credentials included. GET /gallop/v1/auth/session reports whether a visitor is logged in, and POST /gallop/v1/auth/logout ends the session. No JWT layer. Cookie auth is intentional.
Brute-force protection is built in: five failed attempts per username + client IP within fifteen minutes return HTTP 429 until the window expires, and successful logins clear the counter. Action hooks (gallop_auth_login_success, gallop_auth_login_failed, gallop_auth_logout) let you wire in logging or notifications.

Admin
Settings and custom post types, configured from WordPress
Point Gallop at your Next.js production URL and it 301-redirects public WordPress front-end requests to the matching path on your headless host. Admin, REST API, and previews are left untouched. The same screen exposes the Trust proxy IP headers toggle for sites behind Cloudflare or a load balancer.
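To make the lockout rule from the Auth section and the effect of the Trust proxy IP headers toggle concrete, here is a small JavaScript model of the policy. It is an added example, not Gallop's own PHP code. The header names, the 401 status for a bad password, the window starting at the first failure, and all function and class names are assumptions.

```javascript
// Added model of the lockout policy described above; not Gallop's PHP code.
const MAX_FAILURES = 5;            // from the page
const WINDOW_MS = 15 * 60 * 1000;  // from the page

// Assumption: with the toggle on, the client IP comes from a proxy header.
// The page does not say which headers Gallop reads; these two are common.
function clientIp(req, trustProxy) {
  if (trustProxy) {
    const cf = req.headers['cf-connecting-ip'];
    if (cf) return cf.trim();
    const xff = req.headers['x-forwarded-for'];
    if (xff) return xff.split(',')[0].trim();
  }
  return req.remoteAddr; // address of the direct TCP peer
}

class LoginLimiter {
  constructor() { this.failures = new Map(); } // key -> { count, first }
  key(username, ip) { return `${username}|${ip}`; }
  // Drops an expired window; returns true while the key is locked out.
  isLocked(username, ip, now) {
    const k = this.key(username, ip);
    const e = this.failures.get(k);
    if (!e) return false;
    if (now - e.first >= WINDOW_MS) { this.failures.delete(k); return false; }
    return e.count >= MAX_FAILURES;
  }
  recordFailure(username, ip, now) {
    const k = this.key(username, ip);
    const e = this.failures.get(k);
    if (e) e.count += 1;
    else this.failures.set(k, { count: 1, first: now });
  }
  recordSuccess(username, ip) { this.failures.delete(this.key(username, ip)); }
}

// One login request. 401 for a bad password is an assumed status code.
function attempt(limiter, req, trustProxy, username, passwordOk, now) {
  const ip = clientIp(req, trustProxy);
  if (limiter.isLocked(username, ip, now)) return 429;
  if (!passwordOk) { limiter.recordFailure(username, ip, now); return 401; }
  limiter.recordSuccess(username, ip);
  return 200;
}
```

Behind a proxy with the toggle off, every visitor shares the proxy's address, so the username + IP key collapses to the username alone and one visitor's failures lock the account for everyone until the window expires.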
Register REST-enabled custom post types from the Post Types tab and they’re immediately available through the Gallop namespace. No register_post_type() boilerplate, no developer round trip. Core post types are left alone, and content you create survives a deactivate/uninstall.