=== DecaRoy Site Helper ===
Contributors: decaraoy
Tags: rest-api, meta tag, google site verification, automation
Requires at least: 5.5
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Tiny REST API endpoint to manage custom &lt;head&gt; meta tags (e.g. Google Site Verification) programmatically.

== Description ==

DecaRoy Site Helper is a minimal plugin that adds a single REST API
endpoint to read, write, and delete a Google Site Verification meta tag
that is then injected into the document &lt;head&gt; on every page.

The plugin is intended for sites managed programmatically by automation
tools that need to verify domain ownership in Google Search Console
without giving the automation tool FTP or filesystem access.

= Features =

* Single REST endpoint at `/wp-json/decaroy/v1/head-meta`
* GET — read current configuration
* POST — set the Google Site Verification token (validated against
  Google's expected format)
* DELETE — remove the configured token
* Token is rendered as `&lt;meta name="google-site-verification" ...&gt;`
  in the &lt;head&gt; via `wp_head` action
* No tracking, no phone-home, no remote calls
* No database tables, no cron jobs

= How it works =

When a token is set via POST, it is stored in a single WordPress option
(`decaroy_gsc_verification_token`). On every page render, the plugin
hooks into `wp_head` and emits a meta tag with the token. Google can
then read that meta tag during the verification step, after which the
domain becomes available to the verifying account in Search Console.

Authentication uses standard WordPress capabilities: the requesting
user must have `manage_options` (typically administrators). Pair with
WordPress Application Passwords for headless authentication.

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/` or install
   directly through the WordPress plugins screen.
2. Activate the plugin through the **Plugins** screen in WordPress.
3. Use the REST endpoint to set a token:

   `POST /wp-json/decaroy/v1/head-meta`
   `Content-Type: application/json`
   `Body: {"gsc_verification_token": "abcd...your-token..."}`

== Frequently Asked Questions ==

= Does this plugin track my visitors? =

No. The plugin makes no remote calls and stores no data beyond the
single Google Site Verification token in WordPress options.

= Is the meta tag visible to anyone? =

Yes. By design, Google Site Verification meta tags are visible in the
HTML source — that is how Google verifies them. The token itself is
not sensitive: knowing it does not grant any access.

= What capability does the REST endpoint require? =

`manage_options`. Only administrators can read or write the token.

= Can I use this with other meta tags besides Google Site Verification? =

Currently the plugin handles only the `google-site-verification` meta
tag. Future versions may add support for additional meta tags.

== Changelog ==

= 1.0.2 =
* Corrected Contributors username in readme to match the actual
  WordPress.org account that owns this plugin. No code changes.

= 1.0.1 =
* Removed Plugin URI (the plugin does not have a dedicated landing page).
  Author URI points to the author's site.

= 1.0.0 =
* Initial release.
* REST endpoint to manage Google Site Verification meta tag.
* `wp_head` injection of the configured tag.

== Upgrade Notice ==

= 1.0.2 =
Documentation fix (Contributors username). No code changes.

= 1.0.1 =
Removed unused Plugin URI. No code changes.

= 1.0.0 =
First public release.
