- Create a password protected package containing one or more files.
- Navigate to the download page of the package (e.g. `/download/package1`)
- Inspect the "Download" button beside one of the packaged files. The HTML should look like this:

      class="inddl btn btn-primary btn-sm"
      <i class="fa fa-download"></i>

- Note the `wpdmdl` and `ind` URL parameters for later.
- Send a POST request to `/wp-json/wpdm/validate-filepass`:

    fetch("/wp-json/wpdm/validate-filepass", {
      "headers": {
        "accept": "*/*",
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
      "body": "",
      "method": "POST",
      "credentials": "include"
    }).then(response => response.text()).then(text => console.log(text));

- The response will look like the following:


- Construct a download URL as follows, using the above `_wpdmkey` parameter, as well as the `wpdmdl` and `ind` parameters from above:

- See that the file may be download from that URL, without any knowledge of its password.