• Resolved Howdy_McGee

    (@howdy_mcgee)


    Is there a way to add a custom capability to the Settings API save button? All the documentation I’ve run across states that it’s pretty strict and should be manage_options, but I think that’s silly. I have a custom role to which I want to give access to specific plugin settings pages without giving it access to the general WordPress settings.

    What is the point of having a capability parameter to show the page if you can’t save the options with manage_options capability only? Seems like I’m missing something…

    If not, how do other plugins handle it? Should I just create an admin page and my own settings page minus Settings API?

    • This topic was modified 9 years, 2 months ago by Howdy_McGee.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    The settings API itself does not enforce any particular capability; the requirement is inherited from the screen that is displaying the settings. As it happens, all of the default settings screens require manage_options. For your settings to be managed automatically, they have to go through options.php and be saved in the options table. Since options.php requires manage_options, so does the API by inheritance.

    If you created a plugin settings screen that required “my_cool_plugin” custom capability, then adding settings through the API will also require that capability, not manage_options. Whether you use the API or not on your own settings screen, the capability is initially managed when you add your screen to the admin menu. The capability must be checked again when the settings are submitted for saving.

    With your own screen, not handled through options.php, you would lose all the handy automatic handling of your registered settings, so there is little reason to use the API, though it’s possible as long as you manage what is normally done for you automatically.

    The short answer is make your own settings screen and forget about the API. Be sure you still go through the proper security steps. Validate and sanitize all input, verify the nonce you should have initially assigned to a hidden field, and confirm the user has proper capability that matches that used when adding the screen to the admin menu.
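
The steps listed in the reply above (own settings screen, nonce in a hidden field, capability re-checked on save, input sanitized), as an added example that is not part of the original thread or of any plugin's own code. The capability name "my_cool_plugin" comes from the reply; the menu slug, option name, action name and nonce field name are hypothetical, and the role is assumed to have been granted the capability already.

```php
<?php
// Added example. 'my_cool_plugin' is the capability named in the reply; the
// slug, option, action and nonce names below are hypothetical.
const MCP_CAP    = 'my_cool_plugin';
const MCP_ACTION = 'mcp_save_settings';

add_action( 'admin_menu', function () {
	// The capability passed here only gates who can see the screen.
	add_menu_page( 'My Cool Plugin', 'My Cool Plugin', MCP_CAP, 'mcp-settings', 'mcp_render_page' );
} );

function mcp_render_page() {
	if ( ! current_user_can( MCP_CAP ) ) {
		wp_die( esc_html__( 'You are not allowed to manage these settings.' ), 403 );
	}
	?>
	<div class="wrap">
		<h1>My Cool Plugin</h1>
		<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
			<input type="hidden" name="action" value="<?php echo esc_attr( MCP_ACTION ); ?>">
			<?php wp_nonce_field( MCP_ACTION, 'mcp_nonce' ); // hidden nonce field ?>
			<input type="text" name="mcp_label" value="<?php echo esc_attr( get_option( 'mcp_label', '' ) ); ?>">
			<?php submit_button(); ?>
		</form>
	</div>
	<?php
}

// admin-post.php fires admin_post_{action} for any logged-in user and checks
// no capability itself, so the save handler has to.
add_action( 'admin_post_' . MCP_ACTION, function () {
	// 1. Same capability as the menu entry, checked again at save time.
	if ( ! current_user_can( MCP_CAP ) ) {
		wp_die( esc_html__( 'You are not allowed to manage these settings.' ), 403 );
	}
	// 2. Nonce from the hidden field; check_admin_referer() dies on failure.
	check_admin_referer( MCP_ACTION, 'mcp_nonce' );
	// 3. Validate and sanitize before storing.
	$label = isset( $_POST['mcp_label'] ) ? sanitize_text_field( wp_unslash( $_POST['mcp_label'] ) ) : '';
	if ( strlen( $label ) > 100 ) {
		wp_die( esc_html__( 'Label is too long.' ), 400 );
	}
	update_option( 'mcp_label', $label );
	wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=mcp-settings' ) ) );
	exit;
} );
```

Keeping the capability in one constant means the menu entry, the render callback and the save handler cannot drift apart.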

    Thread Starter Howdy_McGee

    (@howdy_mcgee)

    That is what I was expecting the answer to be but hoping it wasn’t. Thank you for the explanation.

The topic ‘Settings API – Custom Capability’ is closed to new replies.