Add new doc for Application Passwords #464
| ### Using an Application Password {#using-an-application-password} | ||
|
|
||
| Application Passwords are typically used via HTTP Basic Authentication: | ||
|
|
||
| * **Username**: the WordPress username (login). | ||
| * **Password**: the generated Application Password. | ||
|
|
||
| Because Basic Auth credentials can be intercepted on the network if unencrypted, you should use HTTPS. See: [HTTPS](https://developer.wordpress.org/advanced-administration/security/https/). | ||
|
|
||
| Example (REST API request with `curl`): | ||
|
|
||
| ``` | ||
| curl --user "USERNAME:APPLICATION_PASSWORD" https://example.com/wp-json/wp/v2/users/me | ||
| ``` |
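Review bot: The `curl` example at the end of this section passes `USERNAME:APPLICATION_PASSWORD` as a command-line argument, so the credential ends up in shell history and is visible to other local users through the process list. Suggest adding a sentence that points readers to `curl --user "USERNAME"` (curl then prompts for the password) or to a netrc file. The HTTPS sentence above the example would also be stronger if it said that Basic Auth only base64-encodes the credentials, so they are readable by anyone who captures the request. Finally, the section does not say which component checks the credentials; a reader who knows Basic Auth as a web-server feature will ask that, and one line stating where validation happens would answer it.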
I'm not sure this section is accurate. I'm trying to think of how a WP user application password would interact with or be used by HTTP Basic Auth (which generally operates outside of WordPress at the server level).
I thought this at first, but ended up digging into it. Unless the web server has a specific rule, it passes to WP which validates it in wp_validate_application_password(), which is hooked to the determine_current_user filter. https://github.com/WordPress/wordpress-develop/blob/44f1517e8f6dd72710a143420c3a0c2bae1a3766/src/wp-includes/user.php#L536
I've updated the docs to add a little more info, but did not mention how WP does this. Let me know if you think it needs more clarification.
@jazzsequence thanks for the review! I've updated the PR based on your feedback. Let me know what you think.
jazzsequence
left a comment
lgtm
This is a first pass at documenting Application Passwords. Is this along the lines of what is being proposed?
Note that an LLM was used to help generate this document, specifically GPT 5.2.
Closes #368.