WP REST API and Postman - Using Application Passwords in WordPress

COMMENTS • 26

  • @Lukasz-online 11 months ago +1

    Great intro Brian! - You should def write/do more videos on this topic because I also noticed very little content on app passwords. - we need more use cases!

    • @BrianCoords 11 months ago +1

      Thanks! Will do! I'm hoping to do a follow up on getting an application password from a site programmatically. I'm thinking the use case will be something like - can I give you a link that lets me authenticate with your site so I can programmatically create post drafts for you.

  • @Haana_HD 9 months ago +1

    you are the bestttt . thank you!!!!!!!

  • @AshishBanerjee 9 months ago

    How can we use this for checking theme license? Suppose I created a theme to sell, user bought from WooCommerce website and then installs the theme in their website. Can we send them application password as theme license, if yes then how can we check if the license is valid if someone else copies the license and tries to install the theme?

    • @BrianCoords 9 months ago

      If I understand the question, I probably wouldn't do this. An application password is specifically for granting an application access to your WordPress site _as a specific admin user_. Storing application passwords for other sites in a central server is a huge security risk too - if you were hacked all of those application passwords would grant the attacker access to all of those other sites and you'd have some unhappy customers. There are plenty of good tools out there for license keys.

    • @AshishBanerjee 9 months ago

      @BrianCoords that absolutely makes sense. Thank you. Would it be possible to create a tutorial for implementing license key functionality in a FSE theme? Maybe include two variants (single install license and multi/unlimited install license). I have been searching for days and couldn't find one good tutorial on this which explains the steps in a simple way.

    • @BrianCoords 9 months ago

      @AshishBanerjee So that I understand correctly - you want to sell a block theme and have the theme require a license key?

  • @tingtongraas 1 month ago

    Thanks for this. It did help. After setting up an application password and adding the auth credentials to Postman I was still getting a rest_forbidden response. The site I am working on has Wordfence installed and it turns out that Wordfence disables application passwords by default. After changing the Wordfence setting it worked fine.

  • @onelook1870 11 months ago

    Just wanted to know if the slug of custom part your can be removed or not

    • @BrianCoords 11 months ago

      Hey can you clarify your question a little bit? I'm sure if I follow

    • @onelook1870 11 months ago

      @BrianCoords e.g. localhost/author/1 ---> localhost/1. The custom post your author has a slug author can the slug author be removed from the CPT?

    • @BrianCoords 11 months ago

      @onelook1870 Ah so /author/ is a core WordPress permalink for authors and not technically a CPT. You can change the slug. You can also remove, but sometimes removing it will cause issues, so you have to be careful.

    • @onelook1870 11 months ago

      @BrianCoords what will happen in the case of custom post type for example there are movies which was created using pages but now I want to shift it and make a custom post type of movie? In this case can I remove the slug of movie cpt?

  • @dandin1984 9 months ago +1

    Thanks for the video! I was wondering, can you show maybe how to block the public api totally and then reach it via api key? So basically I am looking for a way to implement it as Machine-to-machine technique, reaching the api only from my server (node.js)...

    • @BrianCoords 9 months ago

      So I believe you can require permissions for ALL endpoints if you want. And then you'd just use the application key method to authenticate every request:
      developer.wordpress.org/rest-api/frequently-asked-questions/#require-authentication-for-all-requests

  • @nickywan123 9 months ago

    If I am building custom rest api endpoints for 3rd party service to call it, would you recommend application password for authentication? I believe we have other forms of auth like cookie based auth, OAuth, etc. What about using API key?
    I cannot find any documentation on how to generate api key for auth purpose, can you make a video about it?

    • @BrianCoords 9 months ago

      I'd need to know more about the situation, but this is probably the best approach to authenticating with the WP REST API, though I know there's a plugin out there for JWT which I assume would be good too: developer.wordpress.org/rest-api/using-the-rest-api/authentication/
      But basically this is the way to generate an API key - it just is tied to a specific user's account. As long as the user is an admin, you could be fine.
      There is a way to programmatically grab the application password under the hood, which might be something worth looking into: make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/

  • @Drivingralle 9 months ago

    Would love to see a detailed video about the access sharing you showed at the end

    • @BrianCoords 9 months ago +1

      Definitely - it's on my list!

  • @JasonHenkel-nc5eg 9 months ago

    Hi Brian, thanks so much for the tutorial! I followed it step by step, but I am still receiving an error for INVALID_PASSWORD. I have tried an application password, as well as my regular password. I even created a new user, and reset the passwords for both users. I've tried from a custom code configuration as well as in Postman. Do you have any idea why I am still encountering this error? Thanks!

    • @BrianCoords 9 months ago

      Hmm I'd probably need to know more about your specific project setup to help solve this issue. I would make sure there's no additional security plugins or authentication on your site. Then I'd install Query Monitor and check the response headers for more information. Finally you can test using the _envelope parameter to see if you get more details in your response: developer.wordpress.org/rest-api/using-the-rest-api/global-parameters/#_envelope
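
Added example, not part of the original comments or the video: a Node.js helper for the server-to-server setup asked about above, which builds an application-password request with the `_envelope` parameter and turns the enveloped response into a next troubleshooting step. The site URL, user name, password and sample responses are constructed, and the function names are hypothetical.

```javascript
// Added example: every value below is constructed for illustration.

// Build an authenticated, enveloped WP REST API request (nothing is sent here).
function buildRequest(siteUrl, user, appPassword, route) {
  const base = new URL(siteUrl);
  const isLocal = ['localhost', '127.0.0.1'].includes(base.hostname);
  if (base.protocol !== 'https:' && !isLocal) {
    // Basic auth is only base64-encoded, so it must not cross plain HTTP.
    throw new Error('refusing to send an application password over plain HTTP');
  }
  const root = base.href.endsWith('/') ? base.href : base.href + '/';
  const url = new URL('wp-json' + route, root);
  url.searchParams.set('_envelope', '1'); // status and headers come back in the body
  // WordPress shows the password in space-separated chunks and accepts it
  // with or without the spaces.
  const secret = appPassword.replace(/\s+/g, '');
  const token = Buffer.from(`${user}:${secret}`, 'utf8').toString('base64');
  return { url: url.toString(), headers: { Authorization: `Basic ${token}` } };
}

// Turn an enveloped response ({ status, headers, body }) into a next step.
function explainEnvelope(envelope) {
  const { status, body } = envelope;
  if (status >= 200 && status < 300) return 'ok';
  const code = (body && body.code) || 'unknown';
  if (code === 'rest_forbidden') {
    return `${code}: check the user's role and whether a security plugin disables application passwords`;
  }
  if (status === 401) {
    return `${code}: credentials rejected; re-check the user name and password value`;
  }
  return `${code}: unexpected status ${status}`;
}

// Constructed sample envelopes.
const SAMPLE_OK = { status: 200, headers: {}, body: [] };
const SAMPLE_FORBIDDEN = {
  status: 401,
  headers: {},
  body: { code: 'rest_forbidden', message: 'Sorry, you are not allowed to do that.', data: { status: 401 } },
};

const req = buildRequest('https://example.test', 'api-bot', 'abcd EFGH 1234 ijkl 5678 MNOP', '/wp/v2/users/me');
console.log(req.url, explainEnvelope(SAMPLE_FORBIDDEN));
```

With `_envelope` set, the real status is the `status` field inside the JSON body, so check that field rather than the HTTP status line.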

  • @TheCasualGamerYT 18 days ago

    Still getting 401... But a third party using one of my application passwords works... Must be some form of plugin issue I imagine?

    • @BrianCoords 16 days ago

      Yeah I would strip it all down and first test with Postman - if that's not working either some value is entered incorrectly OR maybe you have some sort of security plugin that is interfering with the API endpoints.

  • @bellasvideo5620 8 months ago

    not working at all