WP REST API and Postman - Using Application Passwords in WordPress

Definitely - it's on my list!

Thanks! Will do! I'm hoping to do a follow up on getting an application password from a site programmatically. I'm thinking the use case will be something like - can I give you a link that let's me authenticate with your site so I can programmatically create post drafts for you.

So I believe you can require permissions for ALL endpoints if you want. And then you'd just use the application key method to authenticate every request:
developer.wordpress.org/rest-api/frequently-asked-questions/#require-authentication-for-all-requests

Hmm I'd probably need to know more about your specific project setup to help solve this issue. I would make sure there's no additional security plugins or authentication on your site. Then I'd install Query Monitor and check the response headers for more information. Finally you can test using the _envelope parameter to see if you get more details in your response developer.wordpress.org/rest-api/using-the-rest-api/global-parameters/#_envelope

I'd need to know more about the situation, but this is probably the best approach to authenticating with the WP REST API, though I know there's a plugin out there for JWT which I assume would be good too developer.wordpress.org/rest-api/using-the-rest-api/authentication/
But basically this is the way to generate an API key - it just is tied to a specific user's account. As long as the user is an admin, you could be fine.
There is a way to programmatically grab the application password under the hood, which might be something worth looking into: make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/

If I understand the question, I probably wouldn't do this. An application password is specifically for granting an application access to your WordPress site _as a specific admin user_. Storing application passwords for other sites in a central server is a huge security risk too - if you were hacked all of those application passwords would grant the attacker access to all of those other sites and you'd have some unhappy customers. There are plenty of good tools out there for license keys.

@@BrianCoords that absolutely makes sense. thank you. would it be possible to create a tutorial for implementing license key functionality in a FSE theme? maybe include two variants (single Install license and multi/unlimited install license). I am searching for days and couldn't find one good tutorial on this which explains the steps in simple way.

@@AshishBanerjee So that I understand correctly - you want to sell a block theme and have the theme require a license key?

Hey can you clarify your question a little bit? I'm sure if I follow

@@BrianCoords e.g. localhost/author/1 ---> localhost/1. The custom post your author has a slug author can the slug author be removed from the CPT?

@@onelook1870 Ah so /author/ is a core WordPress permalink for authors and not technically a CPT. You can change the slug. You can also remove, but sometimes removing it will cause issues, so you have to be careful.

@@BrianCoords what will happen in the case of custom post type for example there are movies which was created using pages but now I want to shift it and make a custom post type of movie? In this case can i remove the slug of movie cpt?

Can you elaborate?