Say you want to make authenticated requests to the WordPress APIs using the application passwords. Don't assume you know the URL that sends users down the authorization flow.
Most of the time, the URL to start the authorization flow is the domain followed by
/wp-admin/authorize-application.php. But then there are the cases when it's not.
Don't know what the application password is? It's used instead of your username and password to authenticate you. It's a unique password per application that you can revoke anytime. Once, it was a feature plugin, now merged into core.
One way to obtain an application password is to generate it under your WordPress user profile. Then you provide the password to the application manually, aka copy-paste into an input because it's too long to type it out.
Another way is to let the application redirect you to the proper location and then redirect you back once you do what you had to, aka the authorization flow way.
This article is about the latter.
So what's the best way to determine it?
Check if the
authentication key is available in the REST API response. If it is, you should see something like this:
Keep in mind that while the REST API is by default under
/wp-json/, this is again something that can be changed.
The safest way if you make a request to
This works because the
rest_route query parameter is mapped using the rewrite functionality to the correct REST API path.