627 B
627 B
Authentication (summary)
Cookie authentication (in-dashboard / same-site)
- Standard for wp-admin and theme/plugin JS.
- Requires a REST nonce (
wp_rest) sent asX-WP-Nonceheader or_wpnonceparam. - If the nonce is missing, the request is treated as unauthenticated even if cookies exist.
Application Passwords (external clients)
- Available in WordPress 5.6+.
- Use HTTPS + Basic Auth with the application password.
- Recommended over the legacy Basic Auth plugin.
Auth plugins
- OAuth 1.0a or JWT plugins are common for external apps.
- Use only if required; follow plugin docs and security guidance.