19 lines
627 B
Markdown
19 lines
627 B
Markdown
# Authentication (summary)
|
|
|
|
## Cookie authentication (in-dashboard / same-site)
|
|
|
|
- Standard for wp-admin and theme/plugin JS.
|
|
- Requires a REST nonce (`wp_rest`) sent as `X-WP-Nonce` header or `_wpnonce` param.
|
|
- If the nonce is missing, the request is treated as unauthenticated even if cookies exist.
|
|
|
|
## Application Passwords (external clients)
|
|
|
|
- Available in WordPress 5.6+.
|
|
- Use HTTPS + Basic Auth with the application password.
|
|
- Recommended over the legacy Basic Auth plugin.
|
|
|
|
## Auth plugins
|
|
|
|
- OAuth 1.0a or JWT plugins are common for external apps.
|
|
- Use only if required; follow plugin docs and security guidance.
|