Great intro Brian! - You should def write/do more videos on this topic because I also noticed very little content on app passwords. - we need more use cases!
Thanks! Will do! I'm hoping to do a follow up on getting an application password from a site programmatically. I'm thinking the use case will be something like - can I give you a link that lets me authenticate with your site so I can programmatically create post drafts for you.
you are the bestttt . thank you!!!!!!!
Thanks for the video! I was wondering, can you show maybe how to block the public api totally and then reach it via api key? So basically I am looking for a way to implement it as Machine-to-machine technique, reaching the api only from my server (node.js)...
So I believe you can require permissions for ALL endpoints if you want. And then you'd just use the application key method to authenticate every request:
developer.wordpress.org/rest-api/frequently-asked-questions/#require-authentication-for-all-requests
Would love to see a details video about the access sharing you showed at the end
Definitely - it's on my list!
Hi Brian, thanks so much for the tutorial! I followed it step by step, but I am still receiving an error for INVALID_PASSWORD. I have tried an application password, as well as my regular password. I even created a new user, and reset the passwords for both users. I've tried from a custom code configuration as well as in Postman. Do you have any idea why I am still encountering this error? Thanks!
Hmm I'd probably need to know more about your specific project setup to help solve this issue. I would make sure there's no additional security plugins or authentication on your site. Then I'd install Query Monitor and check the response headers for more information. Finally you can test using the _envelope parameter to see if you get more details in your response developer.wordpress.org/rest-api/using-the-rest-api/global-parameters/#_envelope
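Added example (not from the video or from any commenter): a Node.js version of the two suggestions above, sending an application password as HTTP Basic credentials on every request and using `_envelope` to read the real status and error body. The host, user, password and the sample 401 document are constructed, and it assumes the site is served from the domain root with pretty permalinks.

```javascript
// Added example: host, user, password and SAMPLE_401 are constructed values.

// Build an authenticated request. Application passwords travel as HTTP
// Basic credentials ("user:application-password", base64-encoded).
function buildRequest(siteUrl, route, user, appPassword, { envelope = false } = {}) {
  const url = new URL(`/wp-json${route}`, siteUrl);
  // Base64 is an encoding, not encryption: refuse anything but HTTPS.
  if (url.protocol !== 'https:') {
    throw new Error(`refusing to send credentials over ${url.protocol}`);
  }
  if (envelope) url.searchParams.set('_envelope', '1');
  const token = Buffer.from(`${user}:${appPassword}`, 'utf8').toString('base64');
  return { url: url.toString(), headers: { Authorization: `Basic ${token}` } };
}

// With _envelope the HTTP layer reports 200 and the real status, headers
// and body sit inside the JSON document, so validate and unwrap it first.
function unwrapEnvelope(payload) {
  const ok = payload !== null && typeof payload === 'object' &&
    ['body', 'status', 'headers'].every((key) => key in payload);
  if (!ok) throw new Error('response is not an _envelope document');
  return payload;
}

// Turn an unwrapped response into a one-line diagnosis, or null on success.
function describeFailure({ status, body }) {
  if (status < 400) return null;
  const { code = 'unknown', message = '' } = body || {};
  return `HTTP ${status}: ${code} ${message}`.trim();
}

// Constructed sample of what a site that requires authentication for every
// request could return to an unauthenticated call made with ?_envelope.
const SAMPLE_401 = {
  body: { code: 'rest_not_logged_in', message: 'You are not currently logged in.', data: { status: 401 } },
  status: 401,
  headers: { Allow: 'GET' },
};

// Live call (Node 18+ for global fetch); credentials belong in the environment.
async function callApi(siteUrl, route, user, appPassword) {
  const req = buildRequest(siteUrl, route, user, appPassword, { envelope: true });
  const res = await fetch(req.url, { headers: req.headers });
  return unwrapEnvelope(await res.json());
}
```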
How can we use this for checking theme license? Suppose I created a theme to sell, user bought from WooCommerce website and then installs the theme in their website. Can we send them application password as theme license? If yes, then how can we check if the license is valid if someone else copies the license and tries to install the theme?
If I understand the question, I probably wouldn't do this. An application password is specifically for granting an application access to your WordPress site _as a specific admin user_. Storing application passwords for other sites in a central server is a huge security risk too - if you were hacked all of those application passwords would grant the attacker access to all of those other sites and you'd have some unhappy customers. There are plenty of good tools out there for license keys.
@BrianCoords That absolutely makes sense. Thank you. Would it be possible to create a tutorial for implementing license key functionality in an FSE theme? Maybe include two variants (single-install license and multi/unlimited-install license). I have been searching for days and couldn't find one good tutorial on this which explains the steps in a simple way.
@AshishBanerjee So that I understand correctly - you want to sell a block theme and have the theme require a license key?
If I am building custom REST API endpoints for a 3rd party service to call, would you recommend application password for authentication? I believe we have other forms of auth like cookie based auth, OAuth, etc. What about using an API key?
I cannot find any documentation on how to generate an API key for auth purposes. Can you make a video about it?
I'd need to know more about the situation, but this is probably the best approach to authenticating with the WP REST API, though I know there's a plugin out there for JWT which I assume would be good too developer.wordpress.org/rest-api/using-the-rest-api/authentication/
But basically this is the way to generate an API key - it just is tied to a specific user's account. As long as the user is an admin, you could be fine.
There is a way to programmatically grab the application password under the hood, which might be something worth looking into: make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/
Just wanted to know if the slug of a custom post type can be removed or not
Hey can you clarify your question a little bit? I'm sure if I follow
@BrianCoords e.g. localhost/author/1 ---> localhost/1. The custom post type author has a slug author. Can the slug author be removed from the CPT?
@onelook1870 Ah so /author/ is a core WordPress permalink for authors and not technically a CPT. You can change the slug. You can also remove it, but sometimes removing it will cause issues, so you have to be careful.
@BrianCoords What will happen in the case of a custom post type? For example, there are movies which were created using pages, but now I want to shift them and make a custom post type of movie. In this case can I remove the slug of the movie CPT?
not working at all
Can you elaborate?