Application Passwords

Since WP version 5.6, routes have been introduced that allow you to get/create/update/delete application passwords for a specific user.

Possible routes (the endpoints are described below):

/wp/v2/users/{ID}/application-passwords         // works with the specified user
/wp/v2/users/me/application-passwords           // works with the current user

/wp/v2/users/{ID}/application-passwords/introspect

/wp/v2/users/{ID}/application-passwords/uuid
/wp/v2/users/me/application-passwords/uuid

Schema

The schema shows all fields that exist for the object: the fields of the object that the request will return.

Parameter Context Description
uuid
String readonly
view, edit, embed Unique identifier for the application password.
app_id
String
view, edit, embed UUID provided by the application for unique identification. It is recommended to use UUID v5 with a URL or DNS namespace.
name
String required
view, edit, embed The name of the application password.
password
String readonly
edit The created password. Available after adding the application.
created
String readonly
view, edit The date and time (GMT) the application password was created.
last_used
String/null readonly
view, edit The date and time (GMT) of the last use of the application password.
last_ip
String/null readonly
view, edit The IP address from which the application password was last used.

/wp/v2/users/{ID}/application-passwords/wp/v2/users/me/application-passwords

An OPTIONS request to the route will return a full description of this route.

OPTIONS http://demo.wp-api.org/wp-json/wp/v2/users/{ID}/application-passwords
GitHub
{
    "namespace": "wp/v2",
    "methods": [
        "GET",
        "POST",
        "DELETE"
    ],
    "endpoints": [
        {
            "methods": [
                "GET"
            ],
            "args": {
                "context": {
                    "description": "Рамки в которых сделан запрос, определяют поля в ответе.",
                    "type": "string",
                    "enum": [
                        "view",
                        "embed",
                        "edit"
                    ],
                    "default": "view",
                    "required": false
                }
            }
        },
        {
            "methods": [
                "POST"
            ],
            "args": {
                "app_id": {
                    "description": "UUID предоставляемый приложением для уникальной идентификации. Рекомендуется использовать UUID v5 с пространством имен URL или DNS.",
                    "type": "string",
                    "format": "uuid",
                    "required": false
                },
                "name": {
                    "description": "Название пароля приложения.",
                    "type": "string",
                    "required": true
                }
            }
        },
        {
            "methods": [
                "DELETE"
            ],
            "args": []
        }
    ],
    "schema": { ... }
}

View User's Application Passwords

Retrieves all application passwords for the user. See WP_Application_Passwords::get_user_application_passwords().

Request Type

GET /wp/v2/users/{id}/application-passwords

Request Parameters

$context(string)
The scopes in which the request is made determine the fields in the response. Possible values: view, embed, edit.
Default: view

Example Request

GET https://wp-kama.ru/api/wp/v2/users/1/application-passwords

Response:

[
	{
		"uuid": "e76548d7-0274-438c-b04a-904301bda4d32",
		"app_id": "",
		"name": "Test",
		"created": "2020-12-23T13:47:55",
		"last_used": "2020-12-23T13:48:55",
		"last_ip": "89.149.201.210",
		"_links": {
			"self": [
				{
					"href": "https://wp-kama.ru/api/wp/v2/users/1/application-passwords/e76548d7-0274-438c-b04a-904301bda4d32"
				}
			]
		}
	},
	{
		"uuid": "e76548d7-0274-438c-b04a-987301bda4d32",
		"app_id": "",
		"name": "Test2",
		"created": "2020-12-23T13:49:08",
		"last_used": null,
		"last_ip": null,
		"_links": {
			"self": [
				{
					"href": "https://wp-kama.ru/api/wp/v2/users/1/application-passwords/e76548d7-0274-438c-b04a-987301bda4d32"
				}
			]
		}
	}
]

Create Application Password

Creates an application password. See WP_Application_Passwords::create_new_application_password().

Request Type

Access: requires authorization.

POST /wp/v2/users/{id}/application-passwords

Request Parameters

$name(string) (required)
The name of the application password.
$app_id(string)
UUID provided by the application for unique identification. It is recommended to use UUID v5 with a URL or DNS namespace.
Default: ''

Example Request

POST https://wp-kama.ru/api/wp/v2/users/1/application-passwords?name=Test2

Response:

{
	"uuid": "c9e5ce07-0ccb-4a2e-963a-feda93cf8bab",
	"app_id": "",
	"name": "Test2",
	"created": "2020-12-23T12:41:38",
	"last_used": null,
	"last_ip": null,
	"password": "pNFX LyvZ gz75 tiks UZiT xlSL",
	"_links": {
		"self": [
			{
				"href": "https://wp-kama.ru/api/wp/v2/users/1/application-passwords/c9e5ce07-0ccb-4a2e-963a-feda93cf8bab"
			}
		]
	}
}

Delete User's Application Passwords

Deletes all application passwords for the user. See WP_Application_Passwords::delete_all_application_passwords().

Request Type

Access: requires authorization.

DELETE /wp-json/wp/v2/users/1/application-passwords

Request Parameters

No parameters.

Example Request

DELETE https://example.com/wp-json/wp/v2/users/1/application-passwords

/wp/v2/users/{ID}/application-passwords/introspect

Retrieves the application password currently used for user authentication.

See WP_REST_Application_Passwords_Controller::get_current_item().

An OPTIONS request to the route will return a full description of this route.

OPTIONS http://demo.wp-api.org/wp-json/wp/v2/users/{ID}/application-passwords/introspect

Request Type

GET /wp/v2/users/{ID}/application-passwords/introspect

Request Parameters

$context(string)
The scope of the request determines the fields in the response. Possible values: view, embed, edit.
Default: view

/wp/v2/users/{ID}/application-passwords/uuid/wp/v2/users/me/application-passwords/uuid

These endpoints are the same as the previous ones, only they work with a specific application password.

An OPTIONS request to the route will return a full description of this route.

OPTIONS http://demo.wp-api.org/wp-json/wp/v2/users/{ID}/application-passwords/{uuid}
GitHub
{
    "namespace": "wp/v2",
    "methods": [
        "GET",
        "POST",
        "PUT",
        "PATCH",
        "DELETE"
    ],
    "endpoints": [
        {
            "methods": [
                "GET"
            ],
            "args": {
                "context": {
                    "description": "Рамки в которых сделан запрос, определяют поля в ответе.",
                    "type": "string",
                    "enum": [
                        "view",
                        "embed",
                        "edit"
                    ],
                    "default": "view",
                    "required": false
                }
            }
        },
        {
            "methods": [
                "POST",
                "PUT",
                "PATCH"
            ],
            "args": {
                "app_id": {
                    "description": "UUID предоставляемый приложением для уникальной идентификации. Рекомендуется использовать UUID v5 с пространством имен URL или DNS.",
                    "type": "string",
                    "format": "uuid",
                    "required": false
                },
                "name": {
                    "description": "Название пароля приложения.",
                    "type": "string",
                    "required": false
                }
            }
        },
        {
            "methods": [
                "DELETE"
            ],
            "args": []
        }
    ],
    "schema": { ... }
}

View Application Password

Retrieves the specified application password. See: WP_REST_Application_Passwords_Controller::get_item().

Request Type

GET /wp/v2/users/{ID}/application-passwords/{uuid}

Request Parameters

$context(string)
The scope of the request determines the fields in the response. Possible values: view, embed, edit.
Default: view

Example

GET https://example.com/wp-json/wp/v2/users/1/application-passwords/e79943d8-0367-287c-b07a-90001bda4d32

Response:

{
	"uuid": "e79943d8-0367-287c-b07a-90001bda4d32",
	"app_id": "",
	"name": "Test2",
	"created": "2020-12-23T13:49:08",
	"last_used": null,
	"last_ip": null,
	"_links": {
		"self": [
			{
				"href": "https://example.com/api/wp/v2/users/1/application-passwords/e79943d8-0367-287c-b07a-90001bda4d32"
			}
		]
	}
}

Update Application Password

Updates the password for the specified application. See: WP_REST_Application_Passwords_Controller::update_item().

Request Type

Access: requires authorization.

POST|PUT|PATCH /wp/v2/users/{user_id}/application-passwords/{uuid}

Request Parameters

$name(string) (required)
The name of the application password.

Example

POST https://example.com/wp-json/wp/v2/users/1/application-passwords/e77743d8-0367-287c-b07a-90001bda4d32

Delete Application Password

Deletes the user's passwords for the specified application. See: WP_REST_Application_Passwords_Controller::delete_item().

Request Type

DELETE /wp/v2/users/{user_id}/application-passwords/{uuid}

Request Parameters

No parameters.

Example

DELETE https://example.com/wp-json/wp/v2/users/1/application-passwords/e78743d8-0367-287c-b07a-90001bda4d32