[wp-trac] [WordPress Trac] #63754: Application password with REST API fails when logged in (Unauthorized), works when logged out — Regression from WP 6.8.2
WordPress Trac
noreply at wordpress.org
Mon Aug 18 06:42:33 UTC 2025
#63754: Application password with REST API fails when logged in (Unauthorized),
works when logged out — Regression from WP 6.8.2
-----------------------------------+----------------------
Reporter: elabinnovations | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Application Passwords | Version: 6.8.2
Severity: blocker | Resolution: invalid
Keywords: close | Focuses:
-----------------------------------+----------------------
Comment (by elabinnovations):
Hi @mindctrl
Thanks again
I’ve identified the problem: when the REST API request contains the
`wordpress_logged_in_*` (eg: `Cookie:
wordpress_test_cookie=WP%20Cookie%20check;
SignonSession=8d9e72a90f731d6429532f0ff72a26d3; wp_lang=en_US;
wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1756707188%7CyY973u1MXtrAIGENdOKzfxKPN0FeNshlQFzPhZl1Odr%7C2d2ccdb1b4e95482f06806eed4e23329a96565e6159c04d95d77274d2145c1c2;
user_id=1; wp-settings-1=deleted; wp-settings-time-1=1755497588` cookies,
Application Password authentication fails.
If I strip those cookies, the Application Password works as expected.
So the issue is tied to being logged in — WordPress sets the
`wordpress_logged_in_*` cookies during login, and those cookies interfere
with Application Password authentication, causing it to fail with a 401
Unauthorized.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63754#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list