[wp-trac] [WordPress Trac] #63754: Application password with REST API fails when logged in (Unauthorized), works when logged out — Regression from WP 6.8.2

WordPress Trac noreply at wordpress.org
Sat Jul 26 13:11:30 UTC 2025


#63754: Application password with REST API fails when logged in (Unauthorized),
works when logged out — Regression from WP 6.8.2
-----------------------------------+-----------------------------
 Reporter:  elabinnovations        |      Owner:  (none)
     Type:  defect (bug)           |     Status:  new
 Priority:  normal                 |  Milestone:  Awaiting Review
Component:  Application Passwords  |    Version:  6.8.2
 Severity:  blocker                |   Keywords:
  Focuses:                         |
-----------------------------------+-----------------------------
 == Description
 After updating to WordPress 6.8.2, requests using **Application
 Passwords** with the REST API fail with `401 Unauthorized` **when the user
 is logged in to WordPress** in the browser.

 This behavior did **not** happen in earlier versions. Previously, REST API
 calls authenticated via Application Passwords worked regardless of login
 state.


 == Steps to Reproduce
 1. Create a new Application Password from the User Profile page.
 2. Use the password in a REST API request (e.g., via Postman or curl).
 3. While the user is **logged in** to the site in the browser, the REST
 call returns **401 Unauthorized**.
 4. If the user logs out, the same request starts working again.


 == Expected Behavior
 Application Password authentication should work independently of the
 browser login state, as it did in previous versions.


 == Actual Behavior
 REST requests using Application Passwords fail when the associated user is
 logged in.


 == Environment
 - WordPress version: 6.8.2
 - Browser: Any
 - Auth: Application Password (Basic Auth)
 - REST API endpoint: Any (e.g., `/wp-json/wp/v2/posts`)


 == Regression
 This issue is a regression — it worked properly in WordPress 6.8.1 and
 earlier.


 == Additional Notes
 This could potentially be related to recent security hardening or session
 validation changes. Please investigate the recent updates to auth/session
 handling.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63754>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

