Creating Application Password using REST API results in 401 regardless of JWT token

Because what you’re trying to do boils down to the fundamental question:

How do I log in to WordPress using only the REST API?

The answer: You can’t in stock/vanilla WordPress.


“message”: “You are not currently logged in.”,



“message”: “Sorry, you are not allowed to create application passwords for this user.”,

Are both expected and normal responses because:

  • if you make a request to /wp-json/wp/v2/users/me/application-passwords/ how would it know who “me” is? You have to be logged in and authenticated to use this endpoint
  • likewise, only someone logged in as the user with ID 1 or an administrator can use the /wp-json/wp/v2/users/1/application-passwords/ endpoint, both endpoints require an authenticated request.

Core provides 2 methods of authentication:

  • a session cookie with a REST API nonce, where the cookie was created by using the standard WordPress login process in a browser
  • a pre-configured application password, setup prior by the user or an administrator via the users profile page in WP Admin.

It is not possible to create and use these using only the REST API, hence the need to install additional plugins.

A lot of independent developers use JWT to work around this as it’s easier to implement, despite the security issues with the JWT system.

Enterprise and more experienced agencies use OAuth2, including and core official recommendations. Neither of these provide mechanisms for registration however, and neither are bundled in WordPress and require the installation of 3rd party plugins.