How to use permission_callback with remote application passwords

  • Resolved Tijmen Smit


    Maybe I’m overlooking something, or thinking about this in the wrong way. But I installed the 5.6 beta and created an application pw that I intend to use with the REST API.

    So let’s say you want to use it with WP_REST_Server::CREATABLE and make sure only requests from users that have a valid application pw are allowed to create new posts for a specific custom post type.

    What would I pass to the permission_callback, to see if the passed username:pw for the application are valid?

    I can’t find any documentation on this.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Timothy Jacobs


    Hi @tijmensmit,

    Thanks for being an early tester of Application Passwords!

    Application Passwords works like other REST API authentication mechanisms, where the current user is set automatically according to the credentials passed to WordPress.

    So in your permission callback, you should verify based on a user’s capabilities, not on the fact that they successfully used an Application Password. For instance, current_user_can( 'edit_posts' ).

    Checking that they used an App Password is strongly discouraged.

    1. It ties your REST API route to a specific means of authentication. That means it won’t work with cookie-based authentication, or if new auth mechanisms are introduced, they won’t work either. Additionally, it makes it significantly more complex to unit test.

    2. Any user can have an App Password; it doesn’t tell you anything about their capabilities. That’s why you should always use the Capabilities API.
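
A capability-based permission_callback for a CREATABLE route, as described in the reply above. This is an added example, not code posted in the thread or taken from WordPress core; the `myplugin/v1` namespace, the `/books` path, the `book` post type and the `myplugin_*` function names are hypothetical.

```php
<?php
// Added example. Namespace, route, post type and function names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/books', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'myplugin_create_book',
        'permission_callback' => 'myplugin_can_create_book',
        'args'                => array(
            'title' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// WordPress has already resolved the current user from whatever credentials
// were sent (Application Password, cookie + nonce, ...), so the callback only
// asks what that user is allowed to do, never how they authenticated.
function myplugin_can_create_book( WP_REST_Request $request ) {
    $post_type = get_post_type_object( 'book' );
    if ( ! $post_type ) {
        return new WP_Error( 'rest_invalid_post_type', 'Post type is not registered.', array( 'status' => 500 ) );
    }
    // Use the post type's own capability so custom capability_type mappings apply.
    if ( ! current_user_can( $post_type->cap->create_posts ) ) {
        return new WP_Error(
            'rest_cannot_create',
            'Sorry, you are not allowed to create books.',
            // 401 when no valid credentials were supplied, 403 when the user lacks the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function myplugin_create_book( WP_REST_Request $request ) {
    $post_id = wp_insert_post( array(
        'post_type'   => 'book',
        'post_title'  => $request['title'],
        'post_status' => 'draft',
    ), true ); // true: return a WP_Error on failure instead of 0.
    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    return new WP_REST_Response( array( 'id' => $post_id ), 201 );
}
```
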

    Thread Starter Tijmen Smit


    Thanks for the explanation, it makes a lot of sense, and I was indeed thinking about it in the wrong way 🙂
