Hello @swporg !
Thank you for reaching out!
I got a few questions just to get a better overview of what you are trying to achieve, and how:
- Which JWT plugin are you using, and what endpoint are you calling exactly when encountering this error?
- Just to make sure I understand correctly: when you mention “exclude the API” and “app password,” are you referring to excluding certain REST API routes from 2FA enforcement, or are you asking if WP 2FA disables the built-in WordPress Application Passwords feature when 2FA is enabled?
- Can you share a sanitized example request and full response JSON, including headers so we can see how you are performing these actions? Make sure to censor any sensitive or compromising site info from the screenshot.
- Are WordPress Application Passwords enabled for the affected user?
- Is REST enabled on the site or just partially enabled? Can you elaborate on any limitations or setup particularities?
- Is the user being enforced for 2FA via role or policy, or are any user-level exclusions applied?
- Is the site using HTTPS in production, and are you behind any WAF or reverse proxy that could alter auth headers?
For reference, we do have an article related to the new REST endpoints we have included in the most recent update, which can be accessed here – leaving this here just in case you haven’t already checked it.
Once we have more context on what and how you are trying to achieve, I will try to offer some guidance.
Looking forward to your response.
