In 2015, WordPress 4.4 introduced a REST API, but one thing that has severely limited its broader use is the lack of authentication capabilities for third-party applications. After considering the benefits and drawbacks of many different types of authentication systems, George Stephanis published a proposal for integrating Application Passwords, into core.
Stephanis highlighted a few of the major benefit that were important factors in the decision to use Application Passwords: the ease of making API requests, ease of revoking credentials, and the ease of requesting API credentials. The project is available as a standalone feature plugin, but Stephanis and his collaborators recommended WordPress merge a pull request that is based off the feature plugin’s codebase.
After WordPress 5.6 core tech lead Helen Hou-Sandi gave the green light for Application Passwords to be merged into core, the developer community responded enthusiastically to the news.
“I am/we are 100% in favor of this,” Joost deValk commented on the proposal. “Opening this up is like opening the dawn of a new era of WordPress based web applications. Suddenly authentication is not something you need to fix when working with the API and you can just build awesome stuff.”
Stephanis’ proposal also mentioned how beneficial a REST API authentication system would be for the Mobile teams‘ contributors who are relying on awkward workarounds while integrating Gutenberg support.
“This would be a first step to replace the use of XMLRPC in the mobile apps and it would allow us to add more features for self hosted users,” Automattic mobile engineer Maxime Biais said.
After the REST API was added to WordPress five years ago, many had the expectation that WordPress-based web applications would start popping up everywhere. Without a reliable authentication system, it wasn’t easy for developers to just receive inspired and build something quickly. Application Passwords in WordPress 5.6 will open up a lot of possibilities for those who were previously deterred by the lack of core methods for authenticating third-party access.