WordPress REST API error
WordPress REST API 401 Unauthorized.
A 401 usually means WordPress or the server did not accept an identity for the request. It is different from a 403, where identity may exist but permission fails.
Failure stage
Route request sent: the client called a REST URL.
Failed first: authentication identity is missing, malformed, stripped, or not valid for WordPress.
Not proven yet: route permission and callback logic.
401 evidence matrix
| Evidence | Likely cause | First check |
|---|---|---|
| No Authorization header reaches PHP | Server strips header | Check hosting/.htaccess rewrite forwarding before changing passwords. |
| External script uses cookies/nonces | Wrong auth model | Use Application Password Basic auth over HTTPS. |
| Basic header exists but 401 remains | Username/password shape wrong | Use WordPress username plus Application Password, not the normal login password. |
| Bearer token copied from another plugin | Unsupported auth plugin path | Confirm the token plugin is active and supports that route. |
| Works in browser, fails in Postman | Browser cookie session hiding missing auth | Test with a clean external request and explicit headers. |
Bad input example
GET https://example.com/wp-json/wp/v2/users/me
Authorization: Basic base64(admin:normal-wordpress-login-password)
Response: 401 Unauthorized
Corrected pattern
GET https://example.com/wp-json/wp/v2/users/me
Authorization: Basic base64(wp_username:application_password)
Use HTTPS.
Use the user's WordPress username.
Use an Application Password created for that user.
Pattern to verify in your environment.
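A client-side check for the bad-input and corrected patterns above, added here as an example and not part of the original page: it inspects an outgoing request for identity-stage problems before it is sent. The function names, finding labels and the 24-character Application Password shape are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Assumption: Application Passwords are 24 letters/digits, shown in groups of
# four separated by spaces; spaces are ignored for the shape check.
APP_PASSWORD_SHAPE = re.compile(r"[A-Za-z0-9]{24}")


def build_basic_header(username, app_password):
    """Return the Authorization value for username + Application Password."""
    raw = f"{username}:{app_password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def triage_request(url, headers):
    """List identity-stage problems visible in an outgoing request."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("not-https")
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return findings + ["no-authorization-header"]
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "basic":
        return findings + ["non-basic-scheme"]
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return findings + ["malformed-basic-value"]
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        findings.append("missing-username-or-colon")
    elif not APP_PASSWORD_SHAPE.fullmatch(password.replace(" ", "")):
        findings.append("password-not-application-password-shaped")
    return findings


# Constructed sample values; none of these are real credentials.
URL = "https://example.com/wp-json/wp/v2/users/me"
GOOD = {"Authorization": build_basic_header("wp_username", "abcd EFGH 1234 ijkl MNOP 5678")}
BAD = {"Authorization": build_basic_header("admin", "normal-wordpress-login-password")}

if __name__ == "__main__":
    for label, hdrs in (("corrected", GOOD), ("bad input", BAD), ("cookie-only", {})):
        print(label, triage_request(URL, hdrs) or "identity shape looks right")
```

An empty result only says the request left the client well-formed; if the 401 remains, the header-forwarding row of the matrix is the next check.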
Do this first / not yet
Do this first
- Decide whether the client is browser same-origin or external.
- For external clients, test Application Password auth against /wp-json/wp/v2/users/me.
- Check whether the server forwards the Authorization header.
Do not do this yet
- Do not make the route public just to remove 401.
- Do not paste live admin passwords into public tools.
- Do not debug permission_callback before identity is accepted.