Got the following code running on a local WordPress install. I have created an application password for the admin user but am still getting a 401 unauthorised. What am I missing?

Here's the code:

```javascript
jQuery.ajax({
    type: "POST",
    dataType: "json",
    url: 'http://the-lead-magnet-company.local/wp-json/wp/v2/posts',
    data: JSON.stringify({
        title: me.title(),
        content: 'Here is some content',
        status: 'published'
    }),
    beforeSend: function ( xhr ) {
        xhr.setRequestHeader('Authorization', 'Basic admin:DqfX r0YT hQE5 lsgu 2Y7d PJv5');
    },
    success: function (data) {
        alert("posted");
    },
    error: function (error) {
        alert("FAILD:" + error);
    }
});
```
asked Jan 24, 2022 at 17:46 by Codescribler
1 Answer
You should use cookie based authentication instead of basic auth. Delete the basic auth/application password authentication code.
Follow the cookie authentication example that creates a post via the REST API from the REST API handbook: https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/#cookie-authentication
- Create a valid nonce for use in your AJAX requests in PHP `wp_create_nonce( 'wp_rest' )` as the docs tell you to
- Add a `beforeSend` to your AJAX call like the docs suggest that adds the nonce in a HTTP header:

  ```javascript
  beforeSend: function ( xhr ) {
      xhr.setRequestHeader( 'X-WP-Nonce', your_nonce_variable );
  },
  ```

- Make the request while logged into the site from the same domain
the-lead-magnet-company.local
then the use of basic authentication is unnecessary and inappropriate – Tom J Nowell ♦ Commented Jan 24, 2022 at 18:18
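
The cookie-plus-nonce request the answer describes, put together as an added example (not code from the original question or answer). The helper name `buildCreatePostSettings`, the global `window.myRestNonce` and the sample post values are assumptions; the helper refuses to attach the nonce to a request for any origin other than the page's own.

```javascript
// Added example: buildCreatePostSettings and all sample values are hypothetical.
// It returns the settings object to pass to jQuery.ajax().
function buildCreatePostSettings(pageOrigin, restUrl, nonce, post) {
    // Resolve relative URLs such as '/wp-json/wp/v2/posts' against the page.
    const target = new URL(restUrl, pageOrigin);
    // Cookie authentication only applies to the site the user is logged into,
    // and the nonce must not be sent to any other origin.
    if (target.origin !== new URL(pageOrigin).origin) {
        throw new Error('Refusing to send X-WP-Nonce cross-origin: ' + target.origin);
    }
    if (typeof nonce !== 'string' || nonce.length === 0) {
        throw new Error("Missing nonce from wp_create_nonce( 'wp_rest' )");
    }
    return {
        type: 'POST',
        url: target.href,
        dataType: 'json',
        contentType: 'application/json', // the body is JSON, so label it as JSON
        data: JSON.stringify(post),
        beforeSend: function (xhr) {
            // No Authorization header: the login cookie plus the nonce authenticate.
            xhr.setRequestHeader('X-WP-Nonce', nonce);
        }
    };
}

// Browser usage. Assumption: PHP printed the nonce into window.myRestNonce.
if (typeof jQuery !== 'undefined' && typeof window !== 'undefined' && window.myRestNonce) {
    jQuery.ajax(buildCreatePostSettings(
        window.location.origin,
        '/wp-json/wp/v2/posts',
        window.myRestNonce,
        { title: 'Hello', content: 'Here is some content', status: 'draft' } // constructed
    )).done(function () {
        console.log('posted');
    }).fail(function (xhr) {
        console.log('failed: HTTP ' + xhr.status);
    });
}
```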