What are WordPress Application Passwords?

When you connect your WordPress site to 42flows, we ask for an Application Password — not your regular WordPress login password. This is a WordPress-native feature, added in WordPress 5.6 (December 2020), designed specifically for connecting external services to your site safely.

How they're different from your normal password

If you gave 42flows your main password, we'd have the same access as you — dashboard, plugin installs, theme edits, everything. Application Passwords scope us down to exactly what we need: creating and updating posts via the REST API.

What 42flows does with the Application Password

We use it to make authenticated requests to your site's REST API for three things:

1. Publish posts — POST /wp-json/wp/v2/posts to publish generated content.
2. Set SEO meta — if Yoast, Rank Math, or AIOSEO is installed, we write the SEO title, description, and focus keyphrase via their meta fields.
3. Manage categories — POST /wp-json/wp/v2/categories to auto-create the categories we organize content into (guides, problems, solutions, etc.).

We never access your user list, settings, theme files, or plugin files. The Application Password can't do any of that — it only has the edit_posts capability scope.

Revoke access anytime

If you ever want to stop 42flows from publishing to your site:

1. Log in to WordPress admin.
2. Go to Users → Profile.
3. Scroll to Application Passwords.
4. Find the one named 42flows and click Revoke.

The connection breaks instantly. Your main password is unaffected.

Why this matters

The alternative — asking you to share your main password or install a custom API key plugin — is how a lot of older integrations still work. Those are both riskier and clunkier. Application Passwords are the right way to do this in 2026: built into WordPress core, endorsed by the WordPress project, and standard across the ecosystem.

Related guides

• Wordfence is blocking Application Passwords — how to unblock them if a security plugin is in the way.