Application passwords are access tokens that are generated specifically for an application outside of the general OAuth authorization flow. This means that an access token can be generated without using the flow of OAuth 2. In context, we will use the term “Access Token” but really this is just another term for an OAuth 2 Application Password.
WordPress natively supports Application Passwords since WordPress version 5.6 but the issue is that the manner in which they are used can be cumbersome to native authorization flows. This is why we added support for OAuth 2.
OAuth 2 Application Passwords, like stated above, are simply normal access tokens assigned to the scope of a given user to the token belongs. They can be used when making calls to the REST API or accessing custom resource server endpoints created by developers.
OAuth 2 Application password can be managed by visiting the profile page.
Notes
- Currently only 1 OAuth 2 Application Password can be generated at a time.