Response to preflight request doesn’t pass access control check

Not sure, but the plugin code is very basic only a few functions. You may want to take a look and see if there is any change that can be made. As far as I know, the plugin is just using default/core WP functionality to disable the REST API. It doesn’t make any exceptions for application passwords, etc. If all else fails try one of the other, more robust, REST API plugins that provide options to do things that what you are describing, etc.

I hope this helps, let me know if I can provide any further infos.

Thanks for the quick reply!

I will check and see if any changes can be made.

The app actually does make an exception for application passwords because I am able to authenticate with an application password in Postman. So if it is not meant to do that, you might want to fix that.

I’m not familiar with Postman, but if it is a free app or service and you want to provide steps to replicate the issue, I would be glad to investigate asap.

Postman is a tool for API development so I was using it to make GET calls to the API. But you can replicate this in Terminal:

curl --location --request GET 'https://xxxxxxxxx.com/wp-json/wp/v2/posts' --header 'Authorization: Basic username:app-password'

Okay thanks. Does the request go thru without the username and password?

No the request does not go through without authentication.

Yeah what I think is happening is that the plugin is using default WP hooks, etc. to disable REST API in general. But when you pass credentials WP allows the request to go thru successfully.