Hi Peter – Found the problem! I am using Application Passwords to create authentication credentials for the REST API requests. There is a WordFence setting buried waaaay in the annals of the settings page (All Options -> Firewall Options -> Brute Force Protection -> Additional Options) that says ‘Disable application passwords’. I simply unchecked this box and the API requests were no longer blocked. I also found that if Wordfence is set to block application passwords, if you go to the Application Passwords section of the user account where the credentials are set up, there will be a message saying that Wordfence is blocking application passwords, and a button that will take you to the place in Wordfence settings where you can uncheck this box. Thanks very much for your help!
