Application Passwords are WordPress-level credentials and are separate from MainWP API keys. They can be revoked without changing your login password.
What You’ll Learn
- Where Application Passwords are managed in MainWP Dashboard
- How to create and securely store a new password
- How to review usage and revoke credentials
- When to use Application Passwords vs API keys
Prerequisites
- MainWP Dashboard administrator access
- A WordPress user account that should own the credential
- HTTPS enabled on your Dashboard domain
Create an Application Password
Create a new credential
Enter a descriptive name (for example,
Claude Desktop, Zapier, or Internal Script) and create the password.Copy the generated password
Copy it immediately and store it in your password manager or secret store.
View and Revoke Passwords
In Dashboard > API Access > Application Passwords, you can review existing entries, including metadata such as creation time and last use details.- Revoke individual credentials that are no longer needed.
- Revoke all credentials for incident response or full rotation.
- Recreate passwords per integration to keep access scoped and auditable.
API Keys vs Application Passwords
| Credential Type | Best For | Auth Style | Managed In |
|---|---|---|---|
| API Key | MainWP REST API v2 integrations | Authorization: Bearer ... | Dashboard > API Access > API Keys |
| Application Password | Tools that use username/password auth (for example MCP or other WordPress REST clients) | HTTP Basic (-u user:password) | Dashboard > API Access > Application Passwords |
Security Recommendations
- Create a separate credential per tool or integration.
- Revoke unused credentials regularly.
- Avoid sharing one credential across multiple systems.
- Use a dedicated API user for production automations.
Related Resources
- REST API Overview - API key setup, endpoint categories, and request patterns
- MainWP MCP Server - Application Password-based AI tooling setup