> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mainwp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Application Passwords

> Create, view, and revoke WordPress Application Passwords from MainWP Dashboard API Access for integrations that use username and password-based API auth.

MainWP Dashboard includes a dedicated **Application Passwords** screen under **API Access** so you can manage credentials without leaving the Dashboard navigation.

<Note>
  Application Passwords are WordPress-level credentials and are separate from MainWP API keys. They can be revoked without changing your login password.
</Note>

## What You'll Learn

* Where Application Passwords are managed in MainWP Dashboard
* How to create and securely store a new password
* How to review usage and revoke credentials
* When to use Application Passwords vs API keys

***

## Prerequisites

* MainWP Dashboard administrator access
* A WordPress user account that should own the credential
* HTTPS enabled on your Dashboard domain

***

## Create an Application Password

<Steps>
  <Step title="Open Application Passwords">
    Go to **Dashboard > API Access > Application Passwords**.
  </Step>

  <Step title="Create a new credential">
    Enter a descriptive name (for example, `Claude Desktop`, `Zapier`, or `Internal Script`) and create the password.
  </Step>

  <Step title="Copy the generated password">
    Copy it immediately and store it in your password manager or secret store.

    <Warning>
      The full password is shown only once.
    </Warning>
  </Step>

  <Step title="Test authentication">
    Use the WordPress username with the Application Password in HTTP Basic authentication.
  </Step>
</Steps>

```bash theme={null}
curl -u "USERNAME:APPLICATION_PASSWORD" \
  "https://your-dashboard.com/wp-json/wp-abilities/v1/abilities"
```

***

## View and Revoke Passwords

In **Dashboard > API Access > Application Passwords**, you can review existing entries, including metadata such as creation time and last use details.

* Revoke individual credentials that are no longer needed.
* Revoke all credentials for incident response or full rotation.
* Recreate passwords per integration to keep access scoped and auditable.

***

## API Keys vs Application Passwords

| Credential Type      | Best For                                                                                | Auth Style                      | Managed In                                         |
| -------------------- | --------------------------------------------------------------------------------------- | ------------------------------- | -------------------------------------------------- |
| API Key              | MainWP REST API v2 integrations                                                         | `Authorization: Bearer ...`     | **Dashboard > API Access > API Keys**              |
| Application Password | Tools that use username/password auth (for example MCP or other WordPress REST clients) | HTTP Basic (`-u user:password`) | **Dashboard > API Access > Application Passwords** |

***

## Security Recommendations

* Create a separate credential per tool or integration.
* Revoke unused credentials regularly.
* Avoid sharing one credential across multiple systems.
* Use a dedicated API user for production automations.

***

## Related Resources

* [REST API Overview](/api-reference/rest-api/overview) - API key setup, endpoint categories, and request patterns
* [MainWP MCP Server](/api-reference/abilities-api/mcp-server) - Application Password-based AI tooling setup