Fixing the REST API 401 Error After WordPress 6.x Update

I was running a headless WordPress setup — React frontend consuming the REST API — when a routine WordPress update broke everything. Every authenticated API request started returning 401 Unauthorized. The public endpoints still worked fine, but anything requiring authentication was dead.

The Root Cause: Application Passwords

WordPress 6.x tightened security around the REST API authentication. The issue in my case was that my server was stripping the Authorization header before WordPress could read it. This is a common Apache/Nginx misconfiguration that only becomes apparent after security changes in core.

The Apache Fix

If you are running Apache, add this to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

For Nginx, ensure your config passes the header:

fastcgi_param HTTP_AUTHORIZATION $http_authorization;

CORS Headers for Headless Setups

The second issue was CORS. My React app on a different domain was sending preflight OPTIONS requests, and WordPress was not responding to them correctly. I added a small filter in my theme:

add_action("rest_api_init", function () {
    remove_filter("rest_pre_serve_request", "rest_send_cors_headers");
    add_filter("rest_pre_serve_request", function ($value) {
        $origin = get_http_origin();
        if ($origin) {
            header("Access-Control-Allow-Origin: " . esc_url_raw($origin));
            header("Access-Control-Allow-Credentials: true");
            header("Access-Control-Allow-Headers: Authorization, Content-Type");
        }
        return $value;
    });
});

Testing the Fix

I verified the fix with a simple curl command:

curl -I -H "Authorization: Basic BASE64_CREDENTIALS" \
  https://example.com/wp-json/wp/v2/posts

Once I saw 200 OK instead of 401, I knew the issue was resolved. If you are building headless WordPress applications, always test your authentication flow after core updates.