Title: REST API Basic Authentication vs JWT vs API Key
Last modified: June 15, 2023

---

# REST API Basic Authentication vs JWT vs API Key

 *  [wrip](https://wordpress.org/support/users/wrip/)
 * (@wrip)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/rest-api-basic-authentication-vs-jwt-vs-api-key/)
 * The Basic Authentication using application password, which is provided by default
   in WP – is this Base64 encoded? How secure is it as compared to JWT and API Key
   authentication?

Viewing 1 replies (of 1 total)

 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/rest-api-basic-authentication-vs-jwt-vs-api-key/#post-16822540)
 * Basic Auth and application passwords are actually two different methods, neither
   being the default. The default is cookie authentication. Application passwords
   can be passed using Basic Auth _protocol_, but the hashing algorithm is different.
   Basic Auth is not intended for production environments. My understanding is it’s
   not very secure. Application passwords use the same portable hasher that is used
   for WP logins. The algorithm is still MD5 at its root, but it’s additionally 
   processed to make cracking more difficult. MD5 is used for broad compatibility
   reasons. You can get the hasher to use Blowfish instead by defining `CRYPT_BLOWFISH`
   as `1` or true in wp-config.php.
 * JWT and oAuth are the other options. I’m not knowledgeable about how they actually
   manage security, but I’m confident they are adequately secure. I’m unfamiliar
   with “API Key authentication”, not sure what you mean by that. Basic Auth is 
   the only one you’d want to avoid. Any of the others are fine, use whichever you’re
   most comfortable using. Personally, I like Application Passwords.

Viewing 1 replies (of 1 total)

The topic ‘REST API Basic Authentication vs JWT vs API Key’ is closed to new replies.

## Tags

 * [authentication](https://wordpress.org/support/topic-tag/authentication/)

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 1 reply
 * 2 participants
 * Last reply from: [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * Last activity: [2 years, 11 months ago](https://wordpress.org/support/topic/rest-api-basic-authentication-vs-jwt-vs-api-key/#post-16822540)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics