Use WordPress Application Passwords for API access. Do not use a primary account password in application configuration.
Generated Application Password values are returned only when WordPress creates the credential. Store that value immediately in a secret manager or environment variable.
Never log:
- authorization headers
- raw Application Passwords
- cookies
- tokens or secrets
Structured SDK exception payloads redact common sensitive keys and Basic/Bearer credential strings.