feat: Expand application password abilities

[dcalhoun]

Allow authenticating for admin-ajax and post preview requests with application passwords. This enables cookie-less clients—e.g, the iOS and Android mobile apps—to successfully authenticate these requests.

Ref CMM-713. Close CMM-766.

Proposed changes:

Leverage the application_password_is_api_request filter to conditionally extend application password authentication for:

• admin-ajax
• Post previews

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

• pbArwn-7AD-p2
• p5TWut-1qz-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

Important

Apply these Jetpack changes to your site (see comment) before testing.

Important

Replace the placeholder values (wrapped with <some_value>) with valid information.

1. Authenticate VideoPress admin-ajax requests with application passwords

1. Request a VideoPress admin-ajaxaction:

   curl -I 'https://<site_domain>/wp-admin/admin-ajax.php?action=videopress-get-upload-jwt'

2. Verify the 400 response without an authentication token.
3. Request a VideoPress admin-ajaxaction:

   curl -I 'https://<site_domain>/wp-admin/admin-ajax.php?action=videopress-get-upload-jwt' \
     -H "Authorization: Basic $(echo -n '<username>:<application_password>' | base64)"

4. Verify the 200 response with an authentication token for VideoPress actions.
5. Request a non-VideoPress admin-ajaxaction:

   curl -I 'https://<site_domain>/wp-admin/admin-ajax.php?action=ajax-tag-search&tax=post_tag&q=<example_tag>&number=20' \
     -H "Authorization: Basic $(echo -n '<username>:<application_password>' | base64)"

6. Verify the 400 response with an authentication token for non-VideoPress actions.

2. Authenticate draft post preview request with application passwords

1. Save a draft post and note the post ID.
2. Request a preview:

   curl -I 'https://<site_domain>/?p=<draft_post_id>&preview=true'

3. Verify the 404 response without an authentication token.
4. Request a preview:

   curl -I 'https://<site_domain>/?p=<draft_post_id>&preview=true' \
     -H "Authorization: Basic $(echo -n '<username>:<application_password>' | base64)"

5. Verify the 200 response with an authentication token.

3. Retrieve application password abilities

1. Request the REST API endpoint:

   curl 'https://<site_domain>/wp-json/wpcom/v2/application-password-extras/abilities' \
     -H "Authorization: Basic $(echo -n '<username>:<application_password>' | base64)"

2. Verify the expected response:

   {"admin-ajax":true,"post-previews":true}

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the feat/expand-application-passwords-abilities branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack feat/expand-application-passwords-abilities

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly:
  • Scheduled release: March 3, 2026
  • Code freeze: March 3, 2026

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 1 file.

File	Coverage	Δ%	Δ Uncovered
projects/plugins/jetpack/load-jetpack.php	1/44 (2.27%)	-0.11%	2 ❤️‍🩹

2 files are newly checked for coverage.

File	Coverage
projects/plugins/jetpack/_inc/lib/core-api/wpcom-endpoints/class-wpcom-rest-api-v2-endpoint-application-password-extras.php	42/53 (79.25%) 💚
projects/plugins/jetpack/_inc/lib/class-jetpack-application-password-extras.php	18/20 (90.00%) 💚

Full summary · PHP report · JS report

[dcalhoun]

@jkmassel I'm realizing this is too broad and problematic. Effectively, any request can append ?preview=true&p=anything and enable application password authentication for the request.

That effectively nullifies the VideoPress actions limitation. It also expands the potential usage surface immensely, even beyond admin-ajax.

Unfortunately, I don't believe there is a more explicit way to identify a request for post preview. Claude suggested...

• Appending && ! is_admin(), but I imagine there are non-admin requests that could still be manipulated.
• Leveraging the presence of WP_USE_THEMES, but this feels brittle as I'm sure that value was never intended for this purpose.

It feels like we shouldn't pursue token authentication for post previews. We might instead...

• Retain the approach of token → cookie exchange for sites with Jetpack.
• Notify users they may need to log in to their site and launch users to their OS browser.

[Copilot]

Pull request overview

This PR extends WordPress Application Password authentication capabilities to support cookie-less clients (like mobile apps) by allowing authentication for:

1. VideoPress AJAX actions via admin-ajax.php
2. Post and page preview requests

The implementation leverages the application_password_is_api_request filter to conditionally enable these abilities while maintaining security by restricting them to specific, controlled use cases.

Changes:

• Adds new Jetpack_Application_Password_Extras class to extend application password functionality beyond REST API
• Introduces REST API endpoints to query application password abilities
• Includes comprehensive test coverage for both core functionality and REST endpoints

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
projects/plugins/jetpack/_inc/lib/class-jetpack-application-password-extras.php	Core implementation extending application password authentication for VideoPress AJAX actions and post previews
projects/plugins/jetpack/_inc/lib/core-api/wpcom-endpoints/class-wpcom-rest-api-v2-endpoint-application-password-extras.php	REST API endpoint to retrieve application password abilities
projects/plugins/jetpack/load-jetpack.php	Initializes the new application password extras functionality
projects/plugins/jetpack/tests/php/_inc/lib/Jetpack_Application_Password_Extras_Test.php	Comprehensive unit tests for core functionality
projects/plugins/jetpack/tests/php/core-api/wpcom-endpoints/WPCOM_REST_API_V2_Endpoint_Application_Password_Extras_Test.php	Unit tests for REST API endpoints
projects/plugins/jetpack/changelog/feat-expand-application-passwords-abilities	Changelog entry documenting the changes