I’m seeing “The API Key you supplied is incorrect” when trying to connect to Zapier

Let’s start with some background. The API key referred to by Zapier is actually called an ‘Application Password’ in the WordPress ecosystem. Application passwords were introduced in WordPress 5.6, to enable you and your users to generate and use separate passwords for accessing website APIs such as REST API.

It is not the same as your WordPress password, that you use to access the backend. You cannot use an application password to log in to a WordPress site, this makes application passwords much more secure.

If you are trying to connect to Zapier with your usual WordPress password please stop. It will not work. Instead, follow the steps here to create an application password.

I have created my application password, but still get the error. Now what? #

It is important to point out that the application password service is provided by WordPress. It is not a part of Zapier, and is not a part of Ultimeter. If you cannot connect your website to Zapier, with Ultimeter activated, it is very likely that you would not be able to use application passwords with any service, with or without Ultimeter activated.

Let’s start with some basic troubleshooting. These are listed in the order we think you should try first.

Check application passwords are enabled #

Ultimeter comes with a handy indicator of whether application passwords are enabled. Just head to Ultimeter in your dashboard menu, then Enterprise Edition. Scroll to the bottom of the page, and you will see a status section. If application passwords are enabled, you will see a green tick.

Enterprise Edition Status Section

Make sure you are using SSL #

WordPress requires your site to be using SSL. You will know if you are using SSL, because your site will have a padlock in the browser address bar. If you do not see the padlock, you cannot use application passwords.

Deactivate all plugins #

Please deactivate all your plugins apart from Ultimeter. Some plugins, especially security plugins, turn off application passwords by default, or give you the option to do so. If you are concerned about turning off security plugins, most well developed ones will allow you to enable application passwords, so please make sure you have read all their documentation.

Make sure your web host isn’t blocking basic authentication #

Some hosting environments, usually Apache based, aren’t configured to pass the basic authentication headers from incoming requests to PHP so they are not present when the WordPress and Gravity Forms APIs attempt to authenticate requests, which can result in authentication errors.

WordPress had a number of reports of issues like this during the development of their REST API. An engineer at WPEngine investigated and confirmed it is a hosting issue which hosts can resolve by making a change to the Apache configuration on the server hosting the site.

With all your plugins disabled, you essentially have a ‘clean install’ of WordPress. Therefore the only remaining factor can be the server your site resides on. Please contact your web host and ask them to ensure the CGIPassAuth directive is enabled on the server hosting your site.

The WordPress REST API FAQ also includes additional solutions for this issue.

Next Steps #

If you have gone through the list above, please reach out to us for support. Because application passwords are separate to our product, our support may be limited to confirming the issue, and the steps you have taken yourself, and advising what you can do to proceed.