Let's assume a standard wordpress website on https://example.com.au/. We have created a dev version of the website at https://example.com.au/dev.

We have installed and enabled a tool called miniOrange into our Wordpress 5.8 installation on the dev site. We have set up application passwords. Because we're using the free version of miniOrange, we've enabled Basic Authentication with Base64 Encoding of the username:password tuple.

We're using Visual Studio Code's REST Client to send the request. The request is below (slightly obfuscated):

POST https://www.example.com.au/dev/wp-json/wp/v2/pages HTTP/1.1
Content-Type: application/json
Authorization: Basic WeAreNotAllowedToShowYouThisString

{
    "slug": "a-test",
    "status": "draft",
    "content": "<h1>booM</h1>",
    "title": "A Test"
}

When we send POST requests to the https://example.com.au/dev/wp-json/wp/v2/pages endpoint we receive the following:

HTTP/1.1 401 Unauthorized
Connection: close
X-Powered-By: PHP/7.4.22
Content-Type: application/json; charset=UTF-8
Content-Length: 153
Date: Thu, 02 Sep 2021 09:15:40 GMT
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000

{
  "status": "error",
  "error": "INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE",
  "code": "401",
  "error_description": "Authorization header must be type of Basic Token."
}

There are a number of confusing things here, not least being that we have Authorization: Basic WeAreNotAllowedToShowYouThisString but we're receiving Authorization header must be type of Basic Token.

Has anyone seen anything like this and if so, what did you do to solve it? (We have written to miniOrange too.)