Cleantalk’s Security plugin (different from their Anti-Spam plugin) auto-blocks REST API requests by default. One toggle fixes it.
Allow authenticated REST API access
- Cleantalk → Security → Settings.
- Find REST API Authorization.
- Set it to Allow Authenticated.
Cowork Bridge authenticates every call with a license key bearer plus an Application Password handoff, so it qualifies as “Authenticated” — Cleantalk will let it through.
The Anti-Spam plugin
Cleantalk’s Anti-Spam plugin is fine — it only operates on comment and form submissions, not REST API traffic. No action needed there.