WP rest api returns 404 only when author param is used

I have a multisite wordpress installation on aws linux, working perfectly fine. The WP Rest api is also working exactly as it should. Except for one single case.

/wp-json/wp/v2/posts?author=<some int>

For everything else, including my custom endpoints, and custom params/fields added to the api, it works perfectly. But the moment i add the author part, it returns 404 on all sites. eg:

/wp-json/wp/v2/posts?author_exclude=1     //this works
/wp-json/wp/v2/posts?page=2               // this also works
/wp-json/wp/v2/posts?page=2&author=abc    // this also works and returns invalid author
/wp-json/wp/v2/posts?page=2&author=1      // this returns 404 page not found

From some of the other similar questions, I found that this issue could be due to permalinks, but I am using custom permalinks

sitename/%year%/%monthnum%/%day%/%author%/%category%/%postname%/

I have tried changing the permalink to no effect. Another solution I found is to change all the deny to allow in htaccess. I am not well-versed in htaccess, so i have not modified it for fear of causing some security issues.
As for other related info, I am also using jwt and disable rest api plugin(with only jwt endpoints enabled).

Any help would be appreciated, please.

I’m facing the same problem with a Multisite running Wordfence and JWT. I’m not sure if the solution here works for your case…

The following doesn’t work, it gives a 404 response. If we remove data.author it works without problem.

jQuery.ajax({
    url: 'https://example.com/wp-json/wp/v2/posts',
    method: 'POST',
    crossDomain: true,
    dataType: 'json',
    data: { 'author':'1', 'title':'Hello world', 'content':'lorem ipsum', 'status':'publish' },
    beforeSend: function ( xhr ) {
        xhr.setRequestHeader( 'Authorization', 'Bearer <token>' );
    },
    success: function( data, txtStatus, xhr ) {
        console.log( xhr.status, data );
    }
});

This does work but I don’t know why:

fetch( 'https://example.com/wp-json/wp/v2/posts', {
    method: 'POST',
    body: JSON.stringify( {
        author: '1',
        content: 'lorem ipsum',
        title: 'Nice, it works!',
        status: 'publish'
    } ),
    headers: {
        'Content-Type': 'application/json',
        Authorization: 'Bearer <token>'
    }
} )
.then( res => res.json() )
.then( res => console.log( res ) );

I had three issues with Wordfence:

• I couldn’t make application passwords work;
• if we have 2FA enabled, authentication doesn’t work;
  I solved both above using an Editor user without 2FA nor app password;
• finally, not being able to set the author that brought me to this question.