API Guide: Authentication
All API commands require prior authentication. To authenticate, use the auth command.
Once authenticated, the session remains valid until the user logs out or the session times out.
For server-side PHP scripts, api-sl.php provides a more secure alternative to the standard session-based approach. It accepts the etoken returned in the login response as an encrypted Bearer token in the Authorization header, avoiding plain session IDs in URLs. See Using the WMD SED API from a PHP Script for full details.
| Parameter | Notes |
|---|---|
| c | always set to auth |
| user | The user's login name. |
| pass | The password. |
| logout | Logout and close the session, valid only if already logged in and the session is valid. If this parameter is used, the name and password values are irrelevant and ignored. |
```
https://<install_path>/api.php?c=auth&user=name&pass=xxx
```
You will receive a response like
```json
{
  "status":"notok",
  "user":"",
  "group":"",
  "error":"Invalid name or password (1\/6)"
}
```
or
```json
{
  "status":"ok",
  "user":"setup-admin",
  "group":"",
  "error":"",
  "secondary":0,
  "userid":3,
  "admin":false,
  "fullname":"",
  "displayname":"Setup Admin @ Example Inc",
  "rights":1009,
  "lastsignin":"2026-04-16 09:20:48",
  "url":"https:\/\/<install_path>\/api.php",
  "etoken":"<encrypted token>"
}
```
The etoken field is returned on every successful login regardless of which entry point is used.
When calling api.php directly, the standard session cookie handles authentication for subsequent
requests and the etoken is not needed. When using api-sl.php for server-side PHP
scripts, pass the etoken as a Bearer token in the Authorization header on all
subsequent requests:
```
Authorization: Bearer <etoken value>
```
Note that the etoken has a short validity window of 2 seconds by default. It is intended as a
single-use delivery mechanism for the session ID and should be used immediately after login. This window is
adjustable by the administrator via the $api_sl_token_expiry setting in config.php.
See Using the WMD SED API from a PHP Script for details.
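
The api-sl.php flow described above, as an added PHP example (not WMD SED's own code): it extracts the etoken from a login response, fails on a notok status, and refuses to build the Authorization header once the default 2-second window has passed. The function names, the SAMPLE-TOKEN value and the client-side age check are assumptions; the server remains the authority on expiry.

```php
<?php
// Added example, not WMD SED code. Function names are hypothetical; the age
// check assumes the window is measured from when the login response arrives.
declare(strict_types=1);

const TOKEN_WINDOW = 2.0; // seconds; default $api_sl_token_expiry per this guide

/** Parse an auth response; return the etoken or throw with the API's error. */
function etoken_from_login(string $json): string
{
    $r = json_decode($json, true);
    if (!is_array($r) || ($r['status'] ?? '') !== 'ok') {
        $err = is_array($r) ? ($r['error'] ?? 'unknown error') : 'malformed JSON';
        throw new RuntimeException("login failed: $err");
    }
    if (!is_string($r['etoken'] ?? null) || $r['etoken'] === '') {
        throw new RuntimeException('login succeeded but no etoken returned');
    }
    return $r['etoken'];
}

/** Build the api-sl.php header, refusing a token older than the window. */
function bearer_header(string $etoken, float $receivedAt, ?float $now = null): string
{
    $age = ($now ?? microtime(true)) - $receivedAt;
    if ($age < 0 || $age >= TOKEN_WINDOW) {
        throw new RuntimeException(sprintf('etoken is %.1fs old; log in again', $age));
    }
    // Reject CR/LF so a corrupted token cannot add extra header lines.
    if (preg_match('/[\r\n]/', $etoken)) {
        throw new RuntimeException('etoken contains line breaks');
    }
    return 'Authorization: Bearer ' . $etoken; // pass via CURLOPT_HTTPHEADER
}

// Constructed sample responses, shaped like the two shown in this guide.
$ok    = '{"status":"ok","user":"setup-admin","error":"","etoken":"SAMPLE-TOKEN"}';
$notok = '{"status":"notok","user":"","group":"","error":"Invalid name or password (1\/6)"}';

$t0 = microtime(true); // moment the login response was received
echo bearer_header(etoken_from_login($ok), $t0), "\n";

foreach ([
    fn() => etoken_from_login($notok),                      // failed login
    fn() => bearer_header('SAMPLE-TOKEN', $t0, $t0 + 2.5),  // simulated 2.5 s delay
] as $case) {
    try { $case(); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
}
```

If the administrator has changed $api_sl_token_expiry in config.php, set TOKEN_WINDOW to the same value.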