From WHMCS Documentation

AutoAuth was deprecated in WHMCS 7.10 and removed in WHMCS 8.1.

What is AutoAuth?

AutoAuth stands for Automatic Authentication and is a method that lets you automatically log a user in from your own trusted third-party code. For example, you might use it if you have another software on your website that clients already log in to, and, once they have logged in to that, you don't want them to have to reauthenticate separately to access WHMCS.

How does it work?

AutoAuth works by constructing a special URL to redirect the user to WHMCS, which WHMCS then verifies. If it is valid, it activates the user's login session in WHMCS automatically before redirecting the user to the page you specified in the link.

This skips the need to know the user's password to access the user's account. Only use it when you have already authenticated the user in your own application.

The security comes from having a key that is shared only between your own WHMCS installation and the third-party code you're making the request from, and only knowing that key allows an AutoAuth request to be constructed for WHMCS.

Enabling/Disabling AutoAuth

AutoAuth is disabled by default. Up to two actions must be taken to enable it, depending on the installed version of WHMCS. First, you will need to add the following line to your WHMCS configuration.php file to define an AutoAuth key. The value needs to be a randomly-generated sequence of letters and numbers:

$autoauthkey = "abcXYZ123";

Second, you must enable Allow AutoAuth in the Security tab at Configuration () > System Settings > General Settings (WHMCS 8.0) or, for WHMCS 7.10, Setup > General Settings > Security. This step doesn't apply to WHMCS 7.9 and older.

Using AutoAuth

To use AutoAuth, formulate a request like the example below. This must contain the user's email address, the timestamp of the time the request was generated, the AutoAuth hash, and, optionally, a goto parameter to specify where to send the user after successful authentication.


In this example, it would in as the client and take them to the homepage after login.

  • The email variable needs to be the email address for the client account you wish to log in to.
  • The timestamp must be within 15 minutes of the server time for AutoAuth to be accepted. Otherwise, the link is considered expired.
  • The AutoAuth hash is generated by performing an SHA-1 hash of the email, timestamp, and AutoAuth key you defined earlier in the WHMCS configuration.php file. This should appear as follows:

$hash = sha1($email.$timestamp.$autoauthkey);

Sample Script

The sample code below demonstrates how you can use AutoAuth in your external application to a log a user in to WHMCS:

 * WHMCS AutoAuth Demo Script
 *  Docs:
// Define WHMCS URL & AutoAuth Key
$whmcsurl = "";
$autoauthkey = "strong_auto_auth_key_goes_here";
$timestamp = time(); // Get current timestamp
$email = ''; // Clients Email Address to Login
$goto = 'clientarea.php?action=products';
$hash = sha1($email . $timestamp . $autoauthkey); // Generate Hash
// Generate AutoAuth URL & Redirect
$url = $whmcsurl . "?email=$email&timestamp=$timestamp&hash=$hash&goto=" . urlencode($goto);
header("Location: $url");