If you have an app or service that needs to interact with WHMCS on behalf of your users, you need to leverage OAuth. WHMCS uses OAuth 2, an open specification, which allows users to authenticate with WHMCS to both verify their identity and give your app permission to access their data.
Once authorization is completed by a user, the OAuth process returns an access token to your app. The access token is a string generated by the WHMCS instance that you'll need to send with each subsequent API request to uniquely identify both your app and the end user.
There are several reasons we use OAuth. Most importantly, your app doesn't need to store or transmit the user's WHMCS password. OAuth also allows the user to authorize only a limited set of permissions, and the user may revoke access at any time. This makes OAuth a more secure form of API authorization for your users.
Typical OAuth/OpenID Connect Workflow
Here's how the process works.
- The user presses a "Connect to WHMCS" button inside your app.
- Your app redirects the user to the WHMCS installation.
- The user logs into WHMCS and authorizes your app to access their WHMCS account using the permissions your app has requested.
- After the user approves your app, they'll be redirected back to your app with an authorization code.
- Your app can then use this authorization code to request a reusable access token, which can be used to make subsequent requests to the WHMCS API. This takes place in the background and should not be visible to end users.
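The app's side of the steps above, as an added example that is not WHMCS's own code: it builds the redirect, checks the callback, and prepares the background token request. The host names, endpoint paths, client ID and scope values are placeholder assumptions, and the `state` parameter is the standard OAuth 2 anti-forgery value, which this page does not mention.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholders: use the endpoints and credentials of your own WHMCS installation.
AUTHORIZE_URL = "https://whmcs.example.com/oauth/authorize.php"
TOKEN_URL = "https://whmcs.example.com/oauth/token.php"
CLIENT_ID = "EXAMPLE-CLIENT-ID"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def build_authorize_redirect(scope="openid profile email"):
    """Redirect step: return (url, state). Store state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,  # assumed scope names; request only what the app needs
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Callback step: validate the redirect back and return the authorization code."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the callback is not from this session.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code, client_secret):
    """Token step: form body for the server-side POST to TOKEN_URL."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in the redirect
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

Keep the client secret and the token request on your server; only the authorization redirect and the callback pass through the user's browser.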
How does authentication work?
All OAuth requests require a valid API Client Credential Identifier and Secret. Credentials for OpenID Connect can be created via the OpenID Connect admin interface. For Single Sign-On credentials, we recommend using the Provisioning Module API for Application Links. Alternatively, you can provision and manage OAuth Client Credentials via the WHMCS API.
The following API commands exist for interacting with OAuth/OpenID Connect credentials in WHMCS: