Difference between revisions of "OAuth"

From WHMCS Documentation

(Created page with "<div class="docs-alert-info">OAuth is an open protocol we support in WHMCS for allowing third-party applications to obtain limited access to the WHMCS service on behalf of use...")
 
(More Information)
Line 20: Line 20:
 
==More Information==
 
==More Information==
  
For more information, please refer to our [[OpenID Connect User Guide]] and [[OpenID Connect Developer Guide]].
+
For more information, please refer to our [[OpenID Connect|OpenID Connect User Guide]] and [[OpenID Connect Developer Guide]].
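Review bot: only the first link on the changed line is converted to a piped link ([[OpenID Connect|OpenID Connect User Guide]]); [[OpenID Connect Developer Guide]] on the same line keeps its bare page title. If the User Guide now lives at "OpenID Connect", confirm that the Developer Guide title still resolves, and pipe it the same way if that page was renamed too.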

Revision as of 17:24, 25 November 2015

OAuth is an open protocol we support in WHMCS for allowing third-party applications to obtain limited access to the WHMCS service on behalf of users.

If you have an app or service that needs to interact with WHMCS on behalf of your users, you need to use OAuth. WHMCS uses OAuth 2, an open specification, which allows users to authenticate with WHMCS both to verify their identity and to give your app permission to access their data.

Once authorization is completed by a user, the OAuth process returns an access token to your app. The access token is a string generated by the WHMCS instance that you'll need to send with each subsequent API request to uniquely identify both your app and the end user.

There are several reasons we use OAuth. Most importantly, your app doesn't need to store or transmit the user's WHMCS password. OAuth also allows the user to authorize only a limited set of permissions, and the user may revoke access at any time. This makes OAuth a more secure form of API authorization for your users.

OAuth 2 Workflow

Here's how the process works.

  1. The user presses a "Connect to WHMCS" button inside your app.
  2. Your app redirects the user to the WHMCS installation.
  3. The user logs into WHMCS and authorizes your app to access their WHMCS account using the permissions your app has requested.
  4. After the user approves your app, they'll be redirected back to your app with an authorization code.
  5. Your app can then use this authorization code to make a request for a re-usable access token which can be used to make subsequent requests to the WHMCS API. This takes place in the background and should not be visible to end users.

More Information

For more information, please refer to our OpenID Connect User Guide and OpenID Connect Developer Guide.