In WHMCS 7.2 and later, you can generate unique API authentication credentials. This allows for better management and security for provisioning access to API connected devices and systems.

For more information about using the WHMCS API, see our API documentation.

Managing API Roles

To manage admin API authentication roles in the Admin Area, go to Configuration () > System Settings > Manage API Credentials or, prior to WHMCS 8.0, Setup > Staff Management > Manage API Credentials.

Creating Admin API Roles

To create an admin API role:

1. Go to Configuration () > System Settings > Manage API Credentials or, prior to WHMCS 8.0, Setup > Staff Management > Manage API Credentials.
2. Click Create API Role to open the Role Management modal.
3. Enter a role in the Role Name section.
4. Check the desired API permissions.
5. Optionally, enter a description.

Managing API Credentials

To manage admin API authentication credentials, go to Configuration () > System Settings > Manage API Credentials or, prior to WHMCS 8.0, Setup > Staff Management > Manage API Credentials.

Creating Admin API Authentication Credentials

To create new admin API authentication credentials:

1. Go to Configuration () > System Settings > Manage API Credentials or, prior to WHMCS 8.0, Setup > Staff Management > Manage API Credentials.
2. Click Generate New API Credential to open the Generate New API Credential modal.
3. Select the admin who the new credential will authenticate.
4. Optionally, enter a description.
5. Click Generate to provision a unique API credential for the selected admin. The credential identifier and secret will display.
   • These two values should be used in leu of the admin's username and password for API authentication.
   • To the right of each value is a quick copy button for your convenience.
     You must copy the Secret value at this time. If you lose this, you will need to generate a new credential pair.
6. Click the X at the top right corner to exit.

The new API credential will appear in the list.

You may create as many API credential pairs for an admin as you require. You may remove any credential pair to invalidate access and authentication attempts that are received with that Identifier.

Furthermore, you may alter the admin's login password freely without invalidating credentials provisioned by this feature. If you disable or remove entirely an admin user, any associated API credentials will become invalid. As noted above, if your copy of the Secret is forgot or otherwise unknown, simply create a new API credential pair, then use the freshly generated Identifier and Secret in your integration. We advise you promptly delete the former credential pair whose secret is unknown

Updating Credential Descriptions

You may update the description and associated API Roles at any time. Find the credential you wish to edit in the table list. Click the associated edit button (depicted by a pencil icon) to open the Credential Management dialog screen.

You may update just the description for a credential at any time directly in the description field of the table. This field is provided to enable effective management of multiple credentials associated with a given admin users and for your contextual use.

To simply update a description, locate the desired credential by utilizing the API Credential table's search function and/or by using column sorting & pagination. Once you have found the credential, click the current description to active the editor.

Once you have typed in the new description, click the check button to the immediate right.

Removing Admin API Authentication Credentials

You may revoke API authentication by removing a generated credential.

To remove a authentication with a given credential, locate the desired credential by utilizing the API Credential table's search function and/or by using column sorting and pagination. Once you have found the credential to be removed, click the delete button found in the right most column of that row.

A confirmation dialog screen will be presented. Click the Delete Credentials button to permanently remove the credential.