API:Login

From MediaWiki.org
This page is part of the MediaWiki API documentation.

When using MediaWiki's web service API, you will probably need your application or client to log in. This involves submitting a login query, constructing a cookie, and confirming the login by resubmitting the login request with the confirmation token returned.

Whether to log in

Your client will need to log in to MediaWiki if:

  • it needs to obtain information or carry out an action that is restricted to users with certain rights
  • it is making large queries that would be inefficient without the higher per-request limits reserved for accounts with certain rights

On wikis that allow anonymous editing, it's possible to edit through the API without logging in, but it's highly recommended that you do log in. On private wikis, logging in is required to use any API functionality.

For the technical details concerning logging in, see the login manual page.

If your client is written in JavaScript, it'll usually act with the credentials of the user who's running it. In this case, you won't need to log in using the web service API; you'll just need to ensure that the user has logged in through the web interface.

Application-specific user accounts

Rather than having your application log in as yourself, you may want to create a separate user account just for your application. This is especially important if your application:

  • is carrying out automated editing or some other bulk operation.
  • invokes large or performance-intensive queries.

With a separate account, the changes made by your application can be easily tracked, and special rights (usually a "bot" user group) can be applied to the application's account. Some wikis have a policy related to automated editing, and/or a procedure for dealing with "bot" user group requests.

Logging in yields several tokens that the server needs in order to recognize the logged-in user. The cookie set by this request must be passed in every call to api.php. The cookies last for around a month, so you should log in when you detect that you're not logged in (rather than logging in once per session, for example).

How to log in

Logging in through the API requires submitting a login query and constructing a cookie (many frameworks will construct the cookie automatically). In MediaWiki 1.15.3+, you must confirm the login by resubmitting the login request with the token returned.

Structure of login request

Send a login request using POST (GET requests will cause an error).

This request will also return a session cookie in the HTTP header (Set-Cookie: enwiki_session=17ab96bd8ffbe8ca58a78657a918558e; path=/; domain=.wikipedia.org; HttpOnly). You have to send this cookie back with the second request if your framework does not do this automatically. The sessionid parameter is available in MediaWiki 1.17 and later. Note that you need to supply the parameter format=xml if MediaWiki returns HTML instead of XML.

You might need to add the query parameter lgdomain, containing your domain name for authentication, if you're using an authentication plug-in like Extension:LDAP Authentication.

Confirm token

If the response to the above query was Success instead of NeedToken, you can skip this step. (This extra step was added in MediaWiki 1.15.3.) In MediaWiki 1.15.4, the first phase of login in ApiLogin.php is broken, so the login/sessionid parameter is not returned and token confirmation is impossible. As a quick workaround, apply the ApiLogin.php file from MediaWiki 1.15.5 to your installation while you plan your upgrade to 1.15.5. ApiLogin.php from MediaWiki 1.16+ is incompatible with MediaWiki 1.15.3+.

Send a login request with POST, with the confirmation token in the body and the login token in the header, as returned from the previous request.

Construct cookies

A successful action=login request will set session cookies. Many frameworks will handle these cookies automatically (such as the cookiejar in cURL); if not, you will have to create them yourself.

If your wiki is not using the CentralAuth extension, you can construct them from the data returned as follows:

In the example above, you'd set the following cookie from the first request and send it for the second request:
  • enwiki_session = 17ab96bd8ffbe8ca58a78657a918558e (from the HTTP cookie enwiki_session)
Additionally, after logging in successfully, you have to set:
  • enwikiUserName = Bob (from the lgusername field)
  • enwikiUserID = 12345 (from the lguserid field)
  • enwikiToken = 4db760e273b413549a32ba4eb06d08db (from the lgtoken field)
Note that the enwiki part is different for every wiki, and is returned in the cookieprefix field.

When CentralAuth is enabled, as on Wikimedia wikis, the above method will only work on a single wiki. If you would like to use Single-User-Login to be logged in on all wikis, the only usable option is to also parse the Set-Cookie: headers manually and create additional cookies, instead of just accepting the cookies that the response sets (which are set only for the single wiki).

CentralAuth SUL Login

  • Log in as usual.
  • From the headers (especially from the second response), accept the cookies that it wants to set. Typically there are 6 cookies being set; for example, on Wikimedia Commons: commonswiki_session, centralauth_User, centralauth_Token, centralauth_Session, commonswikiUserID and commonswikiUserName. This part is usually covered by frameworks such as cURL with a cookiejar.
  • Now you have to parse the cookies by looking for the centralauth_ cookies and adding additional entries for all other wikis that CentralAuth covers in your setup.
    In the case of Wikimedia the cookie should be duplicated and added for following domains:
    • .wikipedia.org
    • .meta.wikimedia.org
    • .wiktionary.org
    • .wikibooks.org
    • .wikiquote.org
    • .wikisource.org
    • .commons.wikimedia.org
    • .wikinews.org
    • .wikiversity.org
    • .mediawiki.org
    • .wikidata.org
    • .species.wikimedia.org
    • .incubator.wikimedia.org
    • .wikivoyage.org
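
The cookie construction described in the two sections above, as an added Python example that is not part of the original page or of MediaWiki's own code. The function names and the centralauth_ header values are constructed for illustration; the enwiki_session header and the login field values are the page's own example.

```python
from http.cookies import SimpleCookie

def parse_set_cookie(headers):
    """Map cookie name -> value from a list of Set-Cookie header values."""
    found = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        found.update((name, morsel.value) for name, morsel in jar.items())
    return found

def local_cookies(login, headers):
    """Cookies for a single wiki, built as the page describes: the session
    value from the Set-Cookie header, the rest from the login reply fields."""
    prefix = login["cookieprefix"]          # "enwiki" here; differs per wiki
    return {
        prefix + "_session": parse_set_cookie(headers)[prefix + "_session"],
        prefix + "UserName": login["lgusername"],
        prefix + "UserID": login["lguserid"],
        prefix + "Token": login["lgtoken"],
    }

def sul_cookies(headers, domains):
    """Duplicate only the centralauth_* cookies for each covered domain.
    Wiki-local cookies stay scoped to the wiki that set them."""
    central = {n: v for n, v in parse_set_cookie(headers).items()
               if n.startswith("centralauth_")}
    return [(d, n, v) for d in domains for n, v in sorted(central.items())]

# Constructed sample input. These values are session credentials on a real
# wiki, so keep them out of logs and world-readable cookie files.
HEADERS = [
    "enwiki_session=17ab96bd8ffbe8ca58a78657a918558e; path=/; domain=.wikipedia.org; HttpOnly",
    "centralauth_User=Bob; path=/; domain=.wikipedia.org; HttpOnly",
    "centralauth_Token=constructed-token-value; path=/; domain=.wikipedia.org; HttpOnly",
    "centralauth_Session=constructed-session-value; path=/; domain=.wikipedia.org; HttpOnly",
]
LOGIN = {"cookieprefix": "enwiki", "lgusername": "Bob", "lguserid": "12345",
         "lgtoken": "4db760e273b413549a32ba4eb06d08db"}

if __name__ == "__main__":
    print(local_cookies(LOGIN, HEADERS))
    for row in sul_cookies(HEADERS, [".wikipedia.org", ".wikidata.org"]):
        print(row)
```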

Errors

Errors are returned in the result field. Possible values are:

  • NoName
    • You didn't set the lgname parameter
  • Illegal
    • You provided an illegal username
  • NotExists
    • The username you provided doesn't exist
  • EmptyPass
    • You didn't set the lgpassword parameter or you left it empty
  • WrongPass
    • The password you provided is incorrect
  • WrongPluginPass
    • Same as WrongPass, returned when an authentication plugin rather than MediaWiki itself rejected the password
  • CreateBlocked
    • The wiki tried to automatically create a new account for you, but your IP address has been blocked from account creation
  • Throttled
    • You've logged in too many times in a short time. See also throttling
  • Blocked
    • User is blocked
  • mustbeposted
    • The login module requires a POST request
  • NeedToken
    • Either you did not provide the login token or the sessionid cookie. Request again with the token and cookie given in this response

Throttling

For security reasons, this module is throttled. By default, you can log in 5 times in 300 seconds, but this may vary from one wiki to another. When you exceed this limit, your login will fail (even if it's otherwise correct) with result="Throttled" and the number of seconds you need to wait in the wait field.
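
The two-step login from "How to log in" combined with the Throttled handling described above, as an added Python example that is not part of the original page or of MediaWiki's own code. The post callable, the LoginError class and the fake server with its token value are assumptions constructed so the block runs offline; the token attribute name on the NeedToken reply is also assumed, since the page's sample response is not shown.

```python
import time
import xml.etree.ElementTree as ET

class LoginError(Exception):
    """Carries the API's result value; never the password."""

def api_login(post, name, password, domain=None, max_wait=300, sleep=time.sleep):
    """Log in via action=login. `post(params) -> str` is a caller-supplied
    (hypothetical) transport: it must POST to api.php, keep the session
    cookie between calls, and return the XML response body."""
    base = {"action": "login", "format": "xml",
            "lgname": name, "lgpassword": password}
    if domain:
        base["lgdomain"] = domain          # e.g. for LDAP authentication
    params = dict(base)
    for _ in range(3):                     # bounded: never loop on a bad reply
        node = ET.fromstring(post(params)).find("login")
        if node is None:
            raise LoginError("no login element in response")
        result = node.get("result")
        if result == "Success":
            return dict(node.attrib)
        if result == "NeedToken" and "lgtoken" not in params:
            params = dict(base, lgtoken=node.get("token"))   # confirm step
        elif result == "Throttled" and int(node.get("wait", max_wait + 1)) <= max_wait:
            sleep(int(node.get("wait")))   # back off for the server's wait value
        else:
            raise LoginError(result)       # WrongPass, Blocked, ...
    raise LoginError("gave up after repeated NeedToken/Throttled replies")

def make_fake_wiki(good_password="correct horse"):
    """Constructed stand-in for api.php so the example runs offline."""
    calls = []
    def post(params):
        calls.append(dict(params))
        if params.get("lgtoken") != "constructed-token":
            return ('<api><login result="NeedToken" token="constructed-token" '
                    'cookieprefix="enwiki"/></api>')
        if params["lgpassword"] != good_password:
            return '<api><login result="WrongPass"/></api>'
        return ('<api><login result="Success" lguserid="12345" '
                'lgusername="Bob" cookieprefix="enwiki"/></api>')
    return post, calls

if __name__ == "__main__":
    post, calls = make_fake_wiki()
    print(api_login(post, "Bob", "correct horse")["result"], len(calls))
```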

Examples