Extension:Third party session verification

The third party session verification extension allows other backend services to verify that a user is logged in.

Getting a token
Your user receives a token by making a request to.

Or, using the MediaWiki JavaScript API:

The response has the form:

Tokens are only given to logged-in users. The token encodes the user ID and the timestamp.

Verifying the token
Any service can now use the token to verify that a user is logged in. This extension does not prevent the same token from being verified multiple times, but you could keep track of used tokens in your backend.

There is no time limit for tokens, but the parameter  is returned, so your service can opt to refuse old tokens.

To verify a token, send it to. The response has the form:

You can now be certain that the user with the ID 392 was logged in when they said they were. You can now use API:Users to find information about the user with this user ID, such as their username and user rights.
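
The replay tracking and age limit suggested under "Verifying the token", implemented as a backend-side wrapper. This is an added example, not code from the extension: `verify_with_wiki` is a hypothetical callable that sends the token to the verification endpoint, and the `user_id` and `timestamp` (Unix seconds) result keys, the 300-second limit and the 30-second skew allowance are assumptions.

```python
import hashlib
import time

MAX_TOKEN_AGE = 300  # seconds; assumed policy value, choose per service
CLOCK_SKEW = 30      # seconds of tolerated drift between wiki and service


class TokenGate:
    """Wraps the wiki's verification call with replay and age checks."""

    def __init__(self, verify_with_wiki, max_age=MAX_TOKEN_AGE, clock=time.time):
        # verify_with_wiki (hypothetical): takes the token, asks the wiki to
        # verify it, and returns a dict with the assumed keys "user_id" and
        # "timestamp", or None when the wiki rejects the token.
        self._verify = verify_with_wiki
        self._max_age = max_age
        self._clock = clock
        self._seen = {}  # sha256(token) -> time until which it is remembered

    def check(self, token):
        """Return the verified user ID, or raise ValueError with the reason."""
        now = self._clock()
        # Forget tokens that the age check alone would already refuse.
        self._seen = {d: exp for d, exp in self._seen.items() if exp >= now}

        # Store a digest so the cache never holds a reusable token.
        digest = hashlib.sha256(token.encode()).hexdigest()
        if digest in self._seen:
            raise ValueError("token already used")

        result = self._verify(token)
        if not result:
            raise ValueError("wiki rejected token")

        age = now - result["timestamp"]
        if age > self._max_age:
            raise ValueError("token too old")
        if age < -CLOCK_SKEW:
            raise ValueError("token timestamp in the future")

        # Mark as used only after it passed every check.
        self._seen[digest] = result["timestamp"] + self._max_age
        return result["user_id"]
```

The cache is in-process memory, so a service running several workers needs a shared store with the same expiry rule.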