API:Login

MediaWiki API may require your application or client to provide authenticated user credentials and login for (a) querying information or data-modifying actions (b) making large queries with a higher request-per limit.

Two methods to authenticate
There are two ways to authenticate to the MediaWiki Action API:

Method 1. login
Bots and other non-interactive applications should use owner-only OAuth consumers if available as it is more secure. If not available or not applicable to the client, the  action may be used with bot passwords.

Method 2. clientlogin
Interactive applications such as custom editors or patrolling applications that provide a service without intending to fully replace the website or mobile apps that aim to completely replace access to the web-based user interface should use the   action.

However, one should prefer using  if it is available for authenticating the tool, as it is easier and more secure.

This module is available since MediaWiki 1.27.

POST request
Obtain token login in the request above via .

Example 2: Process for a wiki with special authentication extensions
A wiki with special authentication extensions such as  (captchas), ,  (two factor authentication), may have a more complicated authentication process.

Specific fields might also be required in that case, the description of which could be fetched from the  query.

Step 3: Two-factor authentication
Note: In certain cases it's possible to receive a  response, for example if the OpenID Connect extension had no mapping for the OpenID account to any local user. In this case the client might restart the login process from the beginning or might switch to account creation, in either case passing the loginpreservestate or createpreservestate parameter to preserve some state.

Additional notes

 * On wikis that allow anonymous editing, it's possible to edit through the API without logging in, but it's highly recommended that you do log in. On private wikis, logging in is required to ng or invoking large or performance-intensive queries. With that, it is easy to track changes made by the application and apply special rights to the application's account.
 * If you are sending a request that should be made by a logged-in user, add   parameter to the request you are sending in order to check whether the user is logged in. If the user is not logged-in, an <tvar|1> </> error code will be returned.
 * To check if an account has bot rights, add <tvar|1> </> parameter to the request. If the account does not have bot rights, an <tvar|1> </> error code will be returned.