Extension:CentralAuth/API

Tokens
CentralAuth introduces three new tokens, centralauthtoken, setglobalaccountstatus and deleteglobalaccount.

centralauthtoken
CentralAuth allows your code to authenticate on the foreign wiki as the user currently logged in on the local wiki using a central authentication token . Using those, one can make API calls to any wiki participating in the same single sign-on system, guaranteeing that the same associated account will be used for actions on both wikis even if the user is not logged in on the foreign wiki (doesn't have a session cookie for that domain).

First, acquire a token using  request to the local wiki. A token is only valid for a single request, and will become invalid after 10 seconds.

Then, pass the token to any CORS request to the foreign wiki via the  parameter. When making a POST CORS request, the parameter must be part of the preflight request and thus it must be in the URL, not the POST data. You can use the mediawiki.ForeignApi ResourceLoader module to handle this for you.

setglobalaccountstatus
The preferred method to obtain a setglobalaccountstatus token depends on the MediaWiki version:
 * Versions 1.24 and later: action=query&meta=tokens
 * Versions 1.20-1.23: action=tokens

deleteglobalaccount
The preferred method to obtain a deleteglobalaccount token depends on the MediaWiki version:
 * Versions 1.24 and later: action=query&meta=tokens
 * Versions 1.20-1.23: action=tokens