Jump to content

API:Account creation/pre-1.27

From mediawiki.org

Creating accounts[edit]

You can create accounts using the API. This can be a new account for yourself, or you can create an account for someone else, with a random password mailed to that person. Account creations are recorded in Special:log/newusers. If you're logged in, your username will also be recorded when creating an account.


  • name: User name.
  • password: Password (ignored if mailpassword is set).
  • domain: Domain for external authentication.
  • token: Account creation token obtained in first request.
  • email: Email address of user (required if either mailpassword or $wgEmailConfirmToEdit are set).
  • realname: Real name of user. Many wikis have realname disabled via $wgHiddenPrefs . To check whether realname is enabled or not, request api.php?action=query&meta=userinfo&uiprop=realname. If you get no realname property back in the response, realname is a hidden preference.
  • mailpassword: If set to any value, a random password will be generated and e-mailed to the user (instead of using the password parameter).
  • reason: Reason for creating the account. Will be shown in the account creation log (example).
  • language: Language code to set as default for the user.

Extended parameters when used with Extension:ConfirmEdit (except ReCaptcha):

  • captchaid: Previously-provided CAPTCHA ID to send with followup request, if captcha was required.
  • captchaword: User-provided answer of CAPTCHA to send with followup request, if captcha was required.


To create an account, a token is required. To retrieve a token, you make the request that you want, except with the token field being an empty string. Once you retrieve the token, you make the request again with the token filled in. This is similar to how the log in module works. See the example below for details.

Unlike most API Tokens, create account tokens will only work for one request. After creating an account with this module, you need a new token before you can create another account (The success message will contain such a token)


Note: In this example, all parameters are passed in a GET request just for the sake of simplicity. However, action=createaccount requires POST requests; GET requests will cause an error.

Step 1: Retrieve token to create an account for GymBeauWhales

We should now receive a response like:

    "createaccount": {
        "result": "NeedToken", 
        "token": "387bc54bd0ec29333178800ce4213306"
If you get an error about "newcookiesfornew", it is due to a bug in early versions of 1.21. Repeating the request should fix that

We take the token given here, and add it to the request:

Step 2: Actually create GymBeauWhales account

Assuming everything works, we should get a result like:

    "createaccount": {
        "result": "Success", 
        "token": "387bc54bd0ec29333178800ce4213306", 
        "userid": 1234, 
        "username": "GymBeauWhales"

And GymBeauWhales@example.com would get an email with instructions on how to log in.


When used with Extension:ConfirmEdit, a CAPTCHA may be presented for new account creations. This is supported via extension in the API here.

When submitting per the above rules and receiving a response, you may also receive a captcha node in the return data, similar to what is sometimes returned by action=edit.

For a text-based CAPTCHA:

  "createaccount": {
    "result": "NeedCaptcha",
    "captcha": {
      "type": "simple",
      "mime": "text/plain",
      "id": "323035635",
      "question": "77+5"

For an image-based CAPTCHA:

  "createaccount": {
    "result": "NeedCaptcha",
    "captcha": {
      "type": "image",
      "mime": "image/png",
      "id": "1147869849",
      "url": "/core/index.php?title=Special:Captcha/image&wpCaptchaId=1147869849"

Be aware that the URL may be site-relative or protocol-relative.

When you receive such a response, you need to submit a third response, which is similar to the one submitted in step 2 but contains the necessary responses. By default, you should return the captcha id in the captchaid parameter, and the value (solution) of the captcha in the captchaword parameter, however some captcha modules, like ReCaptcha, use different parameters. Check the module's documentation for specifics.

As of the current code (see [1]) you won't receive the captcha prompt response until after basic validation errors have been taken care of.

Possible outputs[edit]

The result value can have one of three values (n.b., values are lower-case prior to 1.23):

  • NeedToken: A token is needed. A token parameter should also be set with a token to use.
    { "createaccount": { "result": "NeedToken", "token": "8217b293a6bd0bba84cc1cb661a06a5d" } }
    • If you get a NeedToken result when you are expecting a success result, make sure the token you are sending is correct, and that you are sending along any cookies sent by the API.
  • Success: Everything worked
    { "createaccount": { "result": "Success", "token": "8217b293a6bd0bba84cc1cb661a06a5d", "userid": 1234, "username": "Foo" } }
  • Warning: Not used in core, however extensions can (in theory) add warnings, in which case the result attribute will be warning. However, this still generally means the account was created successfully.

Possible errors[edit]

All errors are formatted as:

    "error": {
        "code": "code", 
        "info": "info"

Many of the info codes to this module correspond to system messages. As a result the info part may change and in particular will vary with language.

Code Info
nocookiesfornew The user account was not created, as we could not confirm its source. Ensure you have cookies enabled, reload this page and try again.
Note: This code is sometimes returned due to a bug in early versions of MediaWiki 1.21. If you receive this error, retrying the request (ensuring cookies are sent) should fix.
sorbs_create_account_reason Your IP address is listed as an open proxy in the DNSBL .
noname You have not specified a valid username
userexists Username entered already in use
password-name-match Your password must be different from your username.
password-login-forbidden The use of this username and password has been forbidden
noemailtitle No email address
invalidemailaddress The e-mail address cannot be accepted as it appears to have an invalid format
externaldberror There was either an authentication database error or you are not allowed to update your external account
passwordtooshort The password was shorter than the value of $wgMinimalPasswordLength
noemail There is no e-mail address recorded for user
mustbeposted The createaccount module requires a POST request
acct_creation_throttle_hit Visitors to this wiki using your IP address have created $1 accounts in the last day, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment.
wrongpassword Incorrect password entered. Please try again.
Note: Can be caused by the "domain" field being incorrect.
aborted Aborted by an extension (info will have more details)
blocked You cannot create a new account because you are blocked
permdenied-createaccount You do not have the right to create a new account
createaccount-hook-aborted An extension aborted the account creation
captcha-createaccount-fail (With Extension:ConfirmEdit and old core) Submitted CAPTCHA answer was incorrect


To disable specifically this API feature, insert the following line in your configuration file:

$wgAPIModules['createaccount'] = 'ApiDisabled';

See also[edit]

action=createaccount (create)

(main | createaccount)
  • This module requires write rights.
  • This module only accepts POST requests.
  • Source: MediaWiki
  • License: GPL-2.0-or-later

Create a new user account.

The general procedure to use this module is:

  1. Fetch the fields available from action=query&meta=authmanagerinfo with amirequestsfor=create, and a createaccount token from action=query&meta=tokens.
  2. Present the fields to the user, and obtain their submission.
  3. Post to this module, supplying createreturnurl and any relevant fields.
  4. Check the status in the response.
    • If you received PASS or FAIL, you're done. The operation either succeeded or it didn't.
    • If you received UI, present the new fields to the user and obtain their submission. Then post to this module with createcontinue and the relevant fields set, and repeat step 4.
    • If you received REDIRECT, direct the user to the redirecttarget and wait for the return to createreturnurl. Then post to this module with createcontinue and any fields passed to the return URL, and repeat step 4.
    • If you received RESTART, that means the authentication worked but we don't have a linked user account. You might treat this as UI or as FAIL.
Specific parameters:
Other general parameters are available.

Only use these authentication requests, by the id returned from action=query&meta=authmanagerinfo with amirequestsfor=create or from a previous response from this module.

Separate values with | or alternative.
Maximum number of values is 50 (500 for clients that are allowed higher limits).

Format to use for returning messages.

One of the following values: html, none, raw, wikitext
Default: wikitext

Merge field information for all authentication requests into one array.

Type: boolean (details)

Preserve state from a previous failed login attempt, if possible.

If action=query&meta=authmanagerinfo returned true for hasprimarypreservedstate, requests marked as primary-required should be omitted. If it returned a non-empty value for preservedusername, that username must be used for the username parameter.

Type: boolean (details)

Return URL for third-party authentication flows, must be absolute. Either this or createcontinue is required.

Upon receiving a REDIRECT response, you will typically open a browser or web view to the specified redirecttarget URL for a third-party authentication flow. When that completes, the third party will send the browser or web view to this URL. You should extract any query or POST parameters from the URL and pass them as a createcontinue request to this API module.


This request is a continuation after an earlier UI or REDIRECT response. Either this or createreturnurl is required.

Type: boolean (details)

A "createaccount" token retrieved from action=query&meta=tokens

This parameter is required.
This module accepts additional parameters depending on the available authentication requests. Use action=query&meta=authmanagerinfo with amirequestsfor=create (or a previous response from this module, if applicable) to determine the requests available and the fields that they use.