Search Our Database

Introduction

API tokens in WHM provide a secure and efficient way to authenticate API requests without relying on the root password. These tokens serve as credentials that grant controlled access to WHM’s API, allowing system administrators, developers, and automation tools to perform a wide range of administrative tasks programmatically. Using API tokens instead of traditional password-based authentication is a security best practice that also enables better permission management and auditing.

In WHM (WebHost Manager), API tokens can be generated for the root user or for reseller accounts, depending on the level of access required. Each token can be assigned a unique name and set of permissions. Once generated, tokens can be used in conjunction with WHM’s API 1 system to automate tasks such as creating accounts, suspending users, managing DNS zones, or interacting with packages.

API tokens are especially useful when integrating WHM with external systems like WHMCS, billing platforms, CI/CD pipelines, or server orchestration tools. They also offer improved security by supporting token revocation and logging, and by minimizing the need to expose the root password in automated scripts.

This guide provides a step-by-step walkthrough on how to generate a new API token in WHM and how to use it to authenticate API requests. It covers token creation through the WHM interface, formatting requests with curl, and best practices for token management.

Prerequisites

• WHM access as the root user or a reseller with API privileges.
• cPanel & WHM version 76 or higher (API tokens introduced in v76).
• Outbound internet connectivity (for remote API usage).
• Familiarity with basic command-line tools such as curl.

Step-by-step Guide

Step 1: Log in to WHM

Access your WHM interface via a browser:

https://your-server-ip:2087

Log in using the root credentials or a reseller account with appropriate privileges.

Step 2: Navigate to the API Token Interface

In the left-hand search bar, type:

Manage API Tokens

Then click on Manage API Tokens under the Development section.

Step 3: Create a New API Token

1. Click on the Create button.
2. Enter a descriptive name for the token (e.g., whm_api_whmcs).
3. Optional: Specify an expiration date or IP restrictions for added security.
4. Click Save to generate the token.

Step 4: Use the API Token with curl

Use the following format to authenticate using the token:

curl -H 'Authorization: WHM root:YOUR_API_TOKEN' \
"https://your-server-hostname:2087/json-api/function_name?parameters"

Example: List all accounts

curl -H 'Authorization: WHM root:abc123APIexampleTOKEN' \
"https://your-server-hostname:2087/json-api/listaccts?api.version=1"

Example: Create a new account

curl -H 'Authorization: WHM root:abc123APIexampleTOKEN' \
"https://your-server-hostname:2087/json-api/createacct?username=newuser&domain=newdomain.com&plan=default&api.version=1"

Step 5: View, Revoke, or Regenerate Tokens

1. Go to Manage API Tokens in WHM.
2. Use the interface to revoke, rename, or set expiration for tokens.
3. To improve security, delete unused tokens periodically.

Step 6: Secure and Audit Token Usage

• Store tokens in environment variables or secure vaults (e.g., AWS Secrets Manager, HashiCorp Vault).
• Never hard-code tokens in public scripts.
• Review logs in WHM to monitor API usage.

Conclusion

API tokens in WHM offer a secure and flexible method for authenticating API requests without using the root password. This allows developers and administrators to safely integrate and automate hosting tasks while maintaining control and visibility over API access. Regular management and auditing of tokens further enhance server security.

Should you have any inquiries about the guidelines, please feel free to open a ticket through your portal account or contact us at support@ipserverone.com. We’ll be happy to assist you further.