Feature Requests

Multiple access keys (External API)

Katamaze shared this idea 7 years ago

WHMCS doesn't support multiple access keys, so you are forced to use a single access key for everyone (clients, apps, resellers, partners), which means that you can't allow them to use API functions at all because they'll have access to the entire system. This happens because WHMCS gives full administrative permissions to everyone who is using the API. So what's the point of the API system if you are forced to only use it for "root" stuff?


Let's say that I made an app to allow my customers to manage their domains. The enormous problem is that the WHMCS API system always runs with full administrative permissions, so a client could send API requests even for services and domains of other clients. Potentially he could unlock domains, get EPP codes and transfer them, download all invoices, see our balance, clients, servers, read, answer and close tickets, add and remove payments, create, suspend, unsuspend and terminate hosting, renew domains etc.

With a large amount of time spent on coding, I managed to skip this issue on top before the API functions get executed, but it would be relatively simple to include this function in WHMCS.

1) We simply need to apply filters and block certain commands, based on the specific access keys, before WHMCS executes them and sends XML/JSON responses. This can be done by allowing multiple access keys. Then with a relatively small amount of code we can apply "filters" to limit "root" permissions.

2) Later, WHMCS Staff could also consider creating an API management page inside the back-end. This page would be used to enable/disable certain commands for each individual access key. For example, you can enable only the "openticket" action for an app which is used just to send tickets, and "getinvoice, getinvoices, getclientsdetails" for your accountant or external billing software.
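
The per-key filter described in point 1, as an added example (not part of the original post and not WHMCS code): a gateway check that runs before a request is forwarded to the full-privilege API. The access keys, the policy table, the `authorize` function and the request field names `action` and `clientid` are assumptions made for illustration.

```python
import hashlib


def _digest(key: str) -> str:
    """Store and look up keys by SHA-256 digest so the table holds no raw secret."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed policy table: hypothetical access keys mapped to the actions they
# may call and, for per-client keys, the single client id they may act on.
POLICIES = {
    _digest("ticket-app-key"): {"actions": {"openticket"}, "client_id": None},
    _digest("accountant-key"): {
        "actions": {"getinvoice", "getinvoices", "getclientsdetails"},
        "client_id": None,
    },
    _digest("client-42-key"): {
        "actions": {"openticket", "getinvoices"},
        "client_id": 42,
    },
}


def authorize(access_key: str, request: dict) -> tuple[bool, str]:
    """Decide whether a request may be forwarded to the full-privilege API."""
    policy = POLICIES.get(_digest(access_key or ""))
    if policy is None:
        return False, "unknown access key"

    # Allowlist, not blocklist: anything not named for this key is refused.
    action = str(request.get("action", "")).lower()
    if action not in policy["actions"]:
        return False, f"action '{action}' not permitted for this key"

    bound = policy["client_id"]
    if bound is not None:
        # Per-client key: a missing or foreign client id is denied by default,
        # which is what stops one client acting on another client's records.
        try:
            requested = int(request.get("clientid"))
        except (TypeError, ValueError):
            return False, "clientid required for this key"
        if requested != bound:
            return False, "clientid does not belong to this key"
    return True, "ok"
```

A real gateway would also have to map each action to whichever parameter actually identifies the owner of the record, since that is what the ownership check must compare.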

Comments (2)


I need this feature also. Any updates?


Hi all,

Thanks for your suggestion and votes.

I'm pleased to advise that in version 7.2 we added API Authentication Credentials and API Roles which allow for fine-grained control over precisely which API commands can be run by a particular credential pair.

There is also a UI in the admin area under Setup > Staff Management > API Credentials for management of credentials and API permissions.