Migration to API Token

[shazde]

Hi,

We have some plugins that use .accesshash file to authenticate as a user and make API calls.
The way this works is that if there is no .accesshash file in the user home directory we generate the file and then use the content to authenticate against WHM.

Unfortunately with whm 66 there .accesshash is now disabled and we have to use API Tokens.

I have checked all the documentation and it seems the only way to generate API token is to do that manually which is not helpful at all.

How can we generate API tokens on our WHM server for each one of the users automatically ?

 

[Travis]

Hello Shazde,

We deprecated Access Hashes because they had some security concerns we wanted to address.
You can generate an API Token through the API using the create api_token_create call:
WHM API 1 Functions - api_token_create - Software Development Kit - cPanel Documentation

A few big differences between the Access Hash system and the API Token are:

• Keys are no longer stored in plaintext
• Keys are no longer stored in the users home directory
• When a key is created the key is displayed just once. After which is stored in a nonreversible encrypted format. You will be unable to see the key again, so please store it somewhere safe.
• As of cPanel & WHM version 68, keys can be created with limited permissions (Manage API Tokens - Version 68 Documentation - cPanel Documentation)

I hope this helps solve your issues. Please feel free to let me know if you need additional help!

 

[shazde]

Hi Travis,

Thank you for your response. I have already checked that API and I do not think that does the job that we need unless I am missing something.

With that API call we can create token for another user if we are already logged/authenticated as that user.

What we need is a way for root user (which can already have its token setup manually) to create token for other users and then use those tokens to make API call as those users.

Unless there is a way to pass username to that api call which is not documented, I do not see how that can help.

Can you please suggest a way to achieve our objective (which I assume is needed for any serious whm development)

 

[cPanelMichael]

What we need is a way for root user (which can already have its token setup manually) to create token for other users and then use those tokens to make API call as those users.

Hi @shazde,

If i understand correctly, you'd like to first authenticate as "root" to create an API token for another user. To do this, you'd simply use the following WHM API 1 function while authenticated as the "root" user:

WHM API 1 Functions - api_token_create - Software Development Kit - cPanel Documentation

EX (this is through the command line but you could set this up in a script as well):

whmapi1 api_token_create token_name=subway

This will create a separate API token for use by another user (e.g. the reseller). Once you have the token, you can use it for API authentication. Here's a document with PHP and Perl examples on how to authenticate with the acquired API token:

Guide to API Authentication - API Tokens - Software Development Kit - cPanel Documentation

Keep in mind that you can only use API tokens with the following features at this time:

WHM API functions
DNS Clusters
Configuration Clusters

Thus, you can't authenticate with API tokens for the purpose of using UAPI or cPanel API 2 functions at this time, if that's your intention.

Thank you.

 

[shazde]

Hi @cPanelMichael,

Unfortunately that doesn't do the work.

When I run

whmapi1 api_token_create token_name=subway

I get a token that is only valid for root and I can only use it to make calls as root.

Making API calls with that token and changing the username the way it is suggested in that link does not work and get rejected.

 

[cPanelMichael]

Hello,

Upon testing, it's true the "whmapi1 api_token_create" WHM API 1 command is only usable by the "root" user, and thus you can't use this WHM API 1 function to create an API token for a reseller user. You'd need to access WHM as the reseller user and browse to "WHM Home » Development » Manage API Tokens" to create an API token for a reseller. I recommend opening a feature request for the ability to create API tokens via the command line as non-root users if that's the functionality you are seeking:

Submit A Feature Request

Thank you.

 

[luissquall]

Hi,

For anyone looking into this issue, someone open a feature request to add an username parameter to `api_token_create`: root to be able to manage all user's tokens with api_token functions

 

[shazde]

Unfortunately because of this cPanel API is no longer capable of doing most our automation needs and we had to stop upgrading cpanel versions.

This is a very serious issue that an option get deprecated and yet no alternative is provided.