This is a very simple "Hello world" program to show how to use OAuth. If you so desire, you may download this file. For a more end-user friendly version, look at enduser.php.


OAuth is a method for your application to act on behalf of a user on a website, without having to know the user's username and password. First your application is regisetered with the website, then you send the user to a special page on the website where they give your application permission, and then you provide special HTTP headers when accessing the website.

Creating your consumer

To be able to use OAuth in your application, you first need to register it as a consumer. To do this, you visit Special:OAuthConsumerRegistration on the OAuth central wiki. For WMF wikis, this is currently

On this page, you will fill out information required by your application. Most of the fields are straightforward. Of the rest:

After submitting your registration request, you will be returned a "consumer token" and a "secret token". In this Hello world program, these go in your ini file as consumerKey and consumerSecret. Note you can later update the Usage restrictions and Public RSA key, and can reset the secret token.

Your application must then be approved by someone with the "mwoauthmanageconsumer" user right.

Authorizing a user

When a new user wishes to use your application, they must first authorize it. You do this by making a call to Special:OAuth/initiate to get a request token, then send the user to Special:OAuth/authorize. If the user authorizes your app, the user will be redirected back to your callback URL with the oauth_verifier parameter set; you then call Special:OAuth/token to fetch the access token.

Deauthorizing a user

A user may revoke the authorization for the application by visiting Special:OAuthManageMyGrants on the OAuth central wiki.

Identifying a user

OAuth itself doesn't provide any way to reliably identify a user to the consumer. The MediaWiki OAuth extension can be queried for a JSON Web Token attesting to the identity of the authorized user.

Try it out!