WHMCS API
The WHMCS API is organized around Representational State Transfer (REST) and is designed around the use of resources. It expects standard HTTP verbs like GET, POST, PUT, and DELETE and returns HTTP response codes and JSON-encoded responses. To get started with the API, make sure that your system is running at least WHMCS 9.0.0-rc.1 and that you have created product groups, products, and at least one user account.
Examples provided by this document use cURL, but you can make the API calls in any programming language.
For store and cart operations, use an X-Api-State header if a cart is associated with a logged-in user.
For example, a request with the X-Api-State header:
curl -X GET --location "https://example.com/api/v2/cart/TLlowSWlQjGkGrC1/totals" \
     -H "X-Api-State: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvd2htY3MtZGV2LnRlc3RcLyIsImF1ZCI6Imh0dHBzOlwvXC93aG1jcy1kZXYudGVzdFwvIiwiZXhwIjoxNjQ3NTYzMzI3LCJzdWIiOltdLCJ3aG1jc191c2VyIjoiMzlhNDA0NTFlOGE4NjhhZWI4NjExYzEwNGE5OTYwMzk2NmM2MmIyMzg0YWYyYjc4OWJhOGU2YmYxYWVhYjMzYSJ9.B4-Ug6AcVCI52woiW9dF_ylYZXf57e32RSk_7S78Z9M"
With payload:
curl -X POST --location "https://example.com/api/v2/cart/6isLR0SAB0TbCiws/promotion" \
     -H "Content-Type: application/json" \
     -H "X-Api-State: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvd2htY3MtZGV2LnRlc3RcLyIsImF1ZCI6Imh0dHBzOlwvXC93aG1jcy1kZXYudGVzdFwvIiwiZXhwIjoxNjQ3MzkyODM1LCJzdWIiOltdLCJ3aG1jc191c2VyIjoiMzlhNDA0NTFlOGE4NjhhZWI4NjExYzEwNGE5OTYwMzk2NmM2MmIyMzg0YWYyYjc4OWJhOGU2YmYxYWVhYjMzYSJ9.LfYOrxW5OOtdcfyDOuIa6B0dTytYROMrccqpywxvAB8" \
     -d "{\"code\":\"CARTAPI\"}"
To log in, you must include the user's email address and password.
For example:
curl -X POST --location "https://example.com/whmcs/api/v2/user/session" \
     -H "Content-Type: application/json" \
     -d "{\"email\":\"[email protected]\",\"password\":\"pwd123456\"}"
If the user has enabled Two-Factor Authentication, send an additional request to verify the Two-Factor Authentication token before authenticating the user.
For example:
curl -X POST --location "https://example.com/whmcs/api/v2/user/session/verify" \
     -H "Content-Type: application/json" \
     -H "X-Api-State: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvd2htY3MtZGV2LnRlc3RcLyIsImF1ZCI6Imh0dHBzOlwvXC93aG1jcy1kZXYudGVzdFwvIiwiZXhwIjoxNjQ3NDQwMzc5LCJzdWIiOiI1MzJlZmM4ZmI5NzA2NDQ4ZDZkMDMwMTc1ZmFlY2U3N2QxN2E5OGRjN2FkNTZlZWZhZmZjYTRmNzY2ZDJiZjE4In0.Igj9Kby5FR5m4w03x92NwuKviCLRQBQUaLbaXTqQ9kc" \
     -d "{\"fields\":{\"key\":\"417339\"}}"
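The X-Api-State values in the requests above are compact JWTs whose header decodes to HS256. The following is an added example, not part of the WHMCS documentation: it decodes such a token on the client to check its expiry before reuse and produces a log-safe fingerprint so the raw value never reaches log files. The function names are hypothetical, and the signature is not verified because that requires the server's key.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# X-Api-State value copied from the first cart example on this page.
PAGE_TOKEN = ".".join([
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9",
    "eyJpc3MiOiJodHRwczpcL1wvd2htY3MtZGV2LnRlc3RcLyIsImF1ZCI6Imh0dHBzOlwvXC93aG1jcy1kZXYudGVzdFwvIiwiZXhwIjoxNjQ3NTYzMzI3LCJzdWIiOltdLCJ3aG1jc191c2VyIjoiMzlhNDA0NTFlOGE4NjhhZWI4NjExYzEwNGE5OTYwMzk2NmM2MmIyMzg0YWYyYjc4OWJhOGU2YmYxYWVhYjMzYSJ9",
    "B4-Ug6AcVCI52woiW9dF_ylYZXf57e32RSk_7S78Z9M",
])

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_state(token, now):
    """Decode header and claims WITHOUT verifying the signature.

    Verification needs the server-side HS256 key, so use the result for
    diagnostics and expiry checks only, never as authenticated data.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a three-part compact JWT")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    exp = claims.get("exp")
    if not isinstance(exp, int):
        raise ValueError("missing or non-integer exp claim")
    return {
        "alg": header.get("alg"),
        "iss": claims.get("iss"),
        "aud": claims.get("aud"),
        "expires": datetime.fromtimestamp(exp, timezone.utc).isoformat(),
        "expired": now >= exp,
    }

def redact_state(token):
    """Log-safe form: a short SHA-256 fingerprint instead of the token."""
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    return f"X-Api-State: <redacted sha256:{digest[:12]}>"

if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    print(inspect_state(PAGE_TOKEN, now))
    print(redact_state(PAGE_TOKEN))
```

The sample token's exp claim lies in March 2022, so a current run reports it as expired.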