
API Tokens for Remote Access in WHM

Create and manage WHM API Tokens to allow secure, password-less remote access or to enable API functionality for your server.

Introduction

WHM API Tokens allow remote systems and scripts to log in to your WHM server to perform administrative tasks without needing your root password. This is the modern, secure replacement for the legacy “Remote Access Key” system.

By configuring an API Token, you grant trusted external tools permission to manage your WHM server. For example, adding a valid token to your Liquid Web Account allows our system to automatically order, validate, and renew SSL certificates on your behalf.


Prerequisites

  • Root access to your WHM server.
  • The IP address of the remote system or application that will be connecting to your server (optional, but recommended for security restrictions).

Step-by-Step Instructions

Generating a New API Token

  1. Log in to WHM.
  2. Navigate to Development > Manage API Tokens. (You can also type “api” in the search bar at the top left.)
  3. Click the Generate Token button.
  4. Enter a descriptive name (e.g., “Liquid Web Dashboard” or “WHMCS Billing”).
  5. Optionally, you can restrict this token so it only works from specific IP addresses.
     No need to whitelist Liquid Web internal IPs
     Liquid Web’s internal management IPs are whitelisted by default; you do not need to add them here.
  6. Scroll down to the ACL (Access Control List) section to set the token’s permissions.
    • Limited Access: Check only the specific boxes required for your task.
    • Full Access: If this token is for general management (like the Liquid Web dashboard), you may need to check “Everything” at the top of the list.
  7. Click the Save button.
  8. Copy the Token immediately. A box will appear displaying your new 32-character string.
     Important: Copy Your Token Now
     This is the only time WHM will display the full token. Once you leave this page, you cannot retrieve it again. If you lose it, you will have to revoke it and generate a new one.
  9. Click Yes, I saved my token to finish.
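
How a remote script can present the saved token, shown as an added example (not Liquid Web's or cPanel's code): it sends the WHM API 1 `Authorization: whm root:<token>` header to port 2087 and keeps the token out of source code and logs. The environment variable names `WHM_API_TOKEN` and `WHM_HOST` and all helper function names are assumptions made for this example.

```python
import json
import os
import urllib.parse
import urllib.request

WHM_PORT = 2087  # WHM's TLS port


def load_token(env_var="WHM_API_TOKEN"):
    """Read the token from the environment (assumed variable name), not from source."""
    token = os.environ.get(env_var, "").strip()
    if len(token) != 32:  # the guide describes a 32-character string
        raise ValueError(f"{env_var} is unset or not a 32-character token")
    return token


def build_request(host, function, token, user="root", **params):
    """Build a WHM API 1 request authenticated with an API token."""
    query = urllib.parse.urlencode({"api.version": 1, **params})
    url = f"https://{host}:{WHM_PORT}/json-api/{function}?{query}"
    return urllib.request.Request(url, headers={"Authorization": f"whm {user}:{token}"})


def redact(token):
    """Form of the token that is safe to write to logs."""
    return token[:4] + "*" * (len(token) - 4)


def parse_result(body):
    """Return (ok, reason, data) from a WHM API 1 JSON response body."""
    doc = json.loads(body)
    meta = doc.get("metadata", {})
    return meta.get("result") == 1, meta.get("reason", ""), doc.get("data")


def call(host, function, token, **params):
    """Send the request; urllib verifies the server certificate by default."""
    req = build_request(host, function, token, **params)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_result(resp.read())


if __name__ == "__main__":
    tok = load_token()
    print("using token", redact(tok))
    print(call(os.environ["WHM_HOST"], "version", tok))
```

If the token was created with an IP restriction, run the script from one of the listed addresses; a call that fails from elsewhere confirms the restriction is in effect.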

Managing Existing Tokens

You can modify or remove tokens at any time from the Manage API Tokens list.

  • Edit Permissions: Click Edit next to a token to change its allowed IP addresses or Access Control List (ACL) permissions. Note: You cannot view the token string here, only change its settings.
  • Revoke Access: If a token is compromised or no longer needed, click Revoke. This immediately invalidates the token, and any application using it will lose access to the server.

Frequently Asked Questions (FAQ)

No. For security reasons, WHM only displays the token once at the moment of creation. If you lost it, you must click Revoke on the old token and Generate a new one.

Follow the “Principle of Least Privilege.” Only check the boxes for the specific features the remote script needs (e.g., if the script only creates cPanel accounts, only check “create-acct”). If you are linking your server to the Liquid Web portal for general management, you usually need to select Everything.

Remote Access Keys were the old method for authentication in cPanel/WHM. They have been deprecated in favor of API Tokens, which offer better security controls (like IP restrictions and granular permissions).

No. This guide covers WHM API tokens for server-wide administration (root level). cPanel users can generate their own tokens for individual account management inside the cPanel interface under Security > Manage API Tokens.
