Managing API keys

The API keys dashboard lets you create and manage OAuth 2.0 credentials for use with the Wikimedia API.

Create a key

To create an API key, select Create key, and complete the registration form.

Create app credentials

App credentials let you build an app to publish and share. Wikimedia API requests are rate limited based on client ID, so you should create one set of credentials per app. To create credentials, select an app type, and provide a redirect URL.

  • Name: Choose a unique name to help identify your app.
  • Description: Admins use this field to evaluate your client, so include a description of how your app uses Wikimedia content.
  • Redirect URI is used by the OAuth authentication server to return users to your app after approval.

App credentials with edit permissions must be approved by Wikimedia OAuth administrators before they can be used. You can see the status of your client on the API keys dashboard. Once your app is approved, you'll receive an email from wiki@wikimedia.org.

Create a personal API token

A personal API token is tied to your Wikimedia account. It should only be used by you and should not be published or shared. To create a personal API token, select the API token key type. After submitting the form, you'll be shown a client ID, client secret, and access token. Remember to store your access token in a secure place; you won't be able to access it again through the API Portal. Personal API tokens are approved automatically.

Key status

The API keys dashboard displays the status of each key.

  • Approved keys are ready to use.
  • Approval pending keys are waiting for review and approval by Wikimedia OAuth admins. Approval usually occurs within two weeks.
  • Rejected keys have been rejected by Wikimedia OAuth admins. This is usually due to security concerns or missing or unclear information. If your key is rejected, you should receive an email from wiki@wikimedia.org with the rejection reason and steps to re-submit your key.
  • Expired keys have not been approved within 30 days. If your key is expired, please re-create the key.
  • Disabled keys have been disabled by Wikimedia OAuth admins due to security concerns or risky behavior.

Reset secrets

To reset a client secret, select View details for the key on the API keys dashboard, and select Reset client secret. This resets all provided secrets for the key, including a personal API token. Resetting a secret does not invalidate existing secrets.