Two-Factor authentication (2FA) requires an additional security code to log in to cPanel & WHM. A smartphone with a supported time-based one-time password (TOTP) app provides the security code.
- We introduced this feature in cPanel & WHM version 54.
- API calls that use a method that includes a URL must use the correct port:
2082— Unsecure calls to cPanel's APIs.
2083— Secure calls to cPanel's APIs.
2086— Unsecure calls to WHM's APIs, or to cPanel's APIs via the WHM API.
2087— Secure calls to WHM's APIs, or to cPanel's APIs via the WHM API.
2095— Unsecure calls to cPanel's APIs via a Webmail session.
2096— Secure calls to cPanel's APIs via a Webmail session.
Function not founderrors if they use an incorrect port number.
- This document only includes cPanel & WHM authentication methods. For Manage2 authentication information, read our Guide to the Manage2 API API documentation.
2FA with session-based authentication
This script sends the OTP once to establish an authenticated session, and then performs all of the API calls within that session.
Example Perl Script
This script requires the
LWP::Protocol:https module. If you attempt to run this script, you must first run the
/scripts/perlinstaller LWP::Protocol::https command to install the module.
Example PHP script
2FA with non-session-based authentication
This script allows you to perform API calls without the need to establish a session, but requires you to send the OTP token with every request in the
X-CPANEL-OTP header. This script also requires that you know the 2FA secret in order to generate the required tokens.
Example Perl script