MediaWiki's authentication layer is getting a major overhaul. For more
details see the announcement "MediaWiki authentication changes" sent to
wikitech-l; this email will repeat the portion relevant to bots. If you
maintain an interactive application that uses API login, the details of how
this will affect you aren't yet finalized; see the announcement on
wikitech-l for more, or wait for a future announcement to this list once
the details are available.
The "thinks will break" date has not yet been decided, but the goal is to
have it ready by the end of February.
*TL;DR:* Switch your bot to OAuth if possible, or look at
Special:BotPasswords (being deployed next week on WMF wikis) to set up a
new username+password for your bot to use with action=login in the future.
The new authentication features mean that unattended login might no longer
work since the login flow will now natively support user interaction: the
account might have 2-factor enabled, or might need a password reset, or
some other thing that requires user interaction. We've created two ways to
work around this:
- If possible, switch to OAuth. This week (1.27.0-wmf.10) "owner-only"
consumers are being rolled out to make this easier for bot operators: log
into your bot account, go to
and create a consumer with the "This consumer is for use only by MyBotName"
checkbox checked.The consumer will be approved for use immediately, no
waiting or trying to find someone who can approve the consumer for you.
Owner-only consumers also don't tag every edit, since all the edits will be
from the one account anyway.
- If you need to continue using the existing action=login, next week
(1.27.0-wmf.11) we're rolling out Bot Passwords. This is something like
OAuth-lite, or Google's application passwords: go to Special:BotPasswords,
set one up, and then use new bot-password username and password to login as
you've always done (no code changes, just update your bot's configuration).
It's already live in Beta Labs if you want to test it out.
action=login with the "main" account password might still continue to work
after the new AuthManager is deployed, as long as nothing requires user
For bots that run on third-party wikis, Bot Passwords are in core and are
enabled by default, but it's possible a wiki could disable them. OAuth is
an extension that the wiki may or may not have installed.
Brad Jorsch (Anomie)
Senior Software Engineer