TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. 

This will break bots, gadgets and user scripts that are still using these parameters.

A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain 

a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1] 

and ‘token’ parameter in the following API endpoints were used to obtain a token:

• ‘rctoken’ in action=query&list=recentchanges [2]
• ‘rvtoken’ in action=query&prop=revisions [3]
• ‘intoken’ in action=query&prop=info [4]
• ‘ustoken’ in action=query&list=users[5]

Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to 

API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation. 

To obtain CSRF tokens clients now need to use a consolidated ‘action=query&meta=tokens’ endpoint. [6]

Please respond to this email if you have any concerns or questions about this change.

Petr Pchelko

Staff Software Engineer

Platform Engineering Team at WMF

[1] https://en.wikipedia.org/w/api.php?action=help&modules=tokens

[2] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brecentchanges

[3] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brevisions

[4] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Binfo

[5] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Busers

[6] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Btokens