Skip to main content
API tokens are how you let scripts, monitoring tools, deployment runners, or anything else outside cPanel call the cPanel API on your behalf. The token replaces your password when calling UAPI or WHM API endpoints, and you can revoke it any time without changing your login password. Open it from cPanel home → SecurityManage API Tokens.
API Tokens page with active tokens and the Generate button

Generate a token

1

Click Create

The token form opens.
2

Give it a name

Pick a name that tells future-you what the token is for: deploy-runner-prod, uptime-check, wp-toolkit-backups. Names are free-form; only you see them.
3

Set an expiry (optional)

Pick a date the token should stop working on. Leave blank for a token that lives until you revoke it manually. For a one-off job, an expiry is the safer default.
4

Click Create

cPanel shows the token string once. Copy it now. It’s not shown again, and there’s no way to retrieve it later. If you lose it, generate a new one and revoke the lost one.
Generated API token shown once after creation

Use a token

Pass the token in the Authorization header on every API call. Format: Authorization: cpanel <username>:<token>. 
curl -H "Authorization: cpanel myuser:ABCDEF1234567890" \
  "https://your-server.example.com:2083/execute/Email/list_pops"
You can also pass it as --user: 
curl -u myuser:ABCDEF1234567890 \
  "https://your-server.example.com:2083/execute/Email/list_pops"
The token authenticates as your cPanel user. It can do anything you can do in the UI, with no scope filter on the cPanel side.

Revoke a token

The list at the bottom of the page shows every active token with a Revoke action. Click it. The token stops working immediately. Anyone holding it gets 401 Unauthorized on the next call. Edit a token instead of revoking if you only need to change the name or the expiry.

What the token list shows

Each row in the token list has:
  • Name. What you typed at creation. Editable.
  • Created. Timestamp the token was issued.
  • Expires. The expiry date you set, or Never.
  • Last Used. Last time the token authenticated a request. Useful for spotting tokens that nothing is actually using, those are safe to revoke.

Common patterns

One token per integration

Don’t reuse a single token across multiple tools. If one leaks, you can revoke it without breaking the others. Naming convention helps: <tool>-<env>-<purpose>.

Short-lived tokens for CI

Generate a token at the start of a deploy, set the expiry one day out, run the deploy, let it expire. Even better, revoke it at the end of the run. No long-lived secret sitting in a CI variable.

Pair with WHM IP whitelisting

If a token is for a machine with a static IP (a deploy box, an uptime monitor), set the whitelist to that IP. A leaked token from anywhere else is useless.

Common issues

Three usual causes: token typo, wrong username, or the token has been revoked. Compare the token against what you copied at creation; if you can’t, generate a new one.
cPanel API tokens are different from WHM API tokens. cPanel tokens are managed in this tool, scoped to your cPanel account; WHM tokens are managed by the server admin via WHM. On Noxity shared hosting, you only have cPanel API access.
cPanel doesn’t store the plaintext token, only a hash. There’s no recovery. Generate a new one, revoke the lost one.
Not in the cPanel token UI. The token can do anything the user can. Treat each token like a full credential and rotate often.

Need a hand?