Authentication

Token authentication and authenticated request behavior

OAuth2 support is planned for the future. For now, third-party integrations should use API tokens.

Since August 2025, Wynncraft Accounts have provided API features for authenticated users, including user-based caching and authenticated throttling.

The authentication system currently supports two user types:

Type      Description
SESSION   Wynncraft website session-cookie authentication. This is not intended for third-party applications.
TOKEN     Third-party-friendly authentication using an API token and the Authorization header.

Creating Tokens

You can create up to 3 authentication tokens from your Account Dashboard.

Each token is independent. For example, if you create 3 tokens, each token has its own authenticated rate limit per bucket.

When creating a token, provide:

  • A name. This cannot be changed later.
  • A description.

The token value is only shown once during creation. Store it securely.

Public Tokens

Tokens can be set to Public Mode.

A public token:

  • Acts as an authenticated guest.
  • Hides your personal data and stats unless you made them public.
  • Is recommended for public applications.

Use this mode when a token is used by public commands to avoid potential privacy leaks.

Token Deletion

You may delete one token every 2 minutes. This prevents token deletion from being abused to bypass rate limits.

Token creation is not rate-limited.

Authenticating Requests

Authenticated requests use the Authorization header:

Authorization: Bearer <token>

Never share your account tokens with anyone.
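
An added example (not part of the Wynncraft documentation): a small Python helper that reads the token from the environment instead of source code, attaches the Authorization header only to HTTPS requests for one expected host, and masks the token in log text. The variable name WYNN_API_TOKEN and the host api.example.invalid are placeholders assumed here, not values from this page.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Assumptions (not from the page): the environment variable name and the API host.
TOKEN_ENV_VAR = "WYNN_API_TOKEN"      # hypothetical variable name
ALLOWED_HOST = "api.example.invalid"  # placeholder; substitute the real API host


def load_token(env=os.environ):
    """Read the token from the environment so it never lives in source control."""
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    # Reject whitespace and control characters that could split or inject headers.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in token):
        raise ValueError("token contains whitespace or control characters")
    return token


def build_request(url, token):
    """Return a Request carrying the Bearer token, only for HTTPS and the allowed host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send a token over a non-HTTPS URL")
    if parts.hostname != ALLOWED_HOST:
        raise ValueError("refusing to send a token to an unexpected host")
    req = urllib.request.Request(url)
    # An unredirected header is not copied onto a request that follows a redirect.
    req.add_unredirected_header("Authorization", f"Bearer {token}")
    return req


def redact(text, token):
    """Mask the token before text reaches logs or error reports."""
    return text.replace(token, "<redacted>")
```

Pass the returned request to urllib.request.urlopen to send it, and run any logged URL, header dump or exception text through redact first.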