Whoami API

Add Whoami endpoint to Flarum

Compatible with Flarum v1.8.5

Latest release v1.0.0


released on Nov 7, 2023


Whoami API by Vimar

MIT license

This extension adds a new endpoint "/api/whoami" which exposes the data of currently logged-in user. By using this route with the POST /api/token route, you can use Flarum as an identity provider for your site.


Install manually:

composer require vimar/flarum-whoami


composer update vimar/flarum-whoami
php flarum migrate
php flarum cache:clear

Tutorial for Flarum Authentication


To emulate a login statement to Flarum, we just call the Flarum POST /api/token in order to crate a token for registered user:

POST /api/token HTTP/1.1

    "identification": "John",
    "password": "pass7word",
    "remember": 1

HTTP/1.1 200 OK

    "token": "YACub2KLfe8mfmHPcUKtt6t2SMJOGPXnZbqhc3nX",
    "userId": "1"

then we store this token as a cookie (eg: flarum_token) for future use (by default an access token lasts 1 hour unless you add the remember parameter, in which case it lasts for 5 years.).

Note: To enable SSO between our website and flarum, we need to store a session_remember token as flarum_remember cookie too;

Verify logged-in user profile

Now, each time we want to know if an user is logged-in, we only need to call the following endpoint:

POST /api/whoami HTTP/1.1
Authorization: Token YACub2KLfe8mfmHPcUKtt6t2SMJOGPXnZbqhc3nX

HTTP/1.1 200 OK

    "data": {
        "type": "users",
        "id": "4",
        "attributes": {
            "username": "John",
            "displayName": "Jon Doe",
            "slug": "John-Doe",
            "joinTime": "2003-04-02T20:29:29+00:00",
            "discussionCount": 125,
            "commentCount": 2799,
            "canEdit": true,
            "canEditCredentials": true,
            "canEditGroups": true,
            "canDelete": true,
            "lastSeenAt": "2023-11-07T09:43:13+00:00",
            "isEmailConfirmed": true,
            "email": "[email protected]",
            "markedAllAsReadAt": null,
            "unreadNotificationCount": 0,
            "newNotificationCount": 0,
            "preferences": {
            "isAdmin": true,
        "relationships": {
            "groups": {
                "data": [
                        "type": "groups",
                        "id": "1"
    "included": [
            "type": "groups",
            "id": "1",
            "attributes": {
                "nameSingular": "Admin",
                "namePlural": "Admins",
                "color": "#B72A2A",
                "icon": "fas fa-wrench",
                "isHidden": 0


To logout, we need to delete our session cookie (containing access token) and eventually purge all of them on Flarum by calling

© 2024 Hyn by DaniĆ«l "Luceos" Klabbers. All rights reserved. · Extensions and extension information is provided by the respective (copyright holding) authors. · Extiverse is not affiliated to the Flarum project or Flarum foundation. · Images on Extiverse pages are from Unsplash.