gRegorLove little g big R

IndieAuth for ProcessWire Released

IndieAuth lets you sign in to applications using your domain name and grant access to read/write to your site. This module adds IndieAuth support to your ProcessWire site, enabling two main things:

  1. Authentication: When you visit a site like and enter your domain name, you will be taken to your ProcessWire admin area to sign in and approve the request. If you approve the request, you will be returned to the site and logged in as your domain name.
  2. Authorization: When you visit an application like Quill, it needs to also get your permission to post to your site. You will be taken to your ProcessWire admin area to sign in and approve the request/scopes that the app is requesting (create, update, delete, etc.). If you approve the request, you will be returned to the app, logged in as your domain name, and the app will have an access token for your site.


  • Browse the applications you have granted access tokens to. See when each one was granted, last used, and will expire.
  • Revoke any application’s access tokens
  • Set the default expiration period for new access tokens. The initial default is 14 days.
  • Automatically remove expired tokens
  • During authorization, confirm and change the scopes granted to the application. For example, an app may request “create” and “delete” scopes, but you can grant only “create.”
  • During authorization, you can also choose to grant an access token with no expiration

Installation from Modules Directory

The recommended method is to use the ProcessWire admin area’s module interface.

  1. Navigate to Modules > New. In the Module Class Name field, enter ProcessIndieAuth
  2. Copy the template files from the module’s directory /extras/templates into your site’s /site/templates directory.
  3. Verify that the plugin installed pages:
    • IndieAuth Metadata Endpoint
    • Authorization Endpoint
    • Token Endpoint
    • Token Revocation Endpoint
    • IndieAuth page under the admin’s Access menu
  4. Look up the user(s) that you want to allow to use IndieAuth and assign them the “indieauth” role
  5. Update your home page template to add the link elements inside the <head> element:

This should result in three <link> elements in the source HTML:

    <link rel="indieauth-metadata"	href="/indieauth-metadata-endpoint/">
    <link rel="authorization_endpoint"	href="/authorization-endpoint/">
    <link rel="token_endpoint"	href="/token-endpoint/">

Sign In

To test signing in with IndieAuth, visit and enter your domain name. Follow the prompts to authenticate and you should end up back on with a success message.


The authentication prompt when signing in with IndieAuth

Sign In and Authorize

To authorize an application with IndieAuth, your site will first need a module that uses access tokens. I have a Micropub for ProcessWire module in development that does that. Micropub is a standard that lets you publish to your site using third-party clients. If you’d like to try it out, follow the instructions on GitHub to install it.

After installing, visit Quill and enter your domain name. Follow the prompts and note the additional fields for “scope” and “expiration,” since you are authorizing an application to interact with your site. After successfully authorizing, try to post a short note from Quill. Quill should redirect you to the new post if it was successful.

For a list of other Micropub clients you can try, see


The authorization prompt

Admin and Options

In the admin, you can see which applications you have granted access tokens to. You can see when each token was issued, last accessed, and its expiration. You can also manually revoke a token at any time. Navigate to: Access > IndieAuth.


The admin page displaying access tokens you have granted

There are a couple options in the admin at: Modules > Configure > ProcessIndieAuth:

  1. Default access token lifetime (in seconds): This defaults to 14 days and is what appears in the authorization screenshot above.
  2. Automatically remove access tokens after expiration (enabled by default): When enabled, the site checks approximately every six hours and removes expired access tokens. Regardless of whether this option is enabled, the module will reject any application attempting to use an expired access token. Since access tokens cannot (currently) have their expiration extended, I recommend keeping this option enabled so the admin list stays tidy and current.

Finally, this module writes some admin logs. Access those at: Setup > Logs > indieauth

More About IndieAuth

If you’re interested in more details about IndieAuth, I recommend the article “OAuth for the Open Web” by Aaron Parecki (or the video presentation). If you are interested in implementing IndieAuth in your project, see the IndieAuth specification.

View responses or leave your own response


Jamie Tanna,, Open Mentions, and 2 others

Amanda J. caarson Amanda J. caarson reposted this –

This is an older post, so the public comment form is now closed. You can still use the form above to send me the link of your reply or sign in with your email to leave a comment. You can always send me a message, too.


Proud member of An IndieWeb Webring 🕸💍