NoPass pageDocumentation

Getting started

To use noPass, you will need to have a noPass account and a API Key pair.
Once you have created your noPass account and you have successfully logged into this account,
you will be able to generate a new site label in the so called "Developer area".
For each generated site-label, a new API Key pair will be generated. Once generated this site Label you can access the information and settings by clicking on the "manage" button that comes with the same line as the new site label.

The generated API Key pair is Unique to the domains you specify at he bottom of the management page.
When your site is running multiple top level domains, it could come in handy to specify multiple domains.

The api will not work on domains that are not specified.

Adding owners, by email, will allow other people to manage this specific label as well.

Display the API (client side)

Here we will explain how to display the API widget on your webpage.

To display the widget onto your webpage, you will only need two simple lines of code.
These lines are also visible in the developer area.

You need to load the JavaScript resource and a "mhwd-nopass" tag. The "mhwd-nopass" is a DIV element with a class named "mhwd-nopass" and your site key in the "data-sitekey" attribute.

The following code will show you an example:
		<title>noPass demo: my web page</title>
		<script src=""></script>
		<form action="?" method="POST">
			<div class="mhwd-nopass" data-sitekey="your_site_key"></div>
			<input type="submit" value="Submit">

The script must be loaded using the HTTPS protocol and can be included from any point on the page without restriction.

To automatically submit the form after the authentication has been approved, you can add the "submit-form" tag in the DIV element. The div element will now look like:
<div class="mhwd-nopass" data-sitekey="your_site_key" submit-form="true"></div>

Verify the authentication (server side)

After each authentication you can verify the authentication on the server side using PHP.
When the authentication has been solved by the user, a new field will be added to the html form and can be resolved by the name "nopass-session".

First of all you need to make an API Request.

Post Parameter Description
secret Required. The shared "secret" key between your site-label and noPass.
nopass-session Required. The user session token provided by the noPass to the user and provided to your site in the "nopass-session" POST.
remoteip Optional. the User's IP address.

API Response:

The response is a JSON object:
	"connection_status": true|false,	//Whether the given data is correct or not
	"success": true|false,			//Authentication => approved or rejected
	"account": [nopass_email, email],	//The email the user has used to authenticate

We strongly recommend using the nopass_email to insert into your database. This email will always remain connected at the specific noPass account and cannot be changed. The normal email CAN be changed.

Example code:

	$url = '';
	$secret = 'my_secret_key';
	$nopass_session = $_POST['nopass-session'];
	$remoteip = $_SERVER['REMOTE_ADDR'];
	$data = array(
		'secret' => $secret, 
		'nopass-session' => $nopass_session,
		'remoteip' => $remoteip
	$options = array(
		'http' => array(
			'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
			'method'  => 'POST',
			'content' => http_build_query($data),
	$context  = stream_context_create($options);
	$response = json_decode(file_get_contents($url, false, $context));
	if($response->connection_status == true) {
		//Data correct
		if($response->success == true) {
			//authentication approved
			$email = $response->account->email;
			$email2 = $response->account->nopass_email;
		}else {
			//authentication rejected
Last update: March 2, 2016