The OAuth 2.0 plugin replaces static authentication with a token-based flow tied to your existing login system. Each application requests permission, receives scoped access, and operates within defined limits. No need to distribute or manage long-lived credentials across tools and services.
Tokens expire by default, can be refreshed when needed, and revoked instantly without affecting other integrations. This reduces exposure and simplifies access management.
For teams running multiple integrations, OAuth 2.0 is the practical choice for secure, maintainable access to Matomo data. Every connection is authorised, bounded, and straightforward to control.
Features
- OAuth 2.0 Authorization Server integrated with Matomo
- Manage OAuth clients via Administration → Platform → OAuth 2.0 (For Matomo Cloud it will be Administration → Export → OAuth 2.0)
- Supported grant types:
- Authorization Code (with PKCE)
- Client Credentials
- Refresh Token
- OAuth scopes:
matomo:readmatomo:writematomo:adminmatomo:superuser
- RSA signing keys for JWT tokens
- Built using league/oauth2-server
- Bearer token authentication for Matomo APIs
- Client management UI with create, edit, pause/resume, delete, and secret rotation for confidential clients
OAuth Endpoints
| Endpoint | Description |
|---|---|
/index.php?module=OAuth2&action=authorize |
Authorization endpoint |
/index.php?module=OAuth2&action=token |
Token endpoint |
Optional cleaner routes can be added:
/oauth2/authorize
/oauth2/token
Setup
-
List Clients
-
Create Client
-
Edit Client
-
List Clients
-
Pause a Client
-
Resume a client
