3.4.0 supposed to come with Rest API but appears not to


According to what I’ve read on the PHPList plugins page for the old REST API, 3.4.0+ comes with the new REST API. However, it doesn’t really. Here are the only contents of the /lists/admin/plugins directory from the default 3.4.0 install:
CKEditorPlugin Common fckphplist
CKEditorPlugin.php CommonPlugin fckphplist.php
COPYING.txt CommonPlugin.php inviteplugin.php
CaptchaPlugin SegmentPlugin subjectLinePlaceholdersPlugin.php
CaptchaPlugin.php SegmentPlugin.php

Any advice on why it doesn’t come with the REST API? Which REST API is currently the one I should be using? I also saw that the newer version of the REST API appears to be in alpha still, so it seems like either I’m missing something, or it’s a bit premature to mark the old one as deprecated.

Can you advise?


@davewbtdc The new REST API comes in the lists/base directory - it’s not a plugin, unlike the previous one. It’s a separate application that shares the same database.

The separate application is phpList 4 - a rewrite of phpList using Symfony, Doctrine, and Composer. In time phpList 4 will take over other functionality of phpList 3 as well.

The previous API is marked depreciated not because of the release of the new one, but because it hasn’t been maintained in a long time (years). Therefore it may not be safe to use.

You should use the new REST API because that is under active development and will continue to grow in capability in future releases. Any contributions to that api would also be greatly appreciated. You should find it well documented and tested via CI which you can see on GitHub.

Hope that helps.

Thanks for the quick response. Can you point me to the up-to-date documentation and examples for the new REST API? I’d like to make sure I’m looking at the right info on its use.


Here’s an example implementation of the new API in PHP:

This example is not working for me.

First it was complaining about the SSL certificate in my dev environment because it was self-signed. I changed the form_params for the client request to look like this:
$reqParams = array(
‘form_params’ => array(
‘login_name’ => $this->username,
‘password’ => $this->password,
if ($ignoreSSL) {
$reqParams[‘verify’] = false;

Now when it posts the request to start the session, it gets the error:
[24-Mar-2019 19:29:35 UTC] API ERROR: 401: Client error: POST https://my-server.com/lists/base/public/api/v2/sessions resulted in a 401 Unauthorized response:


However, I can use the username and password it’s using to log in directly. This is with the rest connection account I’m using “restApiAdmin” having all permission boxes checked but NOT being a super-admin.

If I change that account to super-admin, it gives me this error instead:
[24-Mar-2019 19:35:25 UTC] API ERROR: 500: Server error: POST https://my-server.com/lists/base/public/api/v2/sessions resulted in a 500 Internal Server Error response:
{“code”:500,“message”:“Internal Server Error”}

These errors are appearing in my WP error_log where I’m logging them. However, I can’t find your error logs anywhere in the file system and nothing of note is showing up in the GUI “Log of Events.”

I even changed to a password that would have no special characters in it, in case something was choking on certain special characters in the password. That didn’t seem to help.

Please advise.

1 Like

Also, this new example looks like it no longer uses the “secret for remote processing” like the old REST API did. Is that correct?

Please make sure to enable the REST API and logging.

As Xheni says it looks like the api isn’t yet enabled. Ditto logging.

As I recall, only super admins are currently allowed. @xheni can confirm.

1 Like

Yes that’s correct. Either the API is enabled or disabled, and if you have login credentials for a super admin account then you can authenticate a new session and get a key for making requests.

Thanks for the replies, all. Sounds like this is another opportunity to make things more user-friendly.

Also, I’ve noticed twice now that the emails from the system say that you can reply to the email, but when you do, the email bounces. Here’s the error I just got from trying to reply by email:

The response from the remote server was:

554 5.7.1 <discuss+reply+7753294b07449c71bb5b0fb9099bcb5d@discuss.phplist.org>: Recipient address rejected: Access denied|


Also, is it really required to have a super-admin account for REST API access? It seems to break the rule of least privilege to allow your REST API user to also create new admin accounts (or even to log in via the web interface at all, for that matter). I would think that just checking all the boxes and not making the account a super-admin would be better from a security perspective, but I’m not sure what else that would imply in terms of your codebase.

I hate to be a pain, but I noticed in the config_modules.yml file the very first line says:

# This file is autogenerated. Please do not edit.

Is there a way to enable the REST API without editing this file? When, if ever, will my changes to this file be overwritten?


You mean enabling the API by default? Or documenting it?

Thanks; yes it’s a problem that will hopefully be resolved this week.

@davewbtdc The REST API is disabled by default for this release as it is beta, and should be used for testing only at the moment.
The changes to this file would be overwritten in the next release, but in future releases, it will be shipped enabled by default and therefore would require no changes.


I’m up to the part where I try to add a subscriber and it’s not working. Specifically, your RestAPIClient example here has no example on how to add a subscriber, or any other POST calls other than the first session creation:

Can you provide an example of how to add a subscriber? To make matters a bit more confusing, the documentation here uses CURL directly instead of Guzzle, which is what you use in the example above.

While I wait for your response I guess I will try it the CURL way instead of the Guzzle way in your other example. Thanks again, and sorry to keep bugging you! I really want to make it so I can use PHPList with WPMUDev’s Hustle Opt-in module, but it’s proving trickier than I imagined to integrate with your API so far…


1 Like

Hi @davewbtdc , I haven’t included every API call yet in the example, but will do so and let you know.

Thanks. I did get it working with the CURL example I found, so I guess I will just use all the CURL calls instead of the Guzzle calls.

1 Like

OK, clearly I’m relatively new to Symphony. I realize you don’t have all the API endpoints documented yet and examples created yet. That’s fine. Is there a way I can poke around in the code to find the endpoints available?

Specifically, I have successfully added a subscriber, but I can’t figure out how to add the subscriber to a list. That example doesn’t exist here yet (https://documenter.getpostman.com/view/3293511/phplist-4-rest-api-demo/RVftkC9t#f40e6c04-12b6-a041-3e02-39c81f063010). I would be happy to poke around on my own in the code if you could give me a hint as to how to decipher the available REST endpoints.

I do see that the Subscriber model has a public function called setSubscribedLists, but I’m not sure how or where I would call that. I tried adding it to the initial post data when adding the subscriber like this and it didn’t work:
$dataToPost = [
‘email’ => $data[‘email’],
‘confirmed’ => true,
‘blacklisted’ => false,
‘html_email’ => true,
‘disabled’ => false,
‘subscribed_lists’ => array($list_id)
Instead of ‘subscribed_lists’ I also tried ‘subscribedlists’ and just ‘lists’. None of those worked either.

Please advise.

For the new REST API, you can find the documentation of all routes that currently are available here:

Hope this helps,


1 Like