

Magic Tokens

“Magic Tokens” are used by Movable Type as a security precaution.

One common technique used by hackers is the “replay attack”: they intercept a request from a session and resend it after making slight modifications to it. Magic tokens, which contain an encrypted timestamp, can be transmitted with a request and then verified, which makes these types of attacks more difficult.

Developers building plugins for Movable Type are strongly encouraged to generate and then validate a token with every form submission. The following are the methods you will need to familiarize yourself with:


Creates a new “magic token” string that can be embedded into a form as an input parameter. It should be used in conjunction with validate_magic to ensure that the


Checks for a magic_token HTTP parameter and validates it for the current author. If it is invalid, an error message is assigned to the application and a false result is returned. If it is valid, it returns

return unless $app->validate_magic;

To populate a form with a valid magic token, place the token value in a hidden form field:

<input type="hidden" name="magic_token" value="<mt:var name=MAGIC_TOKEN>" />

If you’re protecting a hyperlink, add the token to the query parameters for that link.
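
The idea of a timestamped token that is checked for the current author, as an added standalone Perl sketch; it is not Movable Type's code and does not reproduce how Movable Type builds its tokens. It authenticates the timestamp with an HMAC instead of encrypting it, and the helper names (make_token, check_token), the secret, the lifetime, the author ids and the clock values are all constructed for the example.

```perl
#!/usr/bin/env perl
# Added illustration: NOT Movable Type's implementation of magic tokens.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'constructed-demo-secret';   # assumption: per-install server secret
my $MAX_AGE = 3600;                        # assumption: tokens live one hour

# Build "<timestamp>:<mac>", where the MAC covers the author id and timestamp.
sub make_token {
    my ($user_id, $now) = @_;
    return $now . ':' . hmac_sha256_hex("$user_id:$now", $SECRET);
}

# Compare without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return 'ok', or a short reason string when the token is rejected.
sub check_token {
    my ($token, $user_id, $now) = @_;
    my ($ts, $mac) = ($token // '') =~ /\A(\d{1,12}):([0-9a-f]{64})\z/
        or return 'malformed';
    constant_time_eq($mac, hmac_sha256_hex("$user_id:$ts", $SECRET))
        or return 'bad signature';
    return 'expired' if $now - $ts > $MAX_AGE || $ts > $now;
    return 'ok';
}

my $t0    = 1_700_000_000;                      # constructed clock value
my $token = make_token('author-7', $t0);
(my $forged = $token) =~ s/\A\d+/$t0 + 5000/e;  # timestamp rewritten in transit

printf "%-28s %s\n", @$_ for (
    [ 'fresh, same author',     check_token($token,  'author-7', $t0 + 60)   ],
    [ 'replayed after expiry',  check_token($token,  'author-7', $t0 + 7200) ],
    [ 'replayed by other user', check_token($token,  'author-9', $t0 + 60)   ],
    [ 'timestamp edited',       check_token($forged, 'author-7', $t0 + 5060) ],
    [ 'missing token',          check_token(undef,   'author-7', $t0)        ],
);
```

Only the first case is accepted. Each of the others is rejected before any form data would be processed, which is the point at which a plugin handler returns early on a failed validate_magic.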