PIWIK auth token grants access to all pages?!



I originally posted to the German forums, but sadly nobody answered, so I hope somebody can help me here. Here’s the link to the original post: Piwik Multiuser - API Key gibt Zugriff auf alle Websites

So, my question is the following:

I want to give access to my Piwik installation (which I use for my own homepage, let’s say it is called myself.com) to a friend who wants some web analytics for his homepage (let’s say friends.com, just as an example). I created a new user for him and configured a new website with the Piwik administrator. In the next step I granted access to friends.com for the new user.

Just for some experiments I tried configuring a test page to track to myself.com with the auth token from the Piwik user who only has access to friends.com, and et voilà, I could track the visits. But why?

Is it normal that Piwik can use the auth key from a user to track visits to a website the user doesn’t have access to?

How would resellers solve this problem? I cannot imagine that a reseller installs a new Piwik instance for every customer.

How would I configure usage of one Piwik instance for multiple users, who shall not be able to track to webpages they aren’t allowed to administrate?

Hope somebody can help me.

Thank you and greetings

PS: I am using Piwik 2.16.0


Does really nobody have an answer, or is my question not clear enough?


How do you use the auth. token? It’s not needed for the Piwik JavaScript tracker (JavaScript Tracking Client: Integrate - Matomo Analytics (formerly Piwik Analytics) - Developer Docs - v3). Its setSiteId determines which site is tracked.

The token_auth is used for, e.g., inclusion of the Piwik dashboard (or separate widgets) into a web site (e.g. the tracked one, often using a CMS plugin, such as the one for WordPress). And some other things. Not for tracking.