Authentication

    The Bludit API uses two tokens. Read endpoints require only the API Token; write endpoints require both the API Token and an Authentication Token.

    API Token

    A static token shared by the whole installation. Required for every request, read or write. Find it in the API plugin settings:

    Admin panel > Plugins > API > API Token

    The token can be sent in the query string (for GET and DELETE) or in the request body (for POST and PUT).

    Query string:

    GET /api/pages?token=<api-token>

    Request body (JSON):

    {
      "token": "<api-token>"
    }

    Authentication Token

    A per-user token, tied to an account with the Administrator role. Required for write endpoints: create, edit, delete, settings update, image upload, and file upload. Find it in the user profile:

    Admin panel > Manage > Users > {Username} > Security > Authentication Token

    Sent alongside the API token, under the field name authentication:

    {
      "token": "<api-token>",
      "authentication": "<auth-token>",
      "title": "My new page"
    }

    A request to a write endpoint without a valid authentication token returns 401 Unauthorized.

    Token rotation

    The API Token is regenerated when the API plugin is reinstalled.

    The Authentication Token is regenerated from the user's security settings. Rotating either token invalidates the previous value, so any client still using it must be updated.
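The token placement rules above, as an added example (not code from the Bludit project): a client-side helper that puts each token where the page says it goes, refuses a write request that lacks the authentication token, and redacts both tokens before a URL or body is logged, since URLs are commonly recorded in access logs. The helper names, the mapping of POST/PUT/DELETE to write endpoints, and sending `authentication` in the query string on DELETE are assumptions.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: POST, PUT and DELETE map to the page's write endpoints.
WRITE_METHODS = {"POST", "PUT", "DELETE"}
# Per the page: tokens go in the query string for GET and DELETE.
QUERY_METHODS = {"GET", "DELETE"}
SECRET_FIELDS = ("token", "authentication")


def build_request(method, path, api_token, auth_token=None, fields=None):
    """Return (url, body): body is a JSON string, or None for GET/DELETE."""
    method = method.upper()
    creds = {"token": api_token}
    if method in WRITE_METHODS:
        if not auth_token:
            # Fail locally instead of sending a request that would get a 401.
            raise ValueError(f"{method} is a write request: authentication token required")
        creds["authentication"] = auth_token
    if method in QUERY_METHODS:
        # Assumption: on DELETE the authentication token travels in the query too.
        return f"{path}?{urlencode(creds)}", None
    # Credentials are merged last so caller-supplied fields cannot override them.
    return path, json.dumps({**(fields or {}), **creds})


def redact_url(url):
    """Replace token values in a URL's query string before logging it."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in SECRET_FIELDS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_body(body):
    """Replace token values in a JSON request body before logging it."""
    data = json.loads(body)
    for key in SECRET_FIELDS:
        if key in data:
            data[key] = "REDACTED"
    return json.dumps(data)


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    url, _ = build_request("GET", "/api/pages", "sample-api-token")
    print(redact_url(url))
    _, body = build_request("POST", "/api/pages", "sample-api-token",
                            "sample-auth-token", {"title": "My new page"})
    print(redact_body(body))
```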