Authentication
Configure bearer token authentication for your headless API.
Bearer Token Authentication
The Kirby Headless plugin exposes your content to the public by default. To secure your API, you can enable bearer token authentication for the KQL and custom API endpoints. This is especially useful for KQL requests, as Kirby's default KQL endpoint only supports basic authentication.
To enable bearer token authentication, set the headless.token global option in your config.php to a secret string:
config.php
return [
'headless' => [
'token' => 'test'
]
];
You will then need to include the HTTP header Authorization: Bearer {token} with every request.
The internal
/api/kql endpoint will always enforce bearer authentication, unless you explicitly disable it by setting the kql.auth option to false.Basic Authentication for KQL
If you prefer the default basic authentication method, you can still enable it by setting the kql.auth option to true. This will disable bearer token authentication, but still provide features like caching and multi-language support:
config.php
return [
// Enable basic authentication for the Kirby API (required for KQL)
'api' => [
'basicAuth' => true
],
// Default to basic authentication
'kql' => [
'auth' => true
]
];
The default KQL endpoint
/api/query always continues to use basic authentication and also derives the kql.auth configuration option.