Authentication
Configure bearer token or basic authentication for your headless API.
Bearer Token Authentication
By default, the Kirby Headless /api/kql endpoint uses bearer token authentication. This provides a modern alternative to basic authentication for KQL requests.
Set a secret token in your config.php:
config.php

    <?php

    return [
        'headless' => [
            // Placeholder: replace with a long, randomly generated secret
            'token' => 'your-secret-token'
        ]
    ];
Include the token in your requests using the Authorization header:
    // The token is read from the environment rather than hardcoded
    const response = await fetch("https://example.com/api/kql", {
      method: "POST",
      headers: {
        Authorization: `Bearer ${process.env.KIRBY_API_TOKEN}`,
      },
    });
Store your token securely and never commit it to version control. Use environment variables in production.
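The following is an added example, not part of the Kirby Headless documentation or code. It wraps the request above so that it fails closed: no request is sent when the token is missing or the connection is not HTTPS, and an authentication failure is reported without echoing the token. The function names buildKqlRequest and queryKql, the localhost exception, and the assumption that the site is served from the origin root are illustrative.

```javascript
// Added example: only the Authorization header, the /api/kql path and
// KIRBY_API_TOKEN come from the page; all other names are assumptions.

// Build the fetch() arguments for a KQL request. Throws instead of
// producing a request that would omit the token or expose it in transit.
function buildKqlRequest(baseUrl, query, env = process.env) {
  const token = env.KIRBY_API_TOKEN;
  if (!token || token.trim() === "") {
    throw new Error("KIRBY_API_TOKEN is not set");
  }
  const url = new URL("/api/kql", baseUrl);
  // A bearer token is a reusable credential: keep it off plaintext HTTP,
  // except for local development hosts.
  const isLocal = ["localhost", "127.0.0.1"].includes(url.hostname);
  if (url.protocol !== "https:" && !isLocal) {
    throw new Error("refusing to send bearer token over " + url.protocol);
  }
  return {
    url: url.href,
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${token}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(query),
      redirect: "error", // fail on redirects instead of following them
    },
  };
}

// Send the query. fetchImpl is injectable so this can be exercised offline.
async function queryKql(baseUrl, query, { env = process.env, fetchImpl = fetch } = {}) {
  const { url, init } = buildKqlRequest(baseUrl, query, env);
  const response = await fetchImpl(url, init);
  if (response.status === 401 || response.status === 403) {
    // Report the failure without writing the token into logs.
    throw new Error(`KQL request rejected (${response.status}): check the configured token`);
  }
  if (!response.ok) throw new Error(`KQL request failed (${response.status})`);
  return response.json();
}
```

A call such as queryKql("https://example.com", { query: "site", select: { title: true } }) uses a constructed sample query; substitute your own.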
Basic Authentication
To use basic authentication instead, configure the kql.auth option. This disables bearer token authentication while keeping caching and multi-language support:
config.php

    <?php

    return [
        // Enable basic authentication for the Kirby API
        'api' => [
            'basicAuth' => true
        ],
        // Use basic authentication for KQL
        'kql' => [
            'auth' => true
        ]
    ];
The default KQL endpoint /api/query uses basic authentication and follows the kql.auth configuration option.