How to add an API Key to a RESTful endpoint in Craft CMS

A step by step tutorial on adding API keys to a RESTful Craft CMS endpoint.

Written by Oscar de la Hera Gomez
First published on 12/20/2022 at 07:50
Last Updated on 12/23/2022 at 08:03

The following tutorial builds on our Open Source tutorial series and demonstrates how to add an API key to an existing Craft CMS RESTful API. For details on how we created our Open Source Craft CMS starter project, how to set it up or how to create a RESTful API, please consult the tutorials listed below.

Download Open Source Starter Project
How to create & setup a Craft CMS project
How to build a RESTful API in Craft CMS
How to build an API that returns all the entries of a section
How to build an API that creates a new entry
How to build an API that modifies an entry
How to build an API that deletes an entry

We recommend downloading our Open Source project, checking out the tutorial/api branch, completing the setup listed in the tutorial linked below and carrying out the steps outlined below. All relevant changes can be found on the tutorial/api-key branch.

git clone git@github.com:delasign/craft-cms-starter.git
View GitHub Repository
How to setup our Craft CMS Open Source Project

Step One: Add the API Key

A screenshot of our .env file with the API Key environment variable that we created highlighted. Follow the tutorial linked below to learn how to create and use Environment Variables.

Create a new environment variable called API_Key and add a secure key.

We recommend using LastPass and generating a 32-50 character, secure string.

How to create and use environment variables in Craft CMS
Use LastPass to generate an API Key

Step Two: Add the API verification to your endpoint

A screenshot of VSCode with the function offered below that verifies if the API key matches that of the API call and if not returns a 403 Forbidden error.

Complete your API endpoint by checking for the API Key in the controller's beforeAction function.

Sample code on how to do so can be found below.
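
An added example of such a check, not the tutorial's own sample code: a Craft CMS 4 controller whose beforeAction compares the x-api-key request header with the API_Key environment variable from Step One and returns a 403 Forbidden on any mismatch. The namespace, class name, the index action and the choice of a request header (rather than a query parameter) are assumptions.

```php
<?php

namespace modules\api\controllers; // hypothetical module namespace

use craft\helpers\App;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\Response;

class ApiController extends Controller // hypothetical class name
{
    // Callers have no Craft login session; the API key is the only gate.
    protected array|bool|int $allowAnonymous = true;

    // Non-browser API clients do not carry Craft's CSRF token.
    public $enableCsrfValidation = false;

    public function beforeAction($action): bool
    {
        if (!parent::beforeAction($action)) {
            return false;
        }

        // Key from the .env file (Step One) and key sent by the caller.
        $expected = App::env('API_Key');
        $provided = $this->request->getHeaders()->get('x-api-key');

        // Fail closed: an unset or empty API_Key must never match a request
        // that sends no header. hash_equals() compares in constant time, so
        // response timing does not reveal how much of a guess was correct.
        if (
            !is_string($expected) || $expected === '' ||
            !is_string($provided) ||
            !hash_equals($expected, $provided)
        ) {
            throw new ForbiddenHttpException('Forbidden');
        }

        return true;
    }

    // Hypothetical action, reached only after the key check has passed.
    public function actionIndex(): Response
    {
        return $this->asJson(['status' => 'ok']);
    }
}
```

Because the check lives in beforeAction, it runs before every action of the controller, so actions added later are covered without repeating the comparison.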

Step Three: Reload Modules

A screenshot of Terminal running composer dump-autoload -a.

To make Craft CMS register the API key, run the following line in Terminal with the current directory set to that of your Craft CMS project:

composer dump-autoload -a

Step Four: Test

A screenshot of Postman showing a successful API call using the API Key.

Postman request showing the API call working.

In Postman, try hitting your endpoint with and without the x-api-key parameter, or whatever parameter you used for your API key in Step 2, as well as with the correct API key and a random string to test all scenarios.

A screenshot of Postman showing a forbidden response from an API call using the wrong API Key.

Postman request showing the API call returning a forbidden response, as the wrong API key is passed in the parameter.
