---
title: "Authentication"
url: "https://adaptocms.com/docs/authentication/"
source: adaptocms.com
---

# Authentication

## API Key Authentication

All Public API endpoints require an API key passed via the `x-api-key` HTTP header. This key identifies your tenant and authorizes read access to your published content.

```
x-api-key: YOUR_API_KEY
```

### Obtaining an API Key

API keys are managed from the Adapto CMS dashboard. Navigate to your tenant settings and generate a new public API key. Each key is scoped to a single tenant.

### Usage Example

#### cURL

```
curl -X GET "https://public-api.adaptocms.com/v1/articles" \
  -H "x-api-key: YOUR_API_KEY"
```

#### JavaScript (fetch)

```
const response = await fetch('https://public-api.adaptocms.com/v1/articles', {
  headers: {
    'x-api-key': 'YOUR_API_KEY'
  }
});
const data = await response.json();
```

#### Python (requests)

```
import requests

response = requests.get(
    'https://public-api.adaptocms.com/v1/articles',
    headers={'x-api-key': 'YOUR_API_KEY'}
)
data = response.json()
```

## Security Best Practices

-   **Environment variables** — Store your API key in environment variables, not in source code.
-   **Server-side calls** — For sensitive applications, proxy API calls through your backend to avoid exposing the key in client-side JavaScript.
-   **Key rotation** — Rotate your API keys periodically from the dashboard.
-   **Read-only access** — Public API keys only grant read access to published content. They cannot modify, create, or delete any data.

## Authentication Errors

If the API key is missing or invalid, the API returns:

Status Code

Description

`401 Unauthorized`

API key is missing from the request.

`403 Forbidden`

API key is invalid or does not have access to the requested tenant.

```
// Example error response
{
  "detail": "Invalid or missing API key"
}
```
