Authentication
Authentication
API Key Authentication
All Public API endpoints require an API key passed via the x-api-key HTTP header. This key identifies your tenant and authorizes read access to your published content.
x-api-key: YOUR_API_KEYObtaining an API Key
API keys are managed from the Adapto CMS dashboard. Navigate to your tenant settings and generate a new public API key. Each key is scoped to a single tenant.
Usage Example
cURL
curl -X GET "https://public-api.adaptocms.com/v1/articles" \
-H "x-api-key: YOUR_API_KEY"JavaScript (fetch)
const response = await fetch('https://public-api.adaptocms.com/v1/articles', {
headers: {
'x-api-key': 'YOUR_API_KEY'
}
});
const data = await response.json();Python (requests)
import requests
response = requests.get(
'https://public-api.adaptocms.com/v1/articles',
headers={'x-api-key': 'YOUR_API_KEY'}
)
data = response.json()Security Best Practices
- Environment variables — Store your API key in environment variables, not in source code.
- Server-side calls — For sensitive applications, proxy API calls through your backend to avoid exposing the key in client-side JavaScript.
- Key rotation — Rotate your API keys periodically from the dashboard.
- Read-only access — Public API keys only grant read access to published content. They cannot modify, create, or delete any data.
Authentication Errors
If the API key is missing or invalid, the API returns:
| Status Code | Description |
|---|---|
401 Unauthorized | API key is missing from the request. |
403 Forbidden | API key is invalid or does not have access to the requested tenant. |
// Example error response
{
"detail": "Invalid or missing API key"
}