Skip to main content
On this page
Updated 1 min read

Authentication

Authentication

API Key Authentication

All Public API endpoints require an API key passed via the x-api-key HTTP header. This key identifies your tenant and authorizes read access to your published content.

x-api-key: YOUR_API_KEY

Obtaining an API Key

API keys are managed from the Adapto CMS dashboard. Navigate to your tenant settings and generate a new public API key. Each key is scoped to a single tenant.

Usage Example

cURL

curl -X GET "https://public-api.adaptocms.com/v1/articles" \
  -H "x-api-key: YOUR_API_KEY"

JavaScript (fetch)

const response = await fetch('https://public-api.adaptocms.com/v1/articles', {
  headers: {
    'x-api-key': 'YOUR_API_KEY'
  }
});
const data = await response.json();

Python (requests)

import requests

response = requests.get(
    'https://public-api.adaptocms.com/v1/articles',
    headers={'x-api-key': 'YOUR_API_KEY'}
)
data = response.json()

Security Best Practices

  • Environment variables — Store your API key in environment variables, not in source code.
  • Server-side calls — For sensitive applications, proxy API calls through your backend to avoid exposing the key in client-side JavaScript.
  • Key rotation — Rotate your API keys periodically from the dashboard.
  • Read-only access — Public API keys only grant read access to published content. They cannot modify, create, or delete any data.

Authentication Errors

If the API key is missing or invalid, the API returns:

Status CodeDescription
401 UnauthorizedAPI key is missing from the request.
403 ForbiddenAPI key is invalid or does not have access to the requested tenant.
// Example error response
{
  "detail": "Invalid or missing API key"
}