Authentication

Users/admins authentication

Some actions of the Gobierto API are protected and are only available to authenticated users or admins. Each user or admin of Gobierto has at least one primary API key, which can be used to authenticate them.

If an action requires authentication, or is only allowed to a specific user or admin, and it is called without a token or with a wrong token, the API responds with a 401 Unauthorized status and this JSON content:

{
    "message": "Unauthorized"
}

The token must be included in the headers of the request with the key Authorization and the prefix Bearer. For example, if the token is XXXXXXXXXX, the request using CURL should be:

curl --location --request HTTP_VERB 'api/path/to/resource' \
--header 'Authorization: Bearer XXXXXXXXXX' \
···

Password protected sites authentication

The site can be configured to be protected with basic access authentication. In this case all the requests to the API must include a valid authorization header. Otherwise the response of the API will have a 401 Unauthorized status and the body HTTP Basic: Access denied.

Valid tokens can be:

  • The tokens used in the previous section: The user must be active in the site or the admin must have permissions on the site.
  • A basic authorization token which can be built with the user/password pair defined in the admin form of the site. The token can be passed in the headers of the request with the key Authorization, the prefix Basic and the Base64 encoding of user and password joined by a single colon : as credentials.

For example, if the user/password pair is username/password, the request using CURL should be:

curl --location --request HTTP_VERB 'api/path/to/resource' \
--header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' \
···
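The two header forms described above, as an added shell example that is not part of the Gobierto documentation. The function names are hypothetical and the credentials are constructed placeholders. Decoding the header back shows that the Basic token is only an encoding of the user/password pair, so it gives no confidentiality on its own.

```shell
# Added example (not Gobierto code). Function names are hypothetical;
# credentials used with them should be treated as secrets.

# Build "Authorization: Bearer <token>" for a user or admin API key.
bearer_header() {
  printf 'Authorization: Bearer %s' "$1"
}

# Build "Authorization: Basic <base64(user:password)>".
# The user name must not contain a colon: the first colon is what
# separates user from password when the value is decoded.
basic_header() {
  local user="$1" password="$2"
  case "$user" in
    *:*) echo "user name must not contain ':'" >&2; return 1 ;;
  esac
  # tr removes the line wrapping that base64 adds to long inputs.
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')"
}

# Recover "user:password" from a Basic header. No key is needed,
# which is why the header must only travel over an encrypted channel.
decode_basic_header() {
  local value="${1#Authorization: Basic }"
  printf '%s' "$value" | base64 -d
}

# Split the decoded credentials at the first colon only,
# so a password may itself contain ':'.
basic_user() {
  local creds
  creds="$(decode_basic_header "$1")" && printf '%s' "${creds%%:*}"
}

basic_password() {
  local creds
  creds="$(decode_basic_header "$1")" && printf '%s' "${creds#*:}"
}

# Usage with curl (path is the placeholder used on this page):
#   curl --location 'api/path/to/resource' \
#     --header "$(basic_header username password)"
```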

Admins preview_token

Admins have a preview_token which can be used to access resources in draft status. By default, if a resource has a visibility_level attribute and it is set to draft, the API hides the resource and its subresources.

The preview_token must be included in the query of the request with the key preview_token. For example, if the token is XXXXXXXXXX, the request using CURL should be:

curl --location --request HTTP_VERB 'api/path/to/resource?preview_token=XXXXXXXXXX' \
···