Authentication
Users/admins authentication
Some actions of the Gobierto API are protected and are only available to authenticated users or admins. Each user or admin of Gobierto has at least one primary API key, which can be used to authenticate them.
If an action requires authentication, or is only allowed to a specific user or admin, and it is called without a token or with a wrong token, the API responds with a 401 Unauthorized status and the following JSON content:
{
"message": "Unauthorized"
}
The token must be included in the headers of the request with the key Authorization and the prefix Bearer. For example, if the token is XXXXXXXXXX, the request using curl should be:
curl --location --request HTTP_VERB 'api/path/to/resource' \
--header 'Authorization: Bearer XXXXXXXXXX' \
···
Password protected sites authentication
The site can be configured to be protected with basic access authentication. In this case, all requests to the API must include a valid authorization header. Otherwise the response of the API will have a 401 Unauthorized status and the following body:
HTTP Basic: Access denied.
Valid tokens can be:
- The tokens used in the previous section: The user must be active in the site or the admin must have permissions on the site.
- A basic authorization token, which can be built with the user/password pair defined in the admin form of the site. The token is passed in the headers of the request with the key Authorization, the prefix Basic and, as credentials, the Base64 encoding of the user and password joined by a single colon (:).
For example, if the user/password pair is username/password, the request using curl should be:
curl --location --request HTTP_VERB 'api/path/to/resource' \
--header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' \
···
Admins preview_token
Admins have a preview_token which can be used to access resources in draft status. By default, if a resource has a visibility_level attribute and it is set to draft, the API hides it and its subresources.
The preview_token must be included in the query of the request with the key preview_token. For example, if the token is XXXXXXXXXX, the request using curl should be:
curl --location --request HTTP_VERB 'api/path/to/resource?preview_token=XXXXXXXXXX' \
···
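The Python code below is an added example, not part of the Gobierto documentation or code base. It builds the Basic Authorization value and the preview_token query string described above, shows that the Basic token decodes straight back to the user/password pair, and redacts both kinds of credential before a request is written to a log. The host name and all function names are assumptions made for illustration.

```python
from __future__ import annotations
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample URL; the host is a placeholder, not a real Gobierto site.
SAMPLE_URL = "https://gobierto.example/api/path/to/resource?page=2"


def basic_authorization(user: str, password: str) -> str:
    """Build the Authorization value: 'Basic ' + Base64(user ':' password)."""
    if ":" in user:
        # The first colon separates user from password, so a colon in the
        # user name would be read by the server as part of the password.
        raise ValueError("user name must not contain ':'")
    pair = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def decode_basic_authorization(value: str) -> tuple[str, str]:
    """Recover (user, password) from a Basic header value.

    Base64 is an encoding, not encryption: anyone who sees the header
    (proxy, log file, plain-HTTP capture) can do exactly this.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization value")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("decoded credentials contain no ':' separator")
    return user, password


def add_preview_token(url: str, token: str) -> str:
    """Put preview_token in the query string, replacing any existing value."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "preview_token"]
    query.append(("preview_token", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_for_log(url: str, headers: dict[str, str]) -> tuple[str, dict[str, str]]:
    """Return copies of url and headers that are safe to write to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "preview_token" else v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    safe = {k: ("REDACTED" if k.lower() == "authorization" else v) for k, v in headers.items()}
    return urlunsplit(parts._replace(query=urlencode(query))), safe
```

Because the preview_token travels in the URL, it is recorded by default in web server and proxy access logs, which is why the redaction step treats it the same way as the Authorization header.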