Hi all, I’m exposing the Content REST API via a preview (hst:type = preview) so I can also access unpublished content from an external service. And logically I want to secure this API as it’s not supposed to be available to the public.
Is there a way to protect the Content REST API with an api key (that consumers have to specify in an x-api-key request header)?
Update:
By Content REST API I meant the generic REST API that comes out of the box. The preview endpoints for this API I want to secure with an api key are, for example:
I’ve updated my question and added that it’s regarding the generic Content REST API that comes out of the box. (Instead of a custom jax-rs service)
From the documentation (see link below) I understood that it’s possible to enable basic authentication. However I was wondering if there’s a way to add an api key check to specific endpoints.
Regarding basic authentication, according to the documentation it’s possible to enable basic authentication (see link below). However, the documentation also says that by default form-based authentication is configured on the delivery tier. My questions in this regard are:
When I enable basic authentication does it mean that all secured delivery tier services will get basic authentication (like the site preview)?
Can’t each service be configured to use a different AuthenticationProvider?
Is it possible to have a user that can access the API endpoints (through basic authentication), but has no or minimum permissions in the CMS?