Kirby's REST API is based on user permissions. This helps increase security by blocking operations for unauthorized users. You can read more about specific user permissions in the user permissions docs.
The Panel uses session-based authentication, which is not really typical for REST APIs, but works best in combination with frontend authentication and is also the most secure way when you don't have control over the backend environment and you cannot work with trusted private keys.
We use sessions purely for authentication to keep communication with the API stateless.
Session-based authentication requires CSRF token validation. The CSRF token has to be sent in the X-CSRF header for every request. A token can be generated with the csrf() helper in the backend (e.g. in a template).
Sessions also require a correct session cookie for every request. Therefore, session-based authentication works best when you make API calls from the frontend of the same site/domain.
To enable truly stateless, remote authentication, our API offers HTTP Basic auth as an alternative to sessions. This is particularly useful if you want to make requests from the backend of a different site or in a command line tool.
Basic auth has to be activated in the config:
When Basic auth is activated, you must send an Authorization header with every request.
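As an added example (not code from the Kirby docs or the Kirby project), here is a small Python client that makes a remote request with HTTP Basic auth and refuses to send the credentials over plain HTTP, matching the API's HTTPS-only rule. It assumes the API is served under /api, that /api/site returns the site object, that the login credentials are the user's e-mail and password, and that Basic auth has been switched on in the config with the api.basicAuth option.

```python
# Added example: remote client for Kirby's REST API using HTTP Basic auth.
# Assumes site/config/config.php contains 'api' => ['basicAuth' => true].
import base64
import json
import urllib.request
from urllib.parse import urlsplit


def basic_auth_header(email, password):
    """Value for the Authorization header: 'Basic ' + base64('email:password')."""
    raw = f"{email}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(base_url, path, email, password, method="GET", body=None):
    """Assemble the request. Fail before any credentials leave the process
    if the URL is not HTTPS; Basic auth sends the password with every call."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("Basic auth is only safe over HTTPS; refusing " + base_url)
    url = base_url.rstrip("/") + "/api/" + path.lstrip("/")
    headers = {
        "Authorization": basic_auth_header(email, password),
        "Accept": "application/json",
    }
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def api_call(base_url, path, email, password, method="GET", body=None):
    """Send the request and decode the JSON response body."""
    req = build_request(base_url, path, email, password, method, body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Hypothetical site and credentials; replace with your own.
    print(api_call("https://example.com", "site", "admin@example.com", "secret"))
```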
Basic auth is only available over HTTPS, so that the credentials are not sent unencrypted over the wire with every request. This restriction can be disabled via the
Here's a simple example of a remote request in PHP with our