How to restrict access to the Umbraco Content Delivery API

19/05/2023 umbraco

In this post I will discuss how to restrict your Umbraco Content Delivery API with an API key.

As per my previous post, Umbraco 12 will support the Content Delivery API out of the box. Follow the instructions in that post to get set up and test your APIs.

At this point our APIs can be called by anyone, which may be fine for your scenario. But if you need access to be restricted, you can require a valid API key on every call. This is done by setting the PublicAccess and ApiKey fields in appsettings.json. I have just generated a random GUID for my key:

"DeliveryApi": {
   "Enabled": true,
   "PublicAccess": false,
   "ApiKey": "6536e4ec-cba3-4411-a21e-d933eb7dcc26"
}

Now, let's go to Postman and test our API...

It's unauthorised, but all good; that's expected now that we have set PublicAccess to false.

In our Postman call, we must now set the Api-Key header. If we populate this and resend, we will get our content.

Now our Content Delivery API is restricted by an API key, so only callers that have the key can call it.
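The Postman check above as a repeatable script (an added example, not code from the original post): it confirms that a request with no key or a wrong key is refused and that only the configured key gets a 200. The `/umbraco/delivery/api/v1/content` route, the function names and the local stub that stands in for a site with PublicAccess set to false are assumptions; pass your own site URL and key to `check_restricted` to run it against a real install.

```python
import http.server
import threading
import urllib.error
import urllib.request

CONTENT_PATH = "/umbraco/delivery/api/v1/content"  # assumed route, not from the post


def status_for(base_url, api_key=None):
    """Return the HTTP status of a GET to the content endpoint."""
    req = urllib.request.Request(base_url + CONTENT_PATH)
    if api_key is not None:
        req.add_header("Api-Key", api_key)  # header name used in the post
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_restricted(base_url, api_key):
    """Return {probe: (status, passed)}; only the valid key may get a 200."""
    probes = [("no key", None), ("wrong key", "not-the-key"), ("valid key", api_key)]
    results = {}
    for name, key in probes:
        status = status_for(base_url, key)
        results[name] = (status, (status == 200) == (key == api_key))
    return results


def start_stub(expected_key):
    """Constructed local stand-in for a site with PublicAccess set to false."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.headers.get("Api-Key") == expected_key
            self.send_response(200 if ok else 401)
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    url = start_stub("constructed-demo-key")
    print(check_restricted(url, "constructed-demo-key"))
```

A `False` in any result tuple means the endpoint answered differently from what the restriction should produce, for example a 200 on the "no key" probe if PublicAccess was left at true.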

One restriction seems to be that you can only have one API key per solution. Hopefully a future Umbraco change will allow more than one, or even API key management in the backoffice 🤞

You can read more about Umbraco 12 here: https://docs.umbraco.com/umbraco-cms/v/12.latest 
