Module Description
Provides simple key-based authentication on a per-user basis similar to basic_auth but without requiring usernames or passwords. This is ideal for sites that expose consumer-facing APIs via rest, jsonapi, or something similar.
Keys are stored in the user entity so there are no additional tables or entities.
Available configuration
* Optionally automatically generate a key for users when accounts are created
* Key length (defaults to 32 characters)
* Control the parameter name that contains the key (defaults to api-key)
* Detect the key via a header, query, or both
Setup and usage
* Remove the View published content permission from the role you are using this module for.
* Install the module.
* Grant users the Use key authentication permission.
* Configure the basic settings at admin/config/services/key-auth.
* Users with adequate permissions can view/update/delete their key at user/{user}/key-auth.
* To use with core rest, enable the key_auth authentication provider for your endpoints of choice.
* To use with jsonapi, no additional configuration is required.
* If Header detection is enabled, pass in a header with the name chosen in the configuration and a value of your user's key (e.g., api-key: b9a9a0ee50ceab7191282b51c).
* If Query detection is enabled, include a query parameter in the endpoint URL with the name chosen in the configuration and a value of your user's key (e.g., ?api-key=b9a9a0ee50ceab7191282b51c).
Please Note: To deny the anonymous user role access to a REST endpoint, one needs to change permissions and deny the anonymous user the permission "View published content". Then one can enable this module and use Key authentication (as an alternative to Basic authentication) to get access to the endpoint.
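One way to check this setup from the client side, as an added example that is not part of the module or its documentation: it sends one anonymous request and one keyed request per detection method, and reports every response that does not match the detection methods you enabled. It assumes the endpoint is a single-resource URL that answers 200 when authorized and 401 or 403 otherwise; the function names are hypothetical.

```python
"""Smoke check for an endpoint protected by key authentication (added example)."""
import urllib.error
import urllib.parse
import urllib.request

PARAM = "api-key"    # default parameter name stated on this page
DENIED = (401, 403)  # assumption: how the endpoint refuses a request


def build_request(url, key=None, mode=None, param=PARAM):
    """Return a Request carrying the key in a header, in the query, or not at all."""
    if key and mode == "query":
        parts = urllib.parse.urlsplit(url)
        query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
        query.append((param, key))
        url = urllib.parse.urlunsplit(
            parts._replace(query=urllib.parse.urlencode(query)))
    req = urllib.request.Request(url)
    if key and mode == "header":
        req.add_header(param, key)
    return req


def http_status(req):
    """Send the request and return its HTTP status, including 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def smoke_check(url, key, enabled=("header",), send=http_status):
    """Return a list of findings; an empty list means behaviour matches the config."""
    findings = []
    # Anonymous access must be refused, otherwise the key protects nothing.
    if send(build_request(url)) not in DENIED:
        findings.append("anonymous: expected denied")
    for mode in ("header", "query"):
        status = send(build_request(url, key, mode))
        if mode in enabled and status != 200:
            findings.append(f"{mode}: expected 200, got {status}")
        elif mode not in enabled and status not in DENIED:
            # A detection method you turned off should not accept the key.
            findings.append(f"{mode}: expected denied, got {status}")
    return findings
```

Pass `enabled=("header", "query")` when both detection methods are switched on in the module settings.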
Module Link
Project Usage
2216
Security Covered
Covered By Security Advisory
Version Available
Production
Module Summary
This module aims to solve the issue of providing simple key-based authentication on a per-user basis without requiring usernames or passwords for sites that expose consumer-facing APIs via rest, jsonapi, or similar methods.
Data Name
key_auth