Kentico CMS 7.0 Developer's Guide

Authenticating REST requests


Every REST request needs to be authenticated. You can select the Authentication type of the REST service in Site Manager -> Settings -> Integration -> REST.


Basic authentication


With Basic authentication, you need to specify the username and password through the Authorization line in the header of every REST request. The header line consists of:


   The authentication type (Basic)

   The username and password connected by a colon (username:password), encoded using the Base64 algorithm


For example:


Authorization: Basic UmVzdENsaWVudDpzZWNyZXQ=


Note: We strongly recommend using SSL to protect the authentication credentials in the request headers. See also: SSL (HTTPS) support


Forms authentication


When using forms authentication of requests, the system identifies users based on the active session and the authentication ticket stored in the .ASPXFORMSAUTH cookie. You can use forms authentication to create a web interface with a login page, and allow users to send REST requests through their browser.


Forms authentication can pose a security threat, because logged-in users may unknowingly click links that send malicious REST requests to your site. To protect yourself from such attacks, take the following steps:


1. Immediately after creating the session (i.e. first authentication), you need to set up an authentication token by sending a POST request to the following URL:

http://<your project URL>/rest/settoken?username=<your user name>&password=<your password>&token=<your authentication token>


The authentication token can be an arbitrary string of characters, for example a GUID.


2. Include the authentication token in the HTTP header of every REST request:


Cms-Session-Token: <your authentication token>
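
The two steps above from the client's side, as an added example (not part of the Kentico documentation or Kentico's own code): it generates the token with a CSPRNG, builds the settoken request and then a REST request that carries the token header. The base URL, the credentials, the cms.user/all path, the function names and the HTTPS-only check are assumptions made for illustration; the requests are only constructed here, and sending them requires the session that holds the .ASPXFORMSAUTH cookie.

```python
import secrets
import urllib.parse
import urllib.request

TOKEN_HEADER = "Cms-Session-Token"  # header name given in step 2


def new_session_token() -> str:
    """Unguessable token; the docs allow any string, a CSPRNG value is assumed here."""
    return secrets.token_urlsafe(32)


def _site_root(base_url: str) -> str:
    # Added safeguard (an assumption, not a Kentico requirement): settoken
    # carries the password in the query string, so refuse plaintext HTTP.
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("use an https:// project URL")
    return base_url.rstrip("/")


def build_settoken_request(base_url, username, password, token):
    """Step 1: POST to /rest/settoken right after the session is created."""
    query = urllib.parse.urlencode(  # percent-encodes '&', '@', '=' in values
        {"username": username, "password": password, "token": token}
    )
    url = f"{_site_root(base_url)}/rest/settoken?{query}"
    return urllib.request.Request(url, data=b"", method="POST")


def build_rest_request(base_url, rest_path, token, method="GET"):
    """Step 2: every later REST request carries the token in its header."""
    url = f"{_site_root(base_url)}/rest/{rest_path.lstrip('/')}"
    request = urllib.request.Request(url, method=method)
    request.add_header(TOKEN_HEADER, token)
    return request


if __name__ == "__main__":
    base = "https://cms.example.test/site"  # constructed sample project URL
    token = new_session_token()
    step1 = build_settoken_request(base, "RestClient", "p@ss&word", token)
    step2 = build_rest_request(base, "cms.user/all", token)  # constructed sample path
    print(step1.get_method(), step1.full_url)
    print(step2.get_method(), step2.full_url, step2.header_items())
```
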


Hash parameter authentication


You can authenticate individual REST requests by adding a hash parameter to the URL. The hash parameter allows you to prepare REST requests that can be executed by unauthenticated users. Requests that contain the hash parameter ignore the other types of authentication — the value of the Authentication type setting does not affect hash authentication.


Note: Hash parameter authentication only works for GET requests (read-only data retrieval). You cannot use hash parameter authentication for /all object retrieval requests (~/rest/<objecttype>/all). This is an intentional security limitation that protects global data in the system.


Only use hash parameter authentication for loading data that you want to make publicly available. REST requests with hash authentication can be executed by anyone who obtains the URL (for example by intercepting the web request).



To get the authentication hash for REST requests:


1. Prepare the URL of your REST request in advance.

2. Go to Site Manager -> Settings -> Integration -> REST.

3. Click Generate authentication hash.

4. Enter the full absolute URL of the REST request, including the protocol, website domain name, virtual directory, REST path, and query string parameters. For example:

5. Click Authenticate.


The system adds the authentication hash parameter to the URL. You can copy the URL and use it to perform the REST request without any other type of authentication.