Secure access

Is this page helpful?
  • javascript icon
    JavaScript
  • typescript icon
    TypeScript
  • dot-net icon
    .NET
  • java icon
    Java
  • php icon
    PHP
  • ruby icon
    Ruby
  • curl icon
    REST
calendar icon
user iconJan Cerman
clock icon6 minutes
bullseye iconDelivery API
arrow-down-line iconDownload PDF
Protect your content and assets with secure access. You might want to enable secure access with sensitive content, content hidden behind sign-in walls, or for projects that are not public facing.Without secure access, your assets and published content items are publicly available by default.

Enable secure access

When you activate secure access, Delivery API requires an API key with each API request for content. This applies to both Delivery REST API and Delivery GraphQL API.
  1. In Kontent.ai, go to cogwheel icon Environment settings > General.
  2. In Enabled APIs, use the toggle to activate Secure access for Delivery API.
  3. In cogwheels icon Project settings > API keys, create a Delivery API key with permission for secure access.
Use the new API key to authenticate your API requests.

Retrieve content items securely

When getting content items, specify the API key when making requests. The code below shows how to securely retrieve the content of an article named My article.
After sending the request, you receive a single content item in the JSON format. You can filter your requests to retrieve only specific elements or items.

Retrieve assets securely

Do you manage confidential assets or need to run an intranet website? In that case, you might want to keep your assets away from the public. You can restrict access to your assets by requiring an API key. This API key differs from the API keys in cogwheels icon Project settings > API keys. To set up secure access for assets, contact our support and let them know the following:
  • Your environment ID
  • Whether to enable secure assets for the Delivery Preview API, Delivery API, or both
Once you enable secure assets, you need to provide an API key for every asset request. Fetch assets on the server side of your app to prevent exposing the API key.

Revoke API keys

When you suspect unauthorized key usage, you need to switch to a new API key and revoke the old one. For example, when a user leaves your company. We recommend switching to a newly created API key and revoking the old API key. The revocation process can take up to a couple of minutes. Any requests made with a revoked API key receive the 401 Unauthorized errorarrow-right-top-square icon.
  • Docs
  • AI accelerators
  • Collections
  • Custom elements
  • Environments
  • Keyboard shortcuts
  • Mission Control
  • Projects
  • Spaces
  • Task management
  • Terminology
An image showing two enabled APIs, where one of them is the Delivery API's secure access activated for an environment.
  • desktop-alt icon
  • Cheat sheets
  • Documentation
  • API reference
  • Product updates
Kontent.ai Learn
  • Plan
  • Set up
  • Model
  • Develop
  • Create
  • Audit log
  • Data encryption
  • Multifactor authentication
  • Personal data in Kontent.ai
  • Secure access
  • Security controls
  • Single sign-on
Copyright © 2024 Kontent.aiarrow-right-top-square icon. All rights reserved.
  • Webarrow-right-top-square icon
  • Privacy policyarrow-right-top-square icon
  • Cookies policy
  • Consent settingsarrow-right-top-square icon
  • Securityarrow-right-top-square icon
  • GDPRarrow-right-top-square icon
light-bulb icon
  • PHP
This feature isn’t available for some legacy plan subscriptions. Contact us to find out your options.
  • Sign in
    • <?php
// Tip: Find more about PHP SDKs at https://kontent.ai/learn/php
// Defined by Composer to include required libraries
require __DIR__ . '/vendor/autoload.php';

use Kontent\Ai\Delivery\DeliveryClient;

$client = new DeliveryClient('<YOUR_ENVIRONMENT_ID>', null, '<YOUR_API_KEY>');

$item = $client->getItem('my_article');
?>
    Tips for staying safe with secure access
    • Retrieve content on the server side and NOT on the client side to prevent leaking your API keys.
    • Store your API Keys outside your source code. For example, store them as environment variables. Make sure they’re encrypted too.
    • Rotate your API keys periodically. The older an API key is, the higher the probability it could have been compromised.
    • Before you regenerate or revoke an API key, ensure your apps use a new API key to prevent downtime.
  • Enable secure access
  • Retrieve content items securely
  • Retrieve assets securely
  • Revoke API keys