Restrict public access to your content

September 6, 2022

Jan Cerman

4 min read

Protect your content and assets with secure access. You might want to use this with sensitive content, content hidden behind sign-in walls, or for projects that are not public facing.

Without secure access, your project's assets and published content items are publicly available by default.

Enable secure access

When you activate secure access for your project, the Delivery API starts requiring an API key with each API request for content. This applies to both Delivery REST API and Delivery GraphQL API. Also, Kontent.ai generates two API keys for Delivery API – Primary key and Secondary key.

Quick facts about the Primary and Secondary keys

The scope of the API keys is per environment.
Their default expiration date is 1 year.
Use the Primary key for continuous use in your apps.
Use the Secondary key when revoking the Primary key to prevent downtime.

In Kontent.ai, go to Project settings > API keys.
In Delivery API > Secure access, click the switch to activate secure access.
For one of the keys, click .

Use the new API key to authenticate your API requests.

Secure access keys in Kontent's settings

Retrieve content items securely

Tips for staying safe with secure access

Retrieve content on the server side and NOT client side to prevent leaking your API keys.
Store your API Keys outside your source code. For example, store them as environment variables. Make sure they're encrypted too.
Regenerate only one key at a time to prevent downtime.
Regenerate your API keys periodically. The older a key is, the higher the probability it could have been compromised.

When getting content items, add an API key on top of your requests. The code below shows how to securely retrieve content of an article named My article.

Java
// Tip: Find more about Java SDK at https://kontent.ai/learn/java
import kontent.ai.delivery.*;

// Initializes a DeliveryClient with secure access key
DeliveryClient client = new DeliveryClient(
	DeliveryOptions.builder()
		.projectId("<YOUR_PROJECT_ID>")
		.productionApiKey("<YOUR_API_KEY>")
		.build()
);

// Gets the latest version of an item
CompletionStage<ContentItemResponse> item = client.getItem("my_article");
// Tip: Find more about Java SDK at https://kontent.ai/learn/java
import kontent.ai.delivery.*;

// Initializes a DeliveryClient with secure access key
DeliveryClient client = new DeliveryClient(
	DeliveryOptions.builder()
		.projectId("<YOUR_PROJECT_ID>")
		.productionApiKey("<YOUR_API_KEY>")
		.build()
);

// Gets the latest version of an item
CompletionStage<ContentItemResponse> item = client.getItem("my_article");

JavaScript
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
const KontentDelivery = require('@kontent-ai/delivery-sdk');

const deliveryClient = KontentDelivery.createDeliveryClient({
  projectId: '<YOUR_PROJECT_ID>',
  defaultQueryConfig: {
    useSecuredMode: true, // Queries the Delivery API using secure access.
  },
  secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient.item('my_article')
  .toPromise();
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
const KontentDelivery = require('@kontent-ai/delivery-sdk');

const deliveryClient = KontentDelivery.createDeliveryClient({
  projectId: '<YOUR_PROJECT_ID>',
  defaultQueryConfig: {
    useSecuredMode: true, // Queries the Delivery API using secure access.
  },
  secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient.item('my_article')
  .toPromise();

C#
// Tip: Find more about .NET SDKs at https://kontent.ai/learn/net
using Kontent.Ai.Delivery;

// Creates an instance of the delivery client
// ProTip: Use DI for this in your apps https://kontent.ai/learn/net-register-client
IDeliveryClient client = DeliveryClientBuilder
    .WithOptions(builder => builder
        .WithProjectId("<YOUR_PROJECT_ID>")
        .UseProductionApi("<YOUR_API_KEY>")
        .Build())
    .Build();

// Gets a specific content item
// Create strongly typed models according to https://kontent.ai/learn/net-strong-types
IDeliveryItemResponse<Article> response = await client.GetItemAsync<Article>("my_article");

Article item = response.Item;
// Tip: Find more about .NET SDKs at https://kontent.ai/learn/net
using Kontent.Ai.Delivery;

// Creates an instance of the delivery client
// ProTip: Use DI for this in your apps https://kontent.ai/learn/net-register-client
IDeliveryClient client = DeliveryClientBuilder
    .WithOptions(builder => builder
        .WithProjectId("<YOUR_PROJECT_ID>")
        .UseProductionApi("<YOUR_API_KEY>")
        .Build())
    .Build();

// Gets a specific content item
// Create strongly typed models according to https://kontent.ai/learn/net-strong-types
IDeliveryItemResponse<Article> response = await client.GetItemAsync<Article>("my_article");

Article item = response.Item;

PHP
// Tip: Find more about PHP SDKs at https://kontent.ai/learn/php
// Defined by Composer to include required libraries
require __DIR__ . '/vendor/autoload.php';

use Kontent\Ai\Delivery\DeliveryClient;

$client = new DeliveryClient('<YOUR_PROJECT_ID>', null, '<YOUR_API_KEY>');

$item = $client->getItem('my_article');
// Tip: Find more about PHP SDKs at https://kontent.ai/learn/php
// Defined by Composer to include required libraries
require __DIR__ . '/vendor/autoload.php';

use Kontent\Ai\Delivery\DeliveryClient;

$client = new DeliveryClient('<YOUR_PROJECT_ID>', null, '<YOUR_API_KEY>');

$item = $client->getItem('my_article');

cURL
curl --request GET \
  --url https://deliver.kontent.ai/<YOUR_PROJECT_ID>/items/my_article \
  --header 'authorization: Bearer <YOUR_API_KEY>'
curl --request GET \
  --url https://deliver.kontent.ai/<YOUR_PROJECT_ID>/items/my_article \
  --header 'authorization: Bearer <YOUR_API_KEY>'

Ruby
# Tip: Find more about Ruby SDKs at https://kontent.ai/learn/ruby
require 'delivery-sdk-ruby'

delivery_client = Kontent::Ai::Delivery::DeliveryClient.new project_id: '<YOUR_PROJECT_ID>',
                    secure_key: '<YOUR_API_KEY>'
delivery_client.item('my_article').execute do |response|
  item = response.item
end
# Tip: Find more about Ruby SDKs at https://kontent.ai/learn/ruby
require 'delivery-sdk-ruby'

delivery_client = Kontent::Ai::Delivery::DeliveryClient.new project_id: '<YOUR_PROJECT_ID>',
                    secure_key: '<YOUR_API_KEY>'
delivery_client.item('my_article').execute do |response|
  item = response.item
end

TypeScript
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
import { IContentItem, createDeliveryClient, Elements } from '@kontent-ai/delivery-sdk';

// Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models
export type Article = IContentItem<{
	 title: Elements.TextElement;
	 summary: Elements.TextElement;
	 post_date: Elements.DateTimeElement;
	 teaser_image: Elements.AssetsElement;
	 related_articles: Elements.LinkedItemsElement<Article[]>;
}>;

const deliveryClient = createDeliveryClient({
	projectId: '<YOUR_PROJECT_ID>',
	defaultQueryConfig: {
		useSecuredMode: true // Queries the Delivery API using secure access.
	},
	secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient
	.item<Article>('my_article')
	.toPromise();
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
import { IContentItem, createDeliveryClient, Elements } from '@kontent-ai/delivery-sdk';

// Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models
export type Article = IContentItem<{
	 title: Elements.TextElement;
	 summary: Elements.TextElement;
	 post_date: Elements.DateTimeElement;
	 teaser_image: Elements.AssetsElement;
	 related_articles: Elements.LinkedItemsElement<Article[]>;
}>;

const deliveryClient = createDeliveryClient({
	projectId: '<YOUR_PROJECT_ID>',
	defaultQueryConfig: {
		useSecuredMode: true // Queries the Delivery API using secure access.
	},
	secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient
	.item<Article>('my_article')
	.toPromise();

After sending the request, you receive a single content item in the JSON format. You can filter your requests to retrieve only specific elements or items.

Retrieve assets securely

With advanced asset management, you can restrict access to all your project's assets by requiring an API key. This API key is different from the API keys in Project settings > API keys.

To set up secure access for assets, contact our support and let them know the following:

Your project ID
Whether secure assets should be enabled for the Delivery Preview API, Delivery API, or both

Once you enable secure assets, you'll need to provide an API to fetch every asset. Fetch assets on the server side of your app to prevent exposing the API key.

Revoke API keys

When you suspect unauthorized key usage, you need to revoke one or both of the API keys and generate new ones. For example, when a user with access to the Primary key had left your company. In such cases, we recommend switching to Secondary key and regenerating the Primary key.

Generating a new key will replace and revoke the old key. The revocation process can take up to a couple of minutes. Any requests made with a revoked API key receive the 401 Unauthorized error.

In Kontent.ai, go to Project settings > API keys.
In the Delivery API card, regenerate the Secondary key.
Update your apps to use the newly generated Secondary key.
Validate that your apps work correctly with the new key.
In the Delivery API card, regenerate the Primary key to ensure unauthorized users cannot use it to access your content.
(Optional) Switch to using the regenerated Primary key in your apps so that your configuration is the same as you started.

Is this page helpful?

Yes No