Restrict public access to your content

March 28, 2023

Jan Cerman

4 min read

Protect your content and assets with secure access. You might want to enable secure access with sensitive content, content hidden behind sign-in walls, or for projects that are not public facing.

Without secure access, your assets and published content items are publicly available by default.

Enable secure access

When you activate secure access, Delivery API requires an API key with each API request for content. This applies to both Delivery REST API and Delivery GraphQL API. Kontent.ai generates two API keys for Delivery API – Primary and Secondary keys.

Quick facts about the Primary and Secondary keys

The scope of the API keys is per environment.
Their default expiration date is 1 year.
Use the Primary key for continuous use in your apps.
Use the Secondary key when revoking the Primary key to prevent downtime.

In Kontent.ai, go to Environment settings > API keys.
In Delivery API > Secure access, click the switch to activate secure access.
For one of the keys, click .

Use the new API key to authenticate your API requests.

Secure access keys in Kontent's settings

Retrieve content items securely

Tips for staying safe with secure access

Retrieve content on the server side and NOT client side to prevent leaking your API keys.
Store your API Keys outside your source code. For example, store them as environment variables. Make sure they're encrypted too.
Regenerate only one key at a time to prevent downtime.
Regenerate your API keys periodically. The older a key is, the higher the probability it could have been compromised.

When getting content items, add an API key on top of your requests. The code below shows how to securely retrieve the content of an article named My article.

Java
// Tip: Find more about Java SDK at https://kontent.ai/learn/java
import kontent.ai.delivery.*;

// Initializes a DeliveryClient with secure access key
DeliveryClient client = new DeliveryClient(
	DeliveryOptions.builder()
		.projectId("<YOUR_PROJECT_ID>")
		.productionApiKey("<YOUR_API_KEY>")
		.build()
);

// Gets the latest version of an item
CompletionStage<ContentItemResponse> item = client.getItem("my_article");
// Tip: Find more about Java SDK at https://kontent.ai/learn/java
import kontent.ai.delivery.*;

// Initializes a DeliveryClient with secure access key
DeliveryClient client = new DeliveryClient(
	DeliveryOptions.builder()
		.projectId("<YOUR_PROJECT_ID>")
		.productionApiKey("<YOUR_API_KEY>")
		.build()
);

// Gets the latest version of an item
CompletionStage<ContentItemResponse> item = client.getItem("my_article");

JavaScript
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
const KontentDelivery = require('@kontent-ai/delivery-sdk');

const deliveryClient = KontentDelivery.createDeliveryClient({
  environmentId: '<YOUR_ENVIRONMENT_ID>',
  defaultQueryConfig: {
    useSecuredMode: true, // Queries the Delivery API using secure access.
  },
  secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient.item('my_article')
  .toPromise();
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
const KontentDelivery = require('@kontent-ai/delivery-sdk');

const deliveryClient = KontentDelivery.createDeliveryClient({
  environmentId: '<YOUR_ENVIRONMENT_ID>',
  defaultQueryConfig: {
    useSecuredMode: true, // Queries the Delivery API using secure access.
  },
  secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient.item('my_article')
  .toPromise();

C#
// Tip: Find more about .NET SDKs at https://kontent.ai/learn/net
using Kontent.Ai.Delivery;

// Creates an instance of the delivery client
// ProTip: Use DI for this in your apps https://kontent.ai/learn/net-register-client
IDeliveryClient client = DeliveryClientBuilder
    .WithOptions(builder => builder
        .WithProjectId("<YOUR_PROJECT_ID>")
        .UseProductionApi("<YOUR_API_KEY>")
        .Build())
    .Build();

// Gets a specific content item
// Create strongly typed models according to https://kontent.ai/learn/net-strong-types
IDeliveryItemResponse<Article> response = await client.GetItemAsync<Article>("my_article");

Article item = response.Item;
// Tip: Find more about .NET SDKs at https://kontent.ai/learn/net
using Kontent.Ai.Delivery;

// Creates an instance of the delivery client
// ProTip: Use DI for this in your apps https://kontent.ai/learn/net-register-client
IDeliveryClient client = DeliveryClientBuilder
    .WithOptions(builder => builder
        .WithProjectId("<YOUR_PROJECT_ID>")
        .UseProductionApi("<YOUR_API_KEY>")
        .Build())
    .Build();

// Gets a specific content item
// Create strongly typed models according to https://kontent.ai/learn/net-strong-types
IDeliveryItemResponse<Article> response = await client.GetItemAsync<Article>("my_article");

Article item = response.Item;

PHP
// Tip: Find more about PHP SDKs at https://kontent.ai/learn/php
// Defined by Composer to include required libraries
require __DIR__ . '/vendor/autoload.php';

use Kontent\Ai\Delivery\DeliveryClient;

$client = new DeliveryClient('<YOUR_PROJECT_ID>', null, '<YOUR_API_KEY>');

$item = $client->getItem('my_article');
// Tip: Find more about PHP SDKs at https://kontent.ai/learn/php
// Defined by Composer to include required libraries
require __DIR__ . '/vendor/autoload.php';

use Kontent\Ai\Delivery\DeliveryClient;

$client = new DeliveryClient('<YOUR_PROJECT_ID>', null, '<YOUR_API_KEY>');

$item = $client->getItem('my_article');

cURL
curl --request GET \
  --url https://deliver.kontent.ai/<YOUR_ENVIRONMENT_ID>/items/my_article \
  --header 'authorization: Bearer <YOUR_API_KEY>'
curl --request GET \
  --url https://deliver.kontent.ai/<YOUR_ENVIRONMENT_ID>/items/my_article \
  --header 'authorization: Bearer <YOUR_API_KEY>'

Ruby
# Tip: Find more about Ruby SDKs at https://kontent.ai/learn/ruby
require 'delivery-sdk-ruby'

delivery_client = Kontent::Ai::Delivery::DeliveryClient.new project_id: '<YOUR_PROJECT_ID>',
                    secure_key: '<YOUR_API_KEY>'
delivery_client.item('my_article').execute do |response|
  item = response.item
end
# Tip: Find more about Ruby SDKs at https://kontent.ai/learn/ruby
require 'delivery-sdk-ruby'

delivery_client = Kontent::Ai::Delivery::DeliveryClient.new project_id: '<YOUR_PROJECT_ID>',
                    secure_key: '<YOUR_API_KEY>'
delivery_client.item('my_article').execute do |response|
  item = response.item
end

TypeScript
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
import { IContentItem, createDeliveryClient, Elements } from '@kontent-ai/delivery-sdk';

// Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models
export type Article = IContentItem<{
	 title: Elements.TextElement;
	 summary: Elements.TextElement;
	 post_date: Elements.DateTimeElement;
	 teaser_image: Elements.AssetsElement;
	 related_articles: Elements.LinkedItemsElement<Article[]>;
}>;

const deliveryClient = createDeliveryClient({
	environmentId: '<YOUR_ENVIRONMENT_ID>',
	defaultQueryConfig: {
		useSecuredMode: true // Queries the Delivery API using secure access.
	},
	secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient
	.item<Article>('my_article')
	.toPromise();
// Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript
import { IContentItem, createDeliveryClient, Elements } from '@kontent-ai/delivery-sdk';

// Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models
export type Article = IContentItem<{
	 title: Elements.TextElement;
	 summary: Elements.TextElement;
	 post_date: Elements.DateTimeElement;
	 teaser_image: Elements.AssetsElement;
	 related_articles: Elements.LinkedItemsElement<Article[]>;
}>;

const deliveryClient = createDeliveryClient({
	environmentId: '<YOUR_ENVIRONMENT_ID>',
	defaultQueryConfig: {
		useSecuredMode: true // Queries the Delivery API using secure access.
	},
	secureApiKey: '<YOUR_API_KEY>',
});

const response = await deliveryClient
	.item<Article>('my_article')
	.toPromise();

After sending the request, you receive a single content item in the JSON format. You can filter your requests to retrieve only specific elements or items.

Retrieve assets securely

With advanced asset management, you can restrict access to your assets by requiring an API key. This API key differs from the API keys in Environment settings > API keys.

To set up secure access for assets, contact our support and let them know the following:

Your environment ID
Whether secure assets should be enabled for the Delivery Preview API, Delivery API, or both

Once you enable secure assets, you need to provide an API key for every asset request. Fetch assets on the server side of your app to prevent exposing the API key.

Revoke API keys

When you suspect unauthorized key usage, you need to revoke one or both of the API keys and generate new ones. For example, when a user with access to the Primary key had left your company. In such cases, we recommend that you switch to the Secondary key and regenerate the Primary key.

Generating a new key will replace and revoke the old key. The revocation process can take up to a couple of minutes. Any requests made with a revoked API key receive the 401 Unauthorized error.

In Kontent.ai, go to Environment settings > API keys.
In the Delivery API card, regenerate the Secondary key.
Update your apps to use the newly generated Secondary key.
Validate that your apps work correctly with the new key.
In the Delivery API card, regenerate the Primary key to ensure unauthorized users cannot use it to access your content.
(Optional) Switch to using the regenerated Primary key in your apps so that your configuration is the same as you started.

Is this page helpful?

Yes No