Skip navigation

Restrict public access to your content

4 min read
Download PDF

Protect your content and assets with secure access. You might want to use this with sensitive content, content hidden behind sign-in walls, or for projects that are not public facing.

Without secure access, your project's assets and published content items are publicly available by default.

Table of contents

    Enable secure access

    When you activate secure access for your project, the Delivery API starts requiring an API key with each API request for content. This applies to both Delivery REST API and Delivery GraphQL API. Also, Kontent.ai generates two API keys for Delivery API – Primary key and Secondary key.

    Quick facts about the Primary and Secondary keys

    • The keys are generated per project.
    • The keys don't have an expiration date.
    • Use the Primary key for continuous use in your apps.
    • Use the Secondary key when revoking the Primary key to prevent downtime.
    1. In Kontent.ai, go to  Project settings > API keys.
    2. In Delivery API > Secure access, click the switch to activate secure access.
    3. For one of the keys, click .

    Use the new API key to authenticate your API requests.

    Secure access keys in Kontent's settings

    Retrieve content items securely

    Tips for staying safe with secure access

    • Retrieve content on the server side and NOT client side to prevent leaking your API keys.
    • Store your API Keys outside your source code. For example, store them as environment variables. Make sure they're encrypted too.
    • Regenerate only one key at a time to prevent downtime.
    • Regenerate your API keys periodically. The older a key is, the higher the probability it could have been compromised.

    When getting content items, add an API key on top of your requests. The code below shows how to securely retrieve content of an article named My article.

    • Swift
    // Tip: Find more about Swift SDK at https://kontent.ai/learn/ios import KenticoKontentDelivery let client = DeliveryClient.init(projectId: "<YOUR_PROJECT_ID>", secureApiKey: "<YOUR_API_KEY>") // Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models client.getItem(modelType: Article.self, itemName: "my_article") { (isSuccess, deliveryItem, error) in if isSuccess { if let article = deliveryItem.item { // Use your item here } } else { if let error = error { print(error) } }
    // Tip: Find more about Swift SDK at https://kontent.ai/learn/ios import KenticoKontentDelivery let client = DeliveryClient.init(projectId: "<YOUR_PROJECT_ID>", secureApiKey: "<YOUR_API_KEY>") // Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models client.getItem(modelType: Article.self, itemName: "my_article") { (isSuccess, deliveryItem, error) in if isSuccess { if let article = deliveryItem.item { // Use your item here } } else { if let error = error { print(error) } }
    • Java
    // Tip: Find more about Java SDK at https://kontent.ai/learn/java import kentico.kontent.delivery.*; // Initializes a DeliveryClient with secure access key DeliveryClient client = new DeliveryClient( DeliveryOptions.builder() .projectId("<YOUR_PROJECT_ID>") .productionApiKey("<YOUR_API_KEY>") .build() ); // Gets the latest version of an item CompletionStage<ContentItemResponse> item = client.getItem("my_article");
    // Tip: Find more about Java SDK at https://kontent.ai/learn/java import kentico.kontent.delivery.*; // Initializes a DeliveryClient with secure access key DeliveryClient client = new DeliveryClient( DeliveryOptions.builder() .projectId("<YOUR_PROJECT_ID>") .productionApiKey("<YOUR_API_KEY>") .build() ); // Gets the latest version of an item CompletionStage<ContentItemResponse> item = client.getItem("my_article");
    • JavaScript
    // Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript const KontentDelivery = require('@kontent-ai/delivery-sdk'); const deliveryClient = KontentDelivery.createDeliveryClient({ projectId: '<YOUR_PROJECT_ID>', defaultQueryConfig: { useSecuredMode: true, // Queries the Delivery API using secure access. }, secureApiKey: '<YOUR_API_KEY>', }); const response = await deliveryClient.item('my_article') .toPromise();
    // Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript const KontentDelivery = require('@kontent-ai/delivery-sdk'); const deliveryClient = KontentDelivery.createDeliveryClient({ projectId: '<YOUR_PROJECT_ID>', defaultQueryConfig: { useSecuredMode: true, // Queries the Delivery API using secure access. }, secureApiKey: '<YOUR_API_KEY>', }); const response = await deliveryClient.item('my_article') .toPromise();
    • C#
    // Tip: Find more about .NET SDKs at https://kontent.ai/learn/net using Kontent.Ai.Delivery; // Creates an instance of the delivery client // ProTip: Use DI for this in your apps https://kontent.ai/learn/net-register-client IDeliveryClient client = DeliveryClientBuilder .WithOptions(builder => builder .WithProjectId("<YOUR_PROJECT_ID>") .UseProductionApi("<YOUR_API_KEY>") .Build()) .Build(); // Gets a specific content item // Create strongly typed models according to https://kontent.ai/learn/net-strong-types IDeliveryItemResponse<Article> response = await client.GetItemAsync<Article>("my_article"); Article item = response.Item;
    // Tip: Find more about .NET SDKs at https://kontent.ai/learn/net using Kontent.Ai.Delivery; // Creates an instance of the delivery client // ProTip: Use DI for this in your apps https://kontent.ai/learn/net-register-client IDeliveryClient client = DeliveryClientBuilder .WithOptions(builder => builder .WithProjectId("<YOUR_PROJECT_ID>") .UseProductionApi("<YOUR_API_KEY>") .Build()) .Build(); // Gets a specific content item // Create strongly typed models according to https://kontent.ai/learn/net-strong-types IDeliveryItemResponse<Article> response = await client.GetItemAsync<Article>("my_article"); Article item = response.Item;
    • PHP
    // Tip: Find more about PHP SDKs at https://kontent.ai/learn/php // Defined by Composer to include required libraries require __DIR__ . '/vendor/autoload.php'; use Kentico\Kontent\Delivery\DeliveryClient; $client = new DeliveryClient('<YOUR_PROJECT_ID>', null, '<YOUR_API_KEY>'); $item = $client->getItem('my_article');
    // Tip: Find more about PHP SDKs at https://kontent.ai/learn/php // Defined by Composer to include required libraries require __DIR__ . '/vendor/autoload.php'; use Kentico\Kontent\Delivery\DeliveryClient; $client = new DeliveryClient('<YOUR_PROJECT_ID>', null, '<YOUR_API_KEY>'); $item = $client->getItem('my_article');
    • cURL
    curl --request GET \ --url https://deliver.kontent.ai/<YOUR_PROJECT_ID>/items/my_article \ --header 'authorization: Bearer <YOUR_API_KEY>'
    curl --request GET \ --url https://deliver.kontent.ai/<YOUR_PROJECT_ID>/items/my_article \ --header 'authorization: Bearer <YOUR_API_KEY>'
    • Ruby
    # Tip: Find more about Ruby SDKs at https://kontent.ai/learn/ruby require 'delivery-sdk-ruby' delivery_client = Kentico::Kontent::Delivery::DeliveryClient.new project_id: '<YOUR_PROJECT_ID>', secure_key: '<YOUR_API_KEY>' delivery_client.item('my_article').execute do |response| item = response.item end
    # Tip: Find more about Ruby SDKs at https://kontent.ai/learn/ruby require 'delivery-sdk-ruby' delivery_client = Kentico::Kontent::Delivery::DeliveryClient.new project_id: '<YOUR_PROJECT_ID>', secure_key: '<YOUR_API_KEY>' delivery_client.item('my_article').execute do |response| item = response.item end
    • TypeScript
    // Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript import { IContentItem, createDeliveryClient, Elements } from '@kontent-ai/delivery-sdk'; // Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models export type Article = IContentItem<{ title: Elements.TextElement; summary: Elements.TextElement; post_date: Elements.DateTimeElement; teaser_image: Elements.AssetsElement; related_articles: Elements.LinkedItemsElement<Article[]>; }>; const deliveryClient = createDeliveryClient({ projectId: '<YOUR_PROJECT_ID>', defaultQueryConfig: { useSecuredMode: true // Queries the Delivery API using secure access. }, secureApiKey: '<YOUR_API_KEY>', }); const response = await deliveryClient .item<Article>('my_article') .toPromise();
    // Tip: Find more about JS/TS SDKs at https://kontent.ai/learn/javascript import { IContentItem, createDeliveryClient, Elements } from '@kontent-ai/delivery-sdk'; // Create strongly typed models according to https://kontent.ai/learn/strongly-typed-models export type Article = IContentItem<{ title: Elements.TextElement; summary: Elements.TextElement; post_date: Elements.DateTimeElement; teaser_image: Elements.AssetsElement; related_articles: Elements.LinkedItemsElement<Article[]>; }>; const deliveryClient = createDeliveryClient({ projectId: '<YOUR_PROJECT_ID>', defaultQueryConfig: { useSecuredMode: true // Queries the Delivery API using secure access. }, secureApiKey: '<YOUR_API_KEY>', }); const response = await deliveryClient .item<Article>('my_article') .toPromise();

    After sending the request, you receive a single content item in the JSON format. You can filter your requests to retrieve only specific elements or items.

    Retrieve assets securely

    With advanced asset management, you can restrict access to all your project's assets by requiring an API key. This API key is different from the API keys in Project settings > API keys.

    To set up secure access for assets, contact our support and let them know the following:

    • Your project ID
    • Whether secure assets should be enabled for the Delivery Preview API, Delivery API, or both 

    Once you enable secure assets, you'll need to provide an API to fetch every asset. Fetch assets on the server side of your app to prevent exposing the API key.

    Revoke API keys

    When you suspect unauthorized key usage, you need to revoke one or both of the API keys and generate new ones. For example, when a user with access to the Primary key had left your company. In such cases, we recommend switching to Secondary key and regenerating the Primary key.

    Generating a new key will replace and revoke the old key. The revocation process can take up to a couple of minutes. Any requests made with a revoked API key receive the 401 Unauthorized error.

    1. In Kontent.ai, go to  Project settings > API keys.
    2. In the Delivery API card, regenerate the Secondary key.
    3. Update your apps to use the newly generated Secondary key.
    4. Validate that your apps work correctly with the new key.
    5. In the Delivery API card, regenerate the Primary key to ensure unauthorized users cannot use it to access your content.
    6. (Optional) Switch to using the regenerated Primary key in your apps so that your configuration is the same as you started.