
Authentication

Contit supports multiple authentication methods depending on your use case.

Methods

Method                      | Use case                                     | Header
Client Credentials (OAuth2) | Server-to-server, write operations           | Authorization: Bearer {token}
API Key                     | Read-only public access, simple integrations | X-Api-Key: {key} or ?api_key={key}
Authorization Code + PKCE   | User-facing applications (browser login)     | Authorization: Bearer {token}
Refresh Token               | Long-lived sessions                          | Exchange at /connect/token

Client Credentials (OAuth2)

1. Get an access token

curl -X POST https://idp.contit.cloud/connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"

Response:

{
  "access_token": "eyJhbGci...",
  "token_type": "Bearer",
  "expires_in": 3600
}

2. Use the token

curl https://api.contit.cloud/contents/myContentType \
  -H "Authorization: Bearer eyJhbGci..."

Token lifetime: 1 hour (expires_in is given in seconds). The Client Credentials response above carries no refresh token; a service renews by sending another client_credentials request to /connect/token shortly before the current token expires, so cache the token and its expiry rather than requesting a new one per call. The refresh token grant is for tokens obtained through a user login (Authorization Code + PKCE): it renews the session at /connect/token without sending the user back through the browser login.
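The two steps above, as an added example (not Contit's own SDK): a small token source that fetches a Client Credentials token from /connect/token, caches it, and requests a new one 60 seconds before the stated expires_in elapses, then uses it as a Bearer header against /contents/{contentType}. The `post` and `clock` hooks, the `RENEW_MARGIN` value and the helper names are assumptions made so the code can be exercised offline; nothing here is part of the Contit API beyond the endpoints and parameters shown on this page.

```python
"""Client Credentials token handling for the Contit API (added example, not
the project's own code). Fetches a token from /connect/token, caches it and
renews it before `expires_in` runs out, so a long-running service never sends
an expired Bearer token. The `post`/`clock` hooks exist so the logic can be
tested without network access; by default urllib talks to the real IdP."""
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://idp.contit.cloud/connect/token"
API_BASE = "https://api.contit.cloud"


def _default_post(url, body, headers):
    """Send a form-encoded POST and return the decoded JSON response body."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsTokenSource:
    # Renew this many seconds before the IdP's stated expiry (assumed value), so
    # clock skew and request latency cannot hand the API an already-expired token.
    RENEW_MARGIN = 60

    def __init__(self, client_id, client_secret, post=_default_post, clock=time.monotonic):
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0  # number of real round-trips to the IdP

    def _fetch(self):
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = self._post(TOKEN_URL, body, headers)
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % data.get("token_type"))
        self._token = data["access_token"]
        # Client Credentials responses carry no refresh token (RFC 6749 s4.4.3):
        # renewal is simply another client_credentials request.
        self._expires_at = self._clock() + int(data["expires_in"])
        self.fetch_count += 1

    def token(self):
        """Return a usable access token, fetching a fresh one when the cached
        token is missing or within RENEW_MARGIN seconds of its expiry."""
        if self._token is None or self._clock() >= self._expires_at - self.RENEW_MARGIN:
            self._fetch()
        return self._token

    def auth_headers(self):
        return {"Authorization": "Bearer " + self.token()}


def get_contents(source, content_type, opener=urllib.request.urlopen):
    """GET /contents/{contentType} with the cached Bearer token."""
    req = urllib.request.Request(
        "%s/contents/%s" % (API_BASE, urllib.parse.quote(content_type)),
        headers=source.auth_headers(),
    )
    with opener(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Stand-alone use against the real endpoints (needs network and real credentials).
    src = ClientCredentialsTokenSource("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
    print(get_contents(src, "myContentType"))
```

Keep the client secret out of the command line and out of source control: load it from the environment or a secret store and pass it to the constructor. Because the token is renewed on a margin before expiry, a 401 from the API after renewal indicates a revoked client or a permission change, not a stale cache.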


API Key

API Keys are suitable for read-only public access (e.g., frontend apps, public APIs).

# Via header
curl https://api.contit.cloud/contents/myContentType \
  -H "X-Api-Key: YOUR_API_KEY"

# Via query parameter
curl "https://api.contit.cloud/contents/myContentType?api_key=YOUR_API_KEY"

API Keys do not support write operations. For creating or updating content, use Client Credentials. Prefer the X-Api-Key header over the query parameter where you can: a key in the URL is written to server, proxy and CDN access logs, to browser history, and to Referer headers of outgoing requests.


Custom claims

All access tokens issued by Contit contain custom claims:

Claim                  | Description
contit:workspaceId     | The workspace ID the client belongs to
contit:permissions     | Comma-separated list: read, write, app.read, app.user
contit:clientLogActive | Whether request logging is enabled for this client

Authorization policies

Policy         | Required permission | Used for
ReadAccess     | read                | GET and POST (search) operations
WriteAccess    | write               | PUT and DELETE operations
App.ReadAccess | app.read            | App settings endpoints
App.UserAccess | app.user            | Cross-workspace app operations
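How the custom claims and the policy table fit together, as an added example (not Contit's server code): verify a JWT access token, split contit:permissions, and apply the policy that the HTTP method requires, after checking that the token's contit:workspaceId matches the workspace being accessed. Real Contit tokens are verified against the issuer's published keys; to run offline this example signs a constructed sample token with HS256 and a made-up secret, which is an assumption for the demo, not Contit's signing algorithm. The method-to-policy mapping follows the table above; the function names are the example's own.

```python
"""Verify a Contit-style access token and map its claims onto the policies
listed under "Authorization policies" (added example, not the project's own
code). HS256 with a constructed secret stands in for the issuer's real keys so
the example runs offline; the policy mapping follows the page's table."""
import base64
import hashlib
import hmac
import json
import time

# Policy -> required permission, from the "Authorization policies" table.
POLICY_PERMISSION = {
    "ReadAccess": "read",
    "WriteAccess": "write",
    "App.ReadAccess": "app.read",
    "App.UserAccess": "app.user",
}

# HTTP method -> policy for the content endpoints (POST is the search operation).
METHOD_POLICY = {
    "GET": "ReadAccess",
    "POST": "ReadAccess",
    "PUT": "WriteAccess",
    "DELETE": "WriteAccess",
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Build a sample JWT; only used here to construct a token for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


def verify_hs256(token, secret, now=None):
    """Return the claims only if the signature and expiry check out.
    Claims must never be read off an unverified token for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def permissions(claims):
    """Split the comma-separated contit:permissions claim into a set."""
    raw = claims.get("contit:permissions", "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def authorize(claims, method, workspace_id):
    """Apply the policy for `method` and confirm the token belongs to `workspace_id`."""
    if claims.get("contit:workspaceId") != workspace_id:
        return False
    policy = METHOD_POLICY.get(method.upper())
    if policy is None:
        return False
    return POLICY_PERMISSION[policy] in permissions(claims)


if __name__ == "__main__":
    # Constructed sample token: a read-only client in workspace ws-42.
    secret = b"constructed-demo-secret"
    sample = {"sub": "client-1", "exp": int(time.time()) + 3600,
              "contit:workspaceId": "ws-42", "contit:permissions": "read,app.read",
              "contit:clientLogActive": True}
    token = sign_hs256(sample, secret)
    claims = verify_hs256(token, secret)
    print(authorize(claims, "GET", "ws-42"), authorize(claims, "PUT", "ws-42"))
```

The workspace check matters as much as the permission check: a token with write permission in one workspace must not authorize a PUT in another, which is why contit:workspaceId is compared before the policy lookup. The algorithm pin and constant-time signature comparison are the two checks most often missing from hand-rolled JWT handling.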