Authentication
Contit supports multiple authentication methods depending on your use case.
Methods
| Method | Use case | Header |
|---|---|---|
| Client Credentials (OAuth2) | Server-to-server, write operations | Authorization: Bearer {token} |
| API Key | Read-only public access, simple integrations | X-Api-Key: {key} or ?api_key={key} |
| Authorization Code + PKCE | User-facing applications (browser login) | Authorization: Bearer {token} |
| Refresh Token | Long-lived sessions | Exchange at /connect/token |
Client Credentials (recommended for server-side)
1. Get an access token
curl -X POST https://idp.contit.cloud/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"
Response:
{
"access_token": "eyJhbGci...",
"token_type": "Bearer",
"expires_in": 3600
}
2. Use the token
curl https://api.contit.cloud/contents/myContentType \
-H "Authorization: Bearer eyJhbGci..."
Token lifetime: 1 hour. Use the refresh token grant to renew without re-authenticating.
API Key
API Keys are suitable for read-only public access (e.g., frontend apps, public APIs).
# Via header
curl https://api.contit.cloud/contents/myContentType \
-H "X-Api-Key: YOUR_API_KEY"
# Via query parameter
curl "https://api.contit.cloud/contents/myContentType?api_key=YOUR_API_KEY"
API Keys do not support write operations. For creating or updating content, use Client Credentials.
Custom claims
All access tokens issued by Contit contain custom claims:
| Claim | Description |
|---|---|
contit:workspaceId |
The workspace ID the client belongs to |
contit:permissions |
Comma-separated list: read, write, app.read, app.user |
contit:clientLogActive |
Whether request logging is enabled for this client |
contit:ctPermissions |
Per-content-type permissions (JSON, optional) |
Authorization policies
| Policy | Required permission | Used for |
|---|---|---|
ReadAccess |
read |
GET and POST (search) operations |
WriteAccess |
write |
PUT and DELETE operations |
App.ReadAccess |
app.read |
App settings endpoints |
App.UserAccess |
app.user |
Cross-workspace app operations |
Per-content-type permissions
Each client can be configured to restrict access to specific content types, with independent read and write permissions.
Behavior
- No configuration (default): the client has access to all content types, including those created in the future. Read and write are controlled by the global
Readonlyflag. - Permissions configured: the client can only access the listed content types, with read and write specified per content type. Content types created after the configuration are not accessible until explicitly added to the list.
Configuration
In the API Keys section of the workspace settings, select a client and enable "Restrict access by content type". For each content type you can enable:
| Permission | Description |
|---|---|
| Read | The client can search and retrieve contents of this type |
| Write | The client can create and update contents of this type |
| Delete | The client can delete contents of this type |
The three permissions are independent: for example, you can grant write access without delete.
Example
A client configured with:
articles: read + write + deletecategories: read onlyproducts: read + write (no delete)
Can fully manage articles, only view categories, and create/update products without being able to delete them. It will not have access to other content types (e.g., pages).