Access Control

All requests to the Umbraco Compose APIs must be authenticated and authorized.

Compose supports two different methods of access control. They are summarized in the table below.

Personal Access Tokens

Personal Access Token are also known as API keys. They are used to authenticate to the Ingestion and GraphQL APIs of Umbraco Compose.

Personal Access Tokens can be managed from the Umbraco Cloud Portal. Personal access tokens are valid for one Compose project, selected at time of creation.

Scopes

Personal Access Tokens can be assigned different scopes that affect which APIs and endpoints they are authorized to call. The following scopes are available:

Assigning a scope grants the respective access over all environments in the project.

Client Credentials

Applications can authorize to Umbraco Compose using an OAuth-compliant client credentials flow.

Creating an API Application

To support the client credentials flow, you must first create an API application from the Umbraco Cloud Portal.

During creation of an API application you will be given two values which can later be exchanged for an access token. These values are a client_id and a client_secret.

• The client_id is a unique identifier for your API application.

• The client_secret is a shared secret that you should store securely. It allows access to applications that integrate with Compose.

Scopes

API applications support the same project-level scopes as Personal Access Tokens. On top of that, they also optionally allow finer-grained access over individual environments or entities.

Supported environment scopes are:

Including a project scope will grant authorization for that action across all environments, irrespective of environment-specific scopes. For example, consider the following two scopes granted on a single project:

• The graphql scope has been granted at project level, and

• The graphql scope has been granted for the dev environment, but not for live.

The application will still be able to make GraphQL queries on the live environment. It is recommended to use the least-privilege scopes that your applications strictly need.

Getting an Access Token

Once you have an application and client credentials, you can generate an access token using the /v1/auth/token endpoint. Since access tokens are short-lived, this process should typically be automated.

Unlike other endpoints in the Management API, the auth/token endpoint expects an application/x-www-form-urlencoded payload. It should look like the following, where {client_id} and {client_secret} are replaced with the values from your application.

Developer tooling

Since tokens exchanged for client credentials are short lived, working with them manually is generally not recommended.

Many developer tools for calling APIs support automatically refreshing access tokens. Instead of configuring and manually including the token, consider using your tool's inbuilt OAuth support.

Two tools that support automatically refreshing tokens are Bruno and Postman.

Usage

When making a call to Compose APIs, include your (personal or client credential) access token as a bearer token in the Authorization header. For example: