In theory, the Joomla API application is only available to Super Users in Joomla 4. The idea is that this is a new and very powerful (a bit too powerful, maybe?) way to access the site, therefore the Joomla project felt that it should only be available to Super Users.
Authentication for Super Users does not normally take place with a username and password but with a token[7]. You can find your token by editing your (Super User) profile in the backend or frontend of the site, as long as the User - Joomla API Token plugin is published. Authenticating with the token requires the API Authentication - Web Services Joomla Token plugin to be published as well. You pass the token in the standard Authorization HTTP header, following RFC 6750 for bearer tokens:
Authorization: Bearer c2hhMjU2OjcwOjg5NWQ5MDM3MjA1NTY2MzM2OWFmYjc0YTg1MGFmYWFjNTAyMGYyZTU2MjQ3OTkxZjMwNDE1MTNkNDQ2NjhjN2Y=
Alternatively, the token can be sent in the custom HTTP header with the name X-Joomla-Token:
X-Joomla-Token: c2hhMjU2OjcwOjg5NWQ5MDM3MjA1NTY2MzM2OWFmYjc0YTg1MGFmYWFjNTAyMGYyZTU2MjQ3OTkxZjMwNDE1MTNkNDQ2NjhjN2Y=
Practically speaking, use the latter header, as some web server configurations do not pass the Authorization header through to the application.
Tip: When making requests to the Joomla API remember to send the HTTP header
However, that is not the entire truth — nothing is ever that simple when you're talking authentication.
It is perfectly possible to use Joomla's API application for a publicly accessible JSON API which does not perform any kind of authentication! This is, in fact, what Joomla's Media Manager (com_media) does. Counter-intuitively, the implementation for public routes is set up in the plugin, not the API component part. We'll see how in the web services plugin section.
This also means that you can do custom authentication using your own authentication mechanism by setting the routes to be public and performing authentication and access control in your API controllers. This is not entirely safe and I don't recommend it but, you know, the option does exist if you really need it and you really know what you are doing.
[7] The token is much safer than using a username and password. Joomla stores some of the information required to construct the token in the database (the #__user_profiles table) and some of it in the filesystem (the $secret in configuration.php). These two pieces of information are cryptographically combined to create the token, therefore SQL injections cannot be used to steal it. If it's compromised it can be quickly disabled or reset. A better solution would be a true OAuth2 flow but nobody has written the code for it (yet?).
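To make the two header forms and the footnote's point about combining the stored seed with $secret concrete, here is an added Python example; it is not from this page nor from Joomla's own plugin code. It assumes the token is base64("algo:userid:HMAC(secret, seed)"), which matches the decoded shape of the sample token shown above, and it uses constructed secret and seed values; the algorithm allow-list is also an assumption.

```python
import base64
import hmac

# Constructed sample values, not from any real site. In Joomla the site
# secret is $secret in configuration.php and the per-user seed is stored
# in #__user_profiles; here both are in-memory stand-ins.
SITE_SECRET = "constructed-site-secret-not-a-real-value"
USER_SEEDS = {70: base64.b64encode(b"constructed 32-byte seed value!!").decode()}
ALLOWED_ALGOS = ("sha256", "sha512")  # assumption: server-side allow-list


def make_token(user_id: int, seed_b64: str, site_secret: str, algo: str = "sha256") -> str:
    """Combine the stored seed with the site secret: base64('algo:userid:HMAC')."""
    mac = hmac.new(site_secret.encode(), base64.b64decode(seed_b64), algo).hexdigest()
    return base64.b64encode(f"{algo}:{user_id}:{mac}".encode()).decode()


def parse_token(token: str):
    """Split a token into (algo, user_id, hex_mac); None if it is malformed."""
    try:
        algo, user_id, mac = base64.b64decode(token, validate=True).decode().split(":")
        return algo, int(user_id), mac
    except ValueError:  # bad base64, bad UTF-8, wrong field count or non-numeric id
        return None


def extract_token(headers: dict):
    """Accept either header form: X-Joomla-Token or Authorization: Bearer."""
    if "X-Joomla-Token" in headers:
        return headers["X-Joomla-Token"].strip()
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return value.strip() if scheme == "Bearer" and value else None


def verify_token(token: str, site_secret: str, seeds: dict):
    """Return the authenticated user id, or None. The HMAC is recomputed from
    the stored seed and the site secret, so a leaked #__user_profiles table
    alone does not let anyone forge a token."""
    parsed = parse_token(token)
    if parsed is None:
        return None
    algo, user_id, mac = parsed
    if algo not in ALLOWED_ALGOS or user_id not in seeds:
        return None
    expected = hmac.new(site_secret.encode(), base64.b64decode(seeds[user_id]), algo).hexdigest()
    return user_id if hmac.compare_digest(expected, mac) else None
```

Running parse_token on the sample token from the page shows the same algorithm, user id and 64-hex-character MAC layout; verifying it would require that site's $secret and seed.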