Authentication
The Joomla Webservices API supports various authentication methods.
API Token Authentication (Recommended)
The safest and simplest method is API Token authentication.
Using the token
Add the token to your request headers:
curl -X GET "https://yoursite.com/api/index.php/v1/content/articles" \
-H "X-Joomla-Token: YOUR_API_TOKEN"
In PHP
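<?php
// Call the articles endpoint, authenticating with an API token.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://yoursite.com/api/index.php/v1/content/articles');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'X-Joomla-Token: YOUR_API_TOKEN',
    'Content-Type: application/json'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if ($response === false) {
    // curl_exec() returns false on transport errors (DNS, TLS, timeout).
    $error = curl_error($ch);
    curl_close($ch);
    throw new RuntimeException('API request failed: ' . $error);
}
curl_close($ch);
$data = json_decode($response, true);
?>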
Basic Authentication
Basic authentication uses a username and password.
curl -X GET "https://yoursite.com/api/index.php/v1/content/articles" \
-u "username:password"
Note
Basic authentication is less secure because the account password itself is sent with every request. Only use it over HTTPS and preferably only in development environments.
Super User Token
For administrative tasks, you can use a Super User token:
<?php
// Request headers for a call that needs Super User permissions, such as creating a user
$headers = [
'X-Joomla-Token: SUPER_USER_TOKEN',
'Content-Type: application/json'
];
?>
Security Best Practices
- Always use HTTPS in production environments
- Token rotation: Renew tokens regularly
- Minimal permissions: Give users only the permissions they need
- Rate limiting: Implement rate limiting to prevent abuse
- Token storage: Store tokens securely, never in version control
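The "Always use HTTPS" and "Token storage" items above, applied to the curl call from this page. This is an added example, not code from the Joomla documentation; the function names, the `JOOMLA_TOKEN_FILE` variable and the default token path are assumptions. It reads the token from a file only its owner can access and passes it to curl over stdin, so the token does not appear in the process list or shell history.

```bash
# Added example, not from the Joomla documentation. Function names and the
# JOOMLA_TOKEN_FILE variable are assumptions made for this sketch.

# Accept only https:// URLs; reject characters that would break config quoting.
joomla_url_ok() {
    case "$1" in
        *\"*|*\\*|*' '*) return 1 ;;
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# The token file must be a non-empty regular file with no group/other
# permission bits (characters 5-10 of the `ls -l` mode string).
joomla_token_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print a curl config for `curl --config -`, so the token travels over stdin
# instead of argv and never shows up in `ps` output or shell history.
joomla_curl_config() {
    _url=$1 _file=$2
    joomla_url_ok "$_url" || { echo "refusing non-HTTPS URL" >&2; return 2; }
    joomla_token_file_ok "$_file" || { echo "token file missing or too permissive" >&2; return 3; }
    _token=$(tr -d '\r\n' < "$_file")
    case "$_token" in
        ''|*\"*|*\\*|*' '*) echo "malformed token" >&2; return 4 ;;
    esac
    printf 'url = "%s"\n' "$_url"
    printf 'header = "X-Joomla-Token: %s"\n' "$_token"
    printf 'proto = "=https"\n'   # curl refuses any non-HTTPS protocol
    printf 'fail\n'               # HTTP 4xx/5xx responses become a non-zero exit
}

# GET an endpoint; TLS certificate verification stays at curl's default (on).
joomla_get() {
    _cfg=$(joomla_curl_config "$1" "${JOOMLA_TOKEN_FILE:-$HOME/.joomla_api_token}") || return
    printf '%s\n' "$_cfg" | curl --silent --show-error --config -
}
```

Call it as `joomla_get "https://yoursite.com/api/index.php/v1/content/articles"` after saving the token to the file and running `chmod 600` on it.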
Next steps
Check the API Overview to see which endpoints are available.