I tried two different users: one with the role “admin” (I guess he has permissions on all modules, right?) and one with a specially created role that has all permissions only on my module “Seiten”.
The question for me is: Can I authenticate the user in the first step with the username and password (/api/user/auth) and after that use the authentication to send other requests (GET and POST on /api/content/items/)?
The interesting code is:
$url = "https://cockpit.local/api/user/auth";
$authData = [
    "user" => "username",
    "password" => "secretpassword",
];
$auth = callAPI("POST", $url, $authData);
$getData = [
    "api-key" => $auth->apiKey,
];
callAPI("GET", "https://cockpit.local/api/content/items/Seiten", $getData);
My Cockpit installation is a fresh 2.3.5, PHP 8.1.11 on a Mac (using MAMP Pro).
Calling e.g.
https://cockpit.local/api/content/items/Seiten?api-key=APIKEY
or https://cockpit.local/api/content/items/Seiten?token=APIKEY
also gives a simple
{"error":"Permission denied"}
EDIT: I tested the api-key in the REST API Playground (generated CURL):
curl -X GET "https://cockpit.local/api/content/items/Seiten" \
  -H "api-key: API-xxx"
That was working fine in the playground, but not the direct call above.