How to authenticate against kirby's api correctly

Hi all,

I’d like to use the kirby api endpoint /api/pages/:id/files from a controller.
I’m logged in as an admin and have the following in my controller. However the response I get still says: Unauthenticated. What am I missing here?

$token = csrf();

$result = Remote::get(site()->url() . '/api/pages' . $page->uid() . '/files', [
  'headers' => [
    'X-CSRF: ' . $token


You have to send your authentication data with the request. You remote request doesn’t know anything about you being logged in.

But isn’t that what I’m doing by passing the token to the header?

What is your use case for making an API call here?

I think token auth only works on the frontend.

I would like to do an ajax request from the frontend to get all files under the current page.
I know I could go with the option of creating a template.json.php template and get the data from there but I thought why not using the API if I’m logged into the frontend anyway. Seems much cleaner to me.

The example above with the controller was just for testing purposes to see how the data will be returned. I’d use javascript on the frontend to do the ajax call.

Does that make sense?

On the client side the CSRF token authentication should work, when you are logged in, like in the example here: Authentication | Kirby CMS

Ok I think I missed that bit in the docs. I guess the controller is not considered as the frontend anymore?

Anyway I have it working now :slight_smile:

Thanks @pixelijn

No, PHP code is server side.

Yes I know, I meant the code above does work for me when I chuck it into a template instead…
Anyway :slight_smile: