I think it’s because, as mentioned here the api is used “by the Panel to connect between the Vue frontend and the PHP backend.”
In that case it makes sense to require authentication because the api can be used to modify/delete content in the backend and not just read it (if I understand correctly how the api works)
I’m still waiting with my fingers crossed, hoping that we all missed something and that we get an official answer showing how to use the api for an SPA But yeah, unfortunately I don’t think so…
Trying to catch up with this thread: Do I understand right that your key issue at the moment is that the API always wants you to authenticate when you want to read data?
to reinstate the point that confused some of us who posted on this thread:
being logged-in, whether by actually logging in to the /panel or by sending the user credentials with an API call to kirby is fine. in eg, you want kirby to be a headless cms, and your custom app interacts with the data from kirby in order to change it as well.
the confusion imho arises when understanding REST APIs as also only a way to read the data from an endpoint and use it to make an interface with it. in this case, it feels out of place to have to be logged in to the panel. or rather, if there’s an option to login to kirby through an API call as well, then i think my problems are solved
i am up to open a ticket on github if it makes it easier to discuss!
I cannot guarantee this 100%, but in general we see the API as something for people to use as well. Not just internally for us to communicate between core and panel. So we wouldn’t just change the endpoints completely erratic but we have others in mind.
That said, I’d also go for content representations. Mainly also because that way you much clearer can define who gets which data.
Thats a fair point, my thought could be although the intention is good, it does make it harder for you as the core team to maintain if you need to make breaking changes.
I understand your thinking, but it offers nothing over content representations.
i think it comes down to have to make a content representation template for each template of the website, versus having a plugin that scans your entire /content folder and does the same thing in one go.
but as there are still some limitations with the mentioned plugin due to the new version of kirby, it might indeed be more future-proof to set up the content-representation template yourself…
i’m looking forward to some headless cms / spas use cases though
Second hurdle is that currently Kirby will drop any basic auth API request if it is done without HTTPS. There’s some discussions and pending updates to Kirby that will hopefully resolve this, but for now I am manually patching my Kirby 3 sites to allow non-HTTPS API requests with basic auth.
I create a specific API-only Kirby user in my site. You may need to give this API-specific user reduced permissions. Be aware that a crafty user could reverse the email/password from the API and log in to your panel with the API account if this is used client side.
You might create a Kirby role called api (see Kirby permissions documentation)
Once you’ve done that your API should work in development. Here’s a snippet of code for setting up the API in your JS app with axios (this will work on the client or server).
From there, consuming the API in javascript-world looks like:
const res = await api.get('/pages/home')
const page = res.data
I’m working on a Nuxt module for this that will make things simpler. There’s potential to improve the process and support lots of developers wanting to build with Nuxt and the Kirby API.