Authenticating REST requests

Every REST request needs to be authenticated. You can select the Authentication type of the REST service in Settings -> Integration -> REST.

Basic authentication

With Basic authentication, you need to specify the username and password through the Authorization line in the header of every REST request. The header line consists of:

  • The authentication type (Basic)
  • The username and password connected by a colon (username:password), encoded using the Base64 algorithm

For example, the following header line uses RestClient:MyPassword as the authentication credentials:

Authorization: Basic UmVzdENsaWVudDpNeVBhc3N3b3Jk

Once authenticated, the system allows the REST request to perform operations depending on the specified user’s privilege level and permissions.

Important: We strongly recommend using SSL to protect the authentication credentials in the request headers. See also: Configuring SSL

Note: The Basic authentication type of the Kentico REST service does not require Basic Authentication to be enabled in IIS. Keep Basic Authentication disabled in IIS as described in Configuring the REST service.

Forms authentication

When using forms authentication of requests, the system identifies users based on the active session and the authentication ticket stored in the .ASPXFORMSAUTH cookie. You can use forms authentication to create a web interface with a login page, and allow users to send REST requests through their browser.

You cannot use forms authentication for the Kentico REST service if you have Windows authentication enabled in IIS.

Forms authentication can pose a security threat, because logged in users may unknowingly click links that send malicious REST requests to your site. To protect yourself from such attacks, take the following steps:

  1. Immediately after creating the session (i.e. first authentication), set up an authentication token by sending a POST request to the following URL:

     https://<your project URL>/rest/settoken?username=<your user name>&password=<your password>&token=<your authentication token>

    The authentication token can be an arbitrary string of characters, for example a GUID.

  2. Include the authentication token in the HTTP header of every REST request:

     Cms-Session-Token: <your authentication token>

Hash parameter authentication

You can authenticate individual REST requests by adding a hash parameter to the URL. The hash parameter allows you to prepare REST requests that can be executed by unauthenticated users. Requests that contain the hash parameter ignore the other types of authentication — the value of the Authentication type setting does not affect hash authentication.


  • Only works for GET requests (read only data retrieval)
  • You cannot use hash parameter authentication for /all object retrieval requests (~/rest/<object type>/all). This is an intentional security limitation that protects global data in the system.

Warning: Only use hash parameter authentication for loading data that you want to make publicly available. REST requests with hash authentication can be executed by anyone who obtains the URL (for example by intercepting the web request).

To get the authentication hash for REST requests:

  1. Prepare the URL of your REST request in advance.
  2. Open the Settings application.
  3. Select the Integration -> REST category.
  4. Click Generate authentication hash.
  5. Enter the full absolute URL of the REST request, including the protocol, website domain name, virtual directory, REST path, and query string parameters. For example:
  6. Click Authenticate.

The system adds the authentication hash parameter to the URL. You can copy the URL and use it to perform the REST request without any other type of authentication.