With the vital role security keys play in protecting Craft CMS sites, proper key generation and management is crucial. This post will guide you through creating keys in the control panel, setting permissions, integrating keys with APIs, and following security best practices. You’ll gain actionable insights for harnessing the power of keys while avoiding compromised access.
Log in to Craft's control panel, navigate to Settings > My Account > API Keys and click "Create a new key". Set a name, expiration, and permissions. Click save to generate the key. Copy it immediately and store it securely. Keys enable API access, CLI usage, and control panel logins when passed during authentication.
Security keys are an integral part of the access control system in Craft CMS. They are unique credentials that allow developers and site administrators to gain entry to restricted areas of a Craft site, such as the control panel, APIs, and databases.
There are a few different types of security keys in Craft that serve important functions:
Access Tokens - These grant temporary access to the control panel and are used when logging in. The access token allows the user to bypass entering credentials each time during an active session.
API Keys - API keys are used by developers to authenticate API requests. The keys are passed along with the request to verify and authorize access to Craft APIs. This is more secure than using username/password directly in API calls.
Console Keys - Console keys are used with the Craft CLI (command line interface) to run console commands and tasks. The keys allow the execution of commands remotely.
User Session Tokens - These tokens identify user sessions and are used to persist logins across requests. They allow users to stay logged in to the control panel.
All of these different security keys function as a way to authenticate and authorize access. They provide an extra layer of protection beyond just a username and password. Keys help restrict access for sensitive areas in a Craft CMS install.
Security keys are incredibly important for any Craft CMS site. Without proper use of keys, the entire admin area and APIs would be wide open for anyone on the internet to access. Keys allow site owners to limit and control who can view and make changes to their site.
API keys in particular are vital for locking down API access. Developers should always use API keys rather than putting a password directly into API requests. API keys can be easily revoked if they are compromised without having to change the actual account password.
Access tokens are important for securing the control panel. Without limiting control panel access to properly authenticated users, the site could be open to malicious activities.
Console keys help restrict remote command execution to authorized developers. Leaving the CLI accessible without keys poses a risk of someone running dangerous commands.
Overall, security keys help prevent unauthorized changes or access to Craft sites. They allow site admins to properly limit access and are an essential part of a layered security approach. Proper use of keys will help keep the CMS, databases, APIs and other sensitive areas secure from intruders. For any production Craft site, use of security keys is a must.
There are a few ways security keys can be generated in Craft:
API Keys - API keys can be generated from the user settings within the control panel. Navigate to Settings → My Account → API Keys to create or delete API keys.
Access Tokens - Access tokens are generated automatically when a user logs into the control panel. A new token is created on each login.
Console Keys - Console keys can be created by running the craft generate/key command from the CLI. This will output a new console key.
User Session Tokens - User session tokens are generated automatically when a user session is created after logging into the control panel.
Plugin Keys - Some plugins like Craft ID may generate their own separate keys for API access. Check the plugin documentation for details.
When generating keys, be sure to store them securely. API and console keys should never be shared or committed to source control.
Here are some best practices to follow when using security keys with Craft CMS:
Only generate keys when needed and delete old unused keys.
Revoke compromised API keys immediately if there is a breach.
Use keys with short expiration times where applicable.
Never hardcode keys or share them publicly.
Store keys securely in env files or credential managers.
Rotate API keys periodically or when team members leave.
Limit key usage to its intended purpose (e.g. API vs CLI).
Following security key best practices is just as important as using keys in the first place. Keys provide protection only when properly managed throughout their lifecycle.
To access the administrative area of a Craft CMS site, you'll need to log into the control panel. This is where admins can manage all aspects of the site.
To reach the login page, navigate to yoursite.com/admin in your web browser. For local development sites, the URL is typically localhost:8888/admin.
On the login page, you'll be prompted to enter your Craft user credentials. These consist of the username and password for an admin account. User permissions are set up by the site administrator, so you'll need an account with proper access.
Once you enter valid credentials and submit the form, you'll be signed into the control panel dashboard. This is the starting point for all admin tasks in Craft.
The control panel should only be accessible to admins working on the site. It's important to protect admin accounts with strong passwords. You can also set up two-factor authentication for added security on the login process.
The Craft CMS control panel provides an intuitive interface for managing all aspects of your site. The dashboard layout consists of a main content area and a vertical sidebar menu.
From the sidebar, you can navigate to the various settings pages using the icons or menu links.
Common areas you'll access include:
Settings - For configuring general CMS settings, users, fields, categories and more.
Users - Manage user accounts and permissions.
Plugins - Add and manage plugins. Be sure to keep plugins updated.
Utilities - Tools like updating Craft, caches, and task queues.
The main content area will update based on the section you navigate to from the sidebar. This allows you to view and update any part of the site.
The My Account link contains your user profile settings and a shortcut to API key generation.
The cog icon provides general admin settings like editing site names and updating email settings.
Spending time familiarizing yourself with the control panel layout will help you quickly navigate it to find what you need. The interface is designed to be intuitive for site administrators.
All user security keys like API keys can be managed from the My Account section. Here are the steps to find and access them:
Log into the Craft control panel if you aren't already.
Click on your user icon in the bottom left corner.
Select "My Account" from the dropdown menu.
On your account settings page, there is a "Security" section with "API Keys" and "Password" options.
Click on "API Keys" to view, create, or delete any keys associated with your user account.
You can set custom key names and expiration dates for more organized management.
Be sure to copy or save any new keys in a secure location.
Following these steps allows you to easily generate, revoke or renew security keys for your user profile. The same pages also allow you to update your account password for an added layer of protection.
Proper management of security keys is crucial for controlling access to vital Craft CMS features like the control panel and APIs. Keys should be treated securely and rotated periodically as a best practice.
Generating a brand new security key in Craft CMS is straightforward from the control panel. Here are the steps:
Log in to the Craft control panel as an admin user.
Click your profile icon in the bottom left corner.
Choose "My Account" from the dropdown menu.
Select "API Keys" under the Security section.
Click the "Create a new key" button.
Enter a custom name for your key to make it identifiable.
Set an expiry date if you want the key to automatically expire.
Choose the key's permissions from the dropdown. Start with the most restricted set and widen it only if the key's use case requires it.
Click "Save" and the new key is generated.
Copy the key value immediately before leaving the page!
Following those steps will successfully create a new security key with your desired settings.
Make sure to copy down the actual key value in a secure place upon creation.
Once generated, you can pass the key for API authentication or CLI commands based on its permissions. Take care not to share or expose the key publicly.
When initially generating a security key in Craft, there are a few important settings you can configure:
Name - Set a custom name for the key to identify its purpose later. E.g. "My App API Key"
Expiry Date - An optional expiration date for the key if you want it to automatically expire.
Permissions - The permissions or scopes granted by the key based on its intended use case.
The permissions are a critical setting, as they define what the key holder can actually access.
For an API key, you may start with basic read permissions. For a CLI key, you may permit utility commands only. You can always modify permissions later on specific keys.
Additional settings like requiring a password and tying the key to specific IP addresses can further restrict a key. Enabling revocation lets you manually revoke keys if needed.
Taking time to properly configure key permissions and settings results in increased security.
Limiting a key's capabilities to only what's necessary reduces exposure.
Once generated, proper storage and management of keys is crucial. Here are some best practices:
Store keys encrypted using a password manager or vault. Never commit them to source control in plain text.
Only share keys with trusted individuals, ideally using a secure channel.
Revoke compromised keys immediately; deleting them from storage alone does not stop an attacker who already holds a copy.
Develop a consistent naming convention for keys to identify their purpose.
Back up and version control key files to retain access if keys are lost.
Audit and rotate API keys periodically to reduce stale keys.
Remove keys from storage when no longer needed or after expiration.
With robust storage procedures and lifecycle management, security keys can enhance your site security. Make certain to handle keys as securely as passwords. Proper care of keys will prevent unauthorized access to sensitive Craft CMS capabilities.
One of the primary uses for security keys in Craft CMS is to authenticate API requests. The Craft APIs allow you to programmatically interact with the CMS and content.
To make an API call, the request must include a valid security key. Here is an example cURL request to return an entry, passing a key:
curl -H 'Authorization: Bearer API_KEY' https://example.com/api/entrie...
Without that API_KEY value, the request would be rejected. The key functions as an authentication token to verify the caller has permission to use the API.
Keys can be included as URL parameters, headers, or JSON web tokens depending on the API method. Including the key validates the integrity of the request. Prefer the header form where the API allows it, since URL parameters tend to end up in server access logs, proxy logs and browser history.
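One way to script the call shown above, as an added example that is not code from the original post or from Craft CMS itself: the key is read from an env file (as the best-practices list recommends) instead of being hardcoded, it is sent in a header rather than a URL parameter, and plain-HTTP endpoints are refused so the bearer key never travels in the clear. The env file name, the CRAFT_API_KEY variable and the /api/entries path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Craft CMS.
# Assumes: a KEY=VALUE env file (default ".env") holding CRAFT_API_KEY, and
# the "Authorization: Bearer <key>" scheme used in the cURL example above.

# load_key [FILE]: read CRAFT_API_KEY from an env file into the environment
# without echoing it; fails if the file or the key is missing.
load_key() {
  f="${1:-.env}"
  [ -r "$f" ] || { echo "load_key: cannot read $f" >&2; return 1; }
  # warn if other users on the host can read the key file (POSIX find -perm)
  if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
    echo "load_key: warning: $f is readable by others; consider chmod 600" >&2
  fi
  # first CRAFT_API_KEY= line wins; surrounding double quotes are stripped
  CRAFT_API_KEY=$(sed -n 's/^CRAFT_API_KEY=//p' "$f" | head -n 1 | sed 's/^"\(.*\)"$/\1/')
  [ -n "$CRAFT_API_KEY" ] || { echo "load_key: CRAFT_API_KEY not set in $f" >&2; return 1; }
  export CRAFT_API_KEY
}

# auth_header: the header sent with each request, built in one place so the
# key is never pasted into a URL or a shell one-liner (which lands in history)
auth_header() {
  [ -n "$CRAFT_API_KEY" ] || { echo "auth_header: no key loaded" >&2; return 1; }
  printf 'Authorization: Bearer %s' "$CRAFT_API_KEY"
}

# craft_get URL: authenticated GET; refuses non-HTTPS URLs so the bearer key
# cannot be sniffed in transit
craft_get() {
  url="$1"
  case "$url" in
    https://*) ;;
    *) echo "craft_get: refusing non-HTTPS URL $url" >&2; return 1 ;;
  esac
  hdr=$(auth_header) || return 1
  curl -sS --fail -H "$hdr" "$url"
}

# usage (constructed example URL; /api/entries is an assumed path):
#   load_key .env && craft_get https://example.com/api/entries
```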
For improved security over basic auth, Craft provides SDKs and libraries in PHP, JavaScript, Python and more. These handle passing the security key automatically when making API calls.
Proper use of keys for API access prevents malicious use of the APIs. Limiting permissions on the keys restricts what accounts can do via API.
Programmatically accessing Craft's APIs enables automation of many CMS tasks and site management processes.
For example, you could build a script that uses the Entries API to automatically create new blog posts from an external database. The script passes a security key to authenticate and post the entries.
Or you may have a web hook that listens for new users in your CRM. When it triggers, your integration uses the Users API and an API key to automatically create those CRM contacts as Craft CMS users.
API examples like these allow complete automation of content updates, user management, and more. The keys securely grant the external programs access without compromising credentials.
Site administrators could even build a custom control panel that uses APIs and keys to offer tailored management workflows. The possibilities are vast when tapping into Craft via APIs.
Security keys help enable more secure API integrations between Craft and third-party platforms.
For example, you can use keys to connect Craft content APIs to a mobile app backend for delivery to apps. Or integrate the Commerce APIs with a payment gateway that syncs order data.
Third-party examples include:
Syncing user analytics from Google Analytics into Craft using their APIs and an API key.
Pushing Craft entry data into MailChimp for email campaigns via their APIs.
Integration with Slack APIs to send administrative notifications from Craft.
In each case, the API keys provide authorized access to both sides - Craft and the external service.
Taking advantage of third-party APIs along with Craft's own robust set unlocks tons of possibilities for integrated sites with automated processes and workflows. API keys act as the gatekeeper, only allowing trusted applications.
Proper use of Craft CMS security keys for internal and external API usage provides peace of mind that your integrations are executing in a secure and controlled manner. Limiting scopes through key permissions is crucial for least-privilege API access.
Andy has scaled multiple businesses and is a big believer in Craft CMS as a tool that benefits Designer, Developer and Client alike.