Authentication
When we grant your project API access, you receive a static API token. Use it for every authenticated Directus request.
Send a Bearer token
Send your static token in the Authorization header. This is the recommended, most reliable, and most secure method. The Directus SDK does this automatically when configured with staticToken.
curl 'https://content.onderwijsloket.com/items/articles?limit=1' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN'
Understand alternative methods
You can update your account with a password and use basic authentication to obtain a temporary access token. That token expires and must be refreshed, so we do not recommend it for ordinary API requests.
You can also supply the static token as an access_token query parameter. Use this only when headers are impossible: URLs are often stored in browser history, logs, analytics, and proxy records.
Rotate a static token
Rotate a token by updating the token property on your own user record. Use at least 32 cryptographically random bytes, encoded as Base64 URL or hexadecimal, to avoid collisions and brute-forceable values.
curl --request PATCH 'https://content.onderwijsloket.com/users/me' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"token": "my-new-static-token"
}'
Replace a lost token
We cannot retrieve an existing token value. Contact us for a replacement; issuing one rotates the lost token.
Keep in touch with the latest
Sign up for our monthly deep dives - straight to your inbox.