Authentication
Learn how to authenticate requests to the API.
When your project is granted API access, you’ll receive a static API token. Use this token to authenticate with the API.
Directus supports several authentication methods:
Access Token in the Authorization Header (recommended)
Set an Authorization header with Bearer <your static token> for the most secure and reliable authentication. This method is applied automatically when using the Directus SDK.
Basic Auth
After receiving your static token, you can update your account, including setting a password. You can then use basic authentication with your credentials to request a temporary access token, which must be refreshed when it expires.
It’s not recommended to use basic auth for your API requests.
Access Token as Query Parameter
You can authenticate by adding an access_token query parameter containing your static token to any endpoint. Use this only when setting request headers is not possible.
It’s not recommended to use authentication via query parameters for your API requests, as it increases the risk of exposing your token.
Token rotation
You can rotate your static token at any time by updating the token property in your account. This field accepts any string, but a secure value is recommended. Use at least 32 randomly generated bytes, encoded as Base64-URL or hex, to ensure strong entropy and avoid accidental collisions. Short or predictable values increase the risk of brute-force attacks and weaken account security.
curl --request PATCH 'https://api.v2.onderwijsloket.com/users/me' \
--header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"token": "my-new-static-token"
}'
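The following shell sketch is an added example, not part of the original documentation: it generates a token that meets the 32-byte recommendation above and refuses to rotate to a shorter value. The function names are hypothetical, and the request assumes the endpoint accepts a JSON body with the current token sent as a Bearer credential.

```shell
#!/bin/sh
# Added example: generate and vet a static token before rotating it.
API_URL='https://api.v2.onderwijsloket.com/users/me'   # endpoint from this page

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
generate_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Number of bytes a candidate encodes: hex = len/2, unpadded Base64-URL = len*3/4.
# Prints 0 for an empty value or one containing characters outside both alphabets.
token_bytes() {
    _t=$1
    case $_t in
        ''|*[!A-Za-z0-9_-]*) echo 0; return ;;
    esac
    case $_t in
        *[!0-9A-Fa-f]*) echo $(( ${#_t} * 3 / 4 )) ;;   # Base64-URL alphabet
        *)              echo $(( ${#_t} / 2 )) ;;       # pure hex
    esac
}

# Accept only candidates that encode at least 32 bytes. Length is a necessary
# check, not a sufficient one: the value must still come from a CSPRNG.
is_strong_token() {
    [ "$(token_bytes "$1")" -ge 32 ]
}

# Rotate the token: $1 = current token, $2 = new token.
# The new token is limited to the URL-safe alphabet by is_strong_token,
# so it can be placed in the JSON body without further escaping.
rotate_token() {
    _old=$1 _new=$2
    is_strong_token "$_new" || { echo "refusing weak token" >&2; return 1; }
    curl --fail --silent --show-error --request PATCH "$API_URL" \
         --header "Authorization: Bearer $_old" \
         --header 'Content-Type: application/json' \
         --data "{\"token\": \"$_new\"}"
}

# Usage (not executed here):
#   NEW=$(generate_token) && rotate_token "$CURRENT_TOKEN" "$NEW"
```

Store the new value in your secret manager before the old one stops working; after a successful rotation the previous token no longer authenticates.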
Lost your token?
If your token is lost, contact us for a new one. Because the previous token value cannot be retrieved, we must rotate the token when issuing a replacement.