Authentication
How to authenticate requests to the Atlas CMS Public API using API keys.
The Atlas Public API authenticates with an API key sent as an HTTP header:
```
X-API-Key: atlas_live_abc123xyz
```
Every request to /api/v1/public/* must include this header. The key identifies
your workspace and determines which content is accessible.
Admin API authentication
Logging in, managing users, and making changes to your workspace (content types, entries, pages, etc.) is done through the Atlas dashboard. Dashboard authentication (Bearer tokens, MFA, sessions) will be covered when the Admin API reference is added in a later phase.
Generating an API Key
- Open the Atlas dashboard.
- Go to Settings → API Keys.
- Click Create API Key, give it a name, and save.
- Copy the key — it is shown only once.
Sending the Key
Include X-API-Key on every Public API request:
```bash
curl "https://api.atlas.latellu.com/api/v1/public/entries?type=article" \
  -H "X-API-Key: atlas_live_abc123xyz"
```
```javascript
const res = await fetch(
  'https://api.atlas.latellu.com/api/v1/public/entries?type=article',
  {
    headers: {
      'X-API-Key': process.env.ATLAS_API_KEY,
    },
  }
);
const { data } = await res.json();
```
Key Scopes
Each API key carries two optional restrictions set at creation time:
| Scope | What it controls |
|---|---|
| Content type whitelist | Limits which content types the key can read. Leave empty to allow all. |
| Environment | production serves only published entries; preview also serves drafts (useful for staging sites). |
These restrictions are enforced server-side — requests that fall outside the key's
scope return a 403 error.
Key Security
- Treat an API key like a password. Never commit it to a public repository.
- For frontend apps, fetch content server-side (e.g., in a Next.js Server Component or API route) so the key is never exposed to the browser.
- Rotate a key immediately from the dashboard if you suspect it has been leaked.
- Create separate keys per environment (production vs. staging) so a compromised staging key cannot access production content.
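The server-side pattern from the list above, as an added example that is not Atlas's own code: a small handler factory that keeps the key on the server, validates the browser-supplied content type against a list, and returns a generic error when Atlas answers 401 or 403. The names `createEntriesProxy`, `allowedTypes`, and the `{ status, body }` return shape are assumptions made for illustration.

```javascript
// Added example: server-side proxy in front of the Atlas Public API.
// Hypothetical names: createEntriesProxy, allowedTypes, { status, body } shape.
const ATLAS_BASE = 'https://api.atlas.latellu.com/api/v1/public';

function createEntriesProxy({ apiKey, allowedTypes, fetchImpl = fetch }) {
  // Fail at startup, not per request, if the key was never configured.
  if (!apiKey) throw new Error('ATLAS_API_KEY is not set');
  const allowed = new Set(allowedTypes);

  // `type` originates in the browser, so it is checked before reaching Atlas.
  return async function getEntries(type) {
    if (typeof type !== 'string' || !allowed.has(type)) {
      return { status: 400, body: { error: 'Unknown content type' } };
    }
    const url = new URL(`${ATLAS_BASE}/entries`);
    url.searchParams.set('type', type);

    // The key is attached here, on the server, and never sent to the client.
    const res = await fetchImpl(url, { headers: { 'X-API-Key': apiKey } });
    const payload = await res.json().catch(() => ({}));

    if (res.status === 401 || res.status === 403) {
      // A rejected key is an operator problem: keep code and traceId in the
      // server log and tell the browser nothing about the key or its scope.
      console.error(
        `Atlas rejected key: ${res.status} ${payload.code} trace=${payload.traceId}`
      );
      return { status: 502, body: { error: 'Content unavailable' } };
    }
    if (!res.ok) return { status: 502, body: { error: 'Content unavailable' } };
    return { status: 200, body: { data: payload.data } };
  };
}
```

In a Next.js API route, build the handler once with `process.env.ATLAS_API_KEY` and pass it the `type` query parameter from the incoming request.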
Error Responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | X-API-Key header is missing or empty. |
| 403 Forbidden | Key is valid but does not have access to the requested resource. |
```json
{
  "success": false,
  "message": "Unauthorized",
  "code": "UNAUTHORIZED",
  "traceId": "req_a1b2c3d4"
}
```
```json
{
  "success": false,
  "message": "Access to this content type is not allowed for this API key",
  "code": "FORBIDDEN",
  "traceId": "req_e5f6g7h8"
}
```
See Error Handling for the full response envelope format.