Atlas CMS

Authentication

How to authenticate requests to the Atlas CMS Public API using API keys.

The Atlas Public API authenticates with an API key sent as an HTTP header:

Request Header
X-API-Key: atlas_live_abc123xyz

Every request to /api/v1/public/* must include this header. The key identifies your workspace and determines which content is accessible.

Admin API authentication

Logging in, managing users, and making changes to your workspace (content types, entries, pages, etc.) is done through the Atlas dashboard. Dashboard authentication (Bearer tokens, MFA, sessions) will be covered when the Admin API reference is added in a later phase.

Generating an API Key

  1. Open the Atlas dashboard.
  2. Go to Settings → API Keys.
  3. Click Create API Key, give it a name, and save.
  4. Copy the key — it is shown only once.

Sending the Key

Include X-API-Key on every Public API request:

cURL
curl "https://api.atlas.latellu.com/api/v1/public/entries?type=article" \
  -H "X-API-Key: atlas_live_abc123xyz"

fetch (JavaScript)
const res = await fetch(
  'https://api.atlas.latellu.com/api/v1/public/entries?type=article',
  {
    headers: {
      'X-API-Key': process.env.ATLAS_API_KEY,
    },
  }
);
const { data } = await res.json();

Key Scopes

Each API key carries two optional restrictions set at creation time:

Scope | What it controls
--- | ---
Content type whitelist | Limits which content types the key can read. Leave empty to allow all.
Environment | production serves only published entries; preview also serves drafts (useful for staging sites).

These restrictions are enforced server-side — requests that fall outside the key's scope return a 403 error.

Key Security

  • Treat an API key like a password. Never commit it to a public repository.
  • For frontend apps, fetch content server-side (e.g., in a Next.js Server Component or API route) so the key is never exposed to the browser.
  • Rotate a key immediately from the dashboard if you suspect it has been leaked.
  • Create separate keys per environment (production vs. staging) so a compromised staging key cannot access production content.
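
The server-side pattern from the second bullet, as an added example (not Atlas's own code): a Node helper that holds the key, forwards only content types on a local allowlist, and turns upstream 401/403 responses into a generic error so the traceId and key-scope details stay in server logs. ALLOWED_TYPES and the function names are assumptions; the endpoint, header and error fields are the ones shown on this page.

```javascript
// Added example: keeps the Atlas key on the server. Names below are assumptions.
const ATLAS_BASE = 'https://api.atlas.latellu.com/api/v1/public';
const ALLOWED_TYPES = new Set(['article', 'page']); // mirror the key's whitelist

// Build the upstream request; return null for types the browser may not request.
function buildAtlasRequest(type, apiKey) {
  if (!apiKey) throw new Error('ATLAS_API_KEY is not set');
  if (!ALLOWED_TYPES.has(type)) return null;
  const url = new URL(`${ATLAS_BASE}/entries`);
  url.searchParams.set('type', type); // URL-encoded, so extra parameters cannot be smuggled in
  return { url: url.toString(), headers: { 'X-API-Key': apiKey } };
}

// Map the Atlas response to what the browser is allowed to see.
function toClientResponse(status, body) {
  if (status >= 200 && status < 300) {
    return { status: 200, body: { data: body.data } };
  }
  // 401/403 mean the server's key is missing or out of scope:
  // log code and traceId for operators, return nothing specific to the client.
  if (status === 401 || status === 403) {
    console.error(`Atlas auth failure code=${body.code} traceId=${body.traceId}`);
    return { status: 502, body: { error: 'Content unavailable' } };
  }
  return { status: 502, body: { error: 'Upstream error' } };
}

// Call this from an API route or server component; fetchImpl is injectable
// so the function can be exercised offline with a stub.
async function getEntries(type, apiKey = process.env.ATLAS_API_KEY, fetchImpl = fetch) {
  const req = buildAtlasRequest(type, apiKey);
  if (!req) return { status: 400, body: { error: 'Unknown content type' } };
  const res = await fetchImpl(req.url, { headers: req.headers });
  return toClientResponse(res.status, await res.json());
}
```
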

Error Responses

Status | Meaning
--- | ---
401 Unauthorized | X-API-Key header is missing or empty.
403 Forbidden | Key is valid but does not have access to the requested resource.

401 — Missing API key
{
  "success": false,
  "message": "Unauthorized",
  "code": "UNAUTHORIZED",
  "traceId": "req_a1b2c3d4"
}

403 — Key lacks access to this content type
{
  "success": false,
  "message": "Access to this content type is not allowed for this API key",
  "code": "FORBIDDEN",
  "traceId": "req_e5f6g7h8"
}

See Error Handling for the full response envelope format.
