By default, all data in the system is off limits for unauthenticated users. To gain access to protected data, you must include an access token with every request, or configure permissions for the public role.
# Authenticating with Tokens
In order to authenticate to the API, you have to pass an authentication token. The token can be passed in two ways:
# Query Parameter
Pass the token in the
access_token query parameter:
# Authorization Header
Pass the token in the Authorization header:
Authorization: Bearer <token>
Authorization: Bearer eyJh...KmUk
# Types of Tokens
There are two types of tokens that can be used to authenticate within Directus:
# Temporary Token (JWT)
These are the tokens as returned by the login endpoint/mutation. These
tokens have a relatively short expiration time, and are thus the most secure option to use. The tokens are returned with
refresh_token that can be used to retrieve a new access token via the
# Static Token
Each user can have one static token that will never expire. This is useful for server-to-server communication, but is
also less secure than the JWT token. This token is saved to the database (
directus_users.token) in plain-text.
Retrieving a Token
Looking for how to get an access token? See the login endpoint/mutation.