Drupal API Authentication Features Overview & Setup

Overview

Drupal’s API Authentication module offers key features to secure JSON API and REST APIs. It allows blocking or allowing specific IP addresses, restricting access to selected or custom API endpoints, and applying role-based controls to manage API access. Flood Control helps prevent brute-force attacks, and Token Revocation enables revoking previously issued access tokens.

Download

Schedule a Meeting

Using Composer
Using Drush
Manual Installation

Download the module:

composer require 'drupal/rest_api_authentication'
Navigate to Extend menu on your Drupal admin console and search for REST & JSON API Authentication using the search box.
Enable the module by checking the checkbox and click on the Install button.
You can configure the module at:

{BaseURL}/admin/config/people/rest_api_authentication/auth_settings

Install the module:
```
drush en drupal/rest_api_authentication
```
Clear the cache:

drush cr
You can configure the module at:

{BaseURL}/admin/config/people/rest_api_authentication/auth_settings

Note: Manual installation is supported only up to Drupal 7. For Drupal 8 and above, you must use Composer for installation and project management.

Navigate to Extend menu on your Drupal admin console and click on Install new module.
Install the Drupal miniOrange API Authentication module either by downloading the zip or from the URL of the package (tar/zip).
Click on Enable newly added modules.
Enable this module by checking the checkbox and click on install button.
You can configure the module at:

{BaseURL}/admin/config/people/rest_api_authentication/auth_settings

Role-Based Access:

The Role-Based Access setting in Drupal allows you to control access to specific API routes based on user roles. By configuring this option, you can define which roles are permitted to access certain endpoints while all other roles will be restricted. This ensures that sensitive APIs remain protected and accessible only to authorized users.

Navigate to the Advanced Settings tab of the module.
From the vertical tab, select Role-Based Access.

Choose the Drupal role you want to grant API access to, then enter the API routes that the selected role should have access to.
Only the chosen Drupal role will be able to access the specified APIs.
To add more Drupal roles, simply click the Add button below.

Once done, click on the Save All Advanced settings button.

Drupal API Authentication select Drupal Role

Restrict Custom APIs:

The Restrict Custom APIs feature allows admins to limit access to selected custom APIs. It keeps your APIs secure and ensures they are used safely.

Navigate to the Advanced Settings tab of the module.
From the vertical tab, select Restrict custom APIs.

Enter the custom API you want to restrict in the You can add the APIs here field. To add multiple APIs, enter each one on a new line.

Once done, click on the Save All Advanced settings button.

Drupal API Authentication Restrict Custom APIs

Allow & Restrict IP Addresses:

The Allow & Restrict IP Addresses feature improves API security by controlling access through IPs. You can allow only trusted IPs or block specific ones, ensuring that only authorized systems can use the APIs.

Navigate to the Advanced Settings tab of the module.
From the vertical tab, select Allow & Restrict IP Addresses.

Select whether you want to allow or block IP addresses.
Enter the IP address in the You can add the IP Addresses here field. To add multiple IP addresses, separate them with a semicolon (;).

Once done, click on the Save All Advanced settings button.

APIs to be Restricted:

The APIs to be Restricted feature lets you control access to specific APIs, including JSON APIs, RESTful APIs, and custom APIs. It enhances security by enforcing authentication for these APIs.

Navigate to the Advanced Settings tab of the module.
From the vertical tab, select APIs to be Restricted.

Enable the checkbox for the type of API you want to restrict. When making API requests, ensure that the request format for both JSON and REST APIs matches the format specified in the module.

Once done, click on the Save All Advanced settings button.

Drupal API Authentication APIs to be Restricted

Flood Control:

It restricts the number of failed authentication attempts allowed within a set time frame for each user account or IP address. Once the limit is reached, further login attempts are blocked for the configured time window.

Navigate to the Advanced Settings tab of the module.
From the vertical tab, select Flood Control.

Under Maximum Failed Attempts, set the number of failed login attempts allowed before an IP address is blocked.
In Time Window (seconds), set the duration for tracking failed login attempts.

Once done, click on the Save All Advanced settings button.

Token Revocation:

This endpoint is used to revoke an access token generated by the module. Send a POST request to the endpoint with the OAuth/Access Token authentication method enabled, and include the token to be revoked in the request body.

Navigate to the Advanced Settings tab of the module.
From the vertical tab, select Token Revocation.

Use the Revocation Endpoint:

 https://your-drupal-site/rest_api/revoke

Authorization: Bearer Token: If the token is valid, the API responds with a success message confirming that the token was revoked.

Send a POST request to the endpoint with the above parameters.
On successful revocation, you will receive a response:

{
  "status": "success",
  "message": "Token revoked successfully"
}

Once done, click on the Save All Advanced settings button.

Drupal API Authentication Token Revocation

If the configuration was not successful, please contact us at drupalsupport@xecurify.com. Kindly include a screenshot of the error window, and we will assist you in resolving the issue and guide you through the setup.

Single Sign On

SAML Service Provider

OAuth/OpenId Connect Client (SSO)

Social Login Social Sharing

Headless Single Sign-On

SAML Identity Provider

OAuth/OpenId Connect Server

Login using YourMembership

Auto Login and Register using JWT

Multi-Factor Authentication (MFA)

Two Factor Authentication

WooCommerce Password Reset Over OTP

OTP Over Phone Call

Bulk SMS/WhatsApp Notification

OTP Verification

Limit OTP Request

Receive OTP and Notifications on WhatsApp

LDAP/Active Directory Integrations

LDAP/Active Directory Integration for WordPress

WP Staff/Employee Search Directory for Active Directory

LDAP/AD Integration for Cloud & Shared Hosted WordPress

Forms Integration with Active Directory for WordPress

Office365 Integration

SharePoint WordPress

PowerBI WordPress Integration

Outlook and MS Teams Integration

Azure AD / Office 365 app Integrations

Azure AD / Entra ID WordPress Sync

Dynamics CRM 365 WordPress Integration

WooCommerce Integration

WooCommerce Product Sync

WooCommerce Integrator

Dynamics CRM 365 WordPress Integration

Salesforce WooCommerce Integrations

Decentralised ID

Digital ID Login

Web3 WordPress Authentication

WordPress Web3 Suite

WordPress NFT Marketplace

WordPress Smart Contracts

Add-Ons

Page and Post Restriction

LearnDash Integrator

WooCommerce Integrator

SSO Login Audit

Paid Membership Pro integrator

Media Restriction

BuddyPress Integrator

WordPress Discord Integrator

Guest User Login

SCIM User Provisioning

MemberPress Integrator

SSO Session Management

Attribute based redirection

Other Plugins

REST API Authentication

Custom API for WordPress

WordPress Online Proctoring for LMS

No Code Automation

Object Data Sync for Salesforce

WP User Sync Integration for Third Party Apps

WP User and Login Management

Management tool for Web Agency

Single Sign On

SAML SSO

Crowd SSO

Kerberos / NTLM SSO

Helpdesk SSO Integration

OAuth/OpenID SSO

Git Authentication

Advance SSO Option

Help & Support

User Management

SCIM Provisioning

WORD/PDF Exporter

Project Config Manager

Bulk User Management

Centralized License Manager

Custom User Profile

Help & Support