There are two kinds of credential: user accounts (with a JWT from login) and API keys. Both are sent as Authorization: Bearer <credential>.

Users and roles

Users authenticate at /admin/login and receive a 12-hour JWT.
RoleCan do
adminEverything, including managing content types, users, keys, and webhooks.
editorRead and mutate any entry.
authorRead any entry; mutate only entries they created.
Admins create more users at POST /admin/users.

API keys

API keys are for programmatic access, typically from a frontend. There are two roles:
  • read — read published entries (and non-public types).
  • write — read drafts and create, update, publish, and delete entries.
An admin creates keys at POST /admin/api-keys. The raw key is returned exactly once and stored only as a hash — save it immediately.

Self-service read keys

If the deployment has KEYGEN_PASSWORD set, anyone with that password can mint a read-only key at /keygen — a small web form, no admin login required. Write keys always require an admin.
The /keygen password is a shared secret. Anyone who has it can create read keys, so treat it accordingly and rotate it if it leaks. It can never create write keys.

Access summary

CallerRead publishedRead draftsMutate
anonymouspublic types onlynono
read keyall typesnono
write keyall typesyesany entry
author userall typesyesown entries
editor / admin userall typesyesany entry