Authentication & Headers
Overview
The Pragma CMS API acts as a bridge for both internal system operations (admin panel, builders) and external headless consumption.
This includes usage from:
- Web frontends
- Mobile applications
- External services
- Server-side integrations
Security and authentication rules depend heavily on the endpoint you are targeting.
Public Endpoints (Headless)
Public endpoints (like /api/content) are strictly read-only (GET only) and return published content exclusively.
These endpoints are open and automatically set Access-Control-Allow-Origin: * so that external frontend applications can make cross-origin requests; that wildcard is appropriate for this surface precisely because it is read-only and exposes nothing beyond published content.
Required Headers:
No authentication headers are required for public endpoints, but specifying the Content-Type is recommended.
GET /api/content?action=list&type=blog
Accept: application/json
Admin & Protected Endpoints
All other endpoints (entries.php, forms.php, media.php, etc.) require active user authentication and specific permission checks (e.g., UserManager::userHasPermission('entry_update')).
1. Session Authentication
Protected APIs rely on the standard PHP session ($_SESSION['logged_user']). You must be logged into the CMS for the browser to pass the correct session cookie.
2. The X-Requested-With Header
To prevent the CMS core from accidentally caching API responses as HTML or triggering unnecessary asset loading, all AJAX/API calls must include this header:
X-Requested-With: XMLHttpRequest
3. CSRF Protection (POST/PUT/DELETE)
For any endpoint that modifies data, Pragma CMS enforces strict CSRF protection. You must pass the session's CSRF token either in the headers or in the POST payload.
POST /api/taxonomies_terms?type=category
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: 3b9c...a1f2
Content-Type: application/json
(Note: if you use the built-in JS apiRequest() utility, these headers and the CSRF token are handled for you automatically.)
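Putting the three rules above together, the following client helper is an added example and not the CMS's own apiRequest() utility; it assumes the admin panel renders the session CSRF token into a <meta name="csrf-token"> tag, and the endpoint paths are only the ones quoted on this page.

```javascript
// Added example: a minimal client helper applying the header rules above.
// Not the CMS's apiRequest() utility; the <meta name="csrf-token"> source
// of the token is an assumption.

const MUTATING_METHODS = new Set(["POST", "PUT", "DELETE", "PATCH"]);

// Build fetch() options for a Pragma CMS API call.
// - Every call carries X-Requested-With so the core treats it as an API call.
// - Protected endpoints ride on the PHP session cookie, so credentials are
//   sent for same-origin requests only (never to third-party origins).
// - Mutating methods must carry the CSRF token; refusing to build such a
//   request without one fails closed instead of producing a 403 later.
function buildApiRequest(path, { method = "GET", body = null, csrfToken = null } = {}) {
  const verb = method.toUpperCase();
  const headers = {
    "X-Requested-With": "XMLHttpRequest",
    Accept: "application/json",
  };
  const options = { method: verb, headers, credentials: "same-origin" };

  if (MUTATING_METHODS.has(verb)) {
    if (!csrfToken) {
      throw new Error(`${verb} ${path} requires a CSRF token`);
    }
    headers["X-CSRF-TOKEN"] = csrfToken;
  }
  if (body !== null) {
    headers["Content-Type"] = "application/json";
    options.body = JSON.stringify(body);
  }
  return { url: path, options };
}

// Read the session CSRF token from the page (assumed to be rendered by the
// admin panel into <meta name="csrf-token" content="...">). Returns null
// when no document or tag is present, so mutating calls fail closed.
function readCsrfToken(doc = globalThis.document) {
  const meta = doc ? doc.querySelector('meta[name="csrf-token"]') : null;
  return meta ? meta.getAttribute("content") : null;
}

// Send the request and surface non-2xx responses as errors.
async function apiCall(path, opts = {}) {
  const { url, options } = buildApiRequest(path, { csrfToken: readCsrfToken(), ...opts });
  const res = await fetch(url, options);
  if (!res.ok) throw new Error(`${options.method} ${url} failed: HTTP ${res.status}`);
  return res.json();
}
```

apiCall("/api/content?action=list&type=blog") works without a token, while apiCall("/api/taxonomies_terms?type=category", { method: "POST", body: {...} }) is rejected client-side if no token is available.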