Հայոց Русский

Extra Block Types (EBT) - New Layout Builder experience❗

Extra Block Types (EBT) - styled, customizable block types: Slideshows, Tabs, Cards, Accordions and many others. Built-in settings for background, DOM Box, javascript plugins. Experience the future of layout building today.

Demo EBT modules Download EBT modules

❗Extra Paragraph Types (EPT) - New Paragraphs experience

Extra Paragraph Types (EPT) - analogical paragraph based set of modules.

Demo EPT modules Download EPT modules

Scroll
  1. Home
  2. JsonDrop API Documentation
  3. JSON:API backend

What JSON:API DOESN'T do

09/04/2025, by Ivan

JsonDrop API Documentation

JSON:API is entirely entity-based. That is, it can't process business rules or do things which can't be thought of as "CRUD". Business logic, like registering a new account, logging in a user, or requesting a new password are not part of JSON:API. Many of these are already provided by Drupal core.

A non-exhaustive list of common needs and solutions are presented below.

Path of interest are:

  • /session/token
  • /user/register
  • /user/login
  • /user/login_status
  • /user/logout

Getting a session token

Get a token

curl \
  --request GET http://drupal.d8/session/token

A token is returned as a plain text (not JSON) in the response body.

Use tokens

Apart from a session token when you login you get a csrf_token and a logout_token. You will need the logout_token to log a user out from system (see below). The csrf_token or the session token is necessary for mutable requests (e.g., POST, PATCH and DELETE).

User registration

While JSON:API as provided by core does not support new user registrations, you may install the JSON:API User Resources module to add user related JSON:API endpoints, including endpoints for registration, resetting password, and updating password.

Alternatively, you may use the core REST module. In order to allow users to register an account via REST, the user_registration REST resource must be enabled (see the REST UI example below).

curl \
--header "Content-Type: application/json" \
--header "X-CSRF-Token: 57sTS-KS7UoYAWAPyzt0iJmo300CFct3jdKyWM-UiiQ" \
--request POST "https://drupal.d9/user/register?_format=json" \
--data '{"name": {"value": "thename123"}, "pass": {"value": "thepass"}, "mail": {"value": "someone@example.com"}}'

Use the session token value with the X-CSRF-Token header. A successful response should contain some user field values, including the UUID of the newly created user:

{
   "uuid" : [ { "value" : "3e75b757-831e-4bf7-bbb6-25b8c50c7ac0" } ]
}

Also note that the response doesn't have "Set-Cookie" headers, even if visitors are allowed to create an account by themselves. So, if no approval or confirmation required, you can log a user in after successful registration using same name and pass values.

User login

curl \
  --header "Content-type: application/json" \
  -c cookie.txt \
  --request POST "http://drupal.d8/user/login?_format=json" \
  --data '{"name":"admin", "pass":"admin"}'

the -c cookie.txt tells curl to save a cookie. Your response should look something like this:

{
   "csrf_token" : "57sTS-KS7UoYAWAPyzt0iJmo300CFct3jdKyWM-UiiQ",
   "logout_token" : "zzRaD8ZgLT1TkG804mYpVVTyM-pgoDm4h9XZ9JHSoCw",
   "current_user" : {
      "roles" : [
         "authenticated",
         "administrator"
      ],
      "name" : "admin",
      "uid" : "1"
   }
}

User status

curl \
  --header "Content-type: application/json" \
  -b cookie.txt \
  --request GET "http://drupal.d8/user/login_status?_format=json"

-b cookie.txt tells curl to send (not save) the cookie from the last request. If you're logged in, this will return 1 in the response body in  plain text format (not JSON), otherwise 0.

User logout

curl \
  --header "Content-type: application/json" \
  -b cookie.txt \
  --request POST "http://drupal.d8/user/logout?_format=json&token=zzRaD8ZgLT1TkG804mYpVVTyM-pgoDm4h9XZ9JHSoCw"

Will log the user authenticated by cookie.txt out. Use the logout_token value with the token query parameter.

Authentication Mechanisms

The example above is just one of many available authentication mechanisms. You should explore which mechanism is best for your needs.

A Drupal OAuth module is available as simple_oauth.

References

See these change records for more information:

For authentication, you may also consider using other authentication protocols.

If you decided to go a "cookie" way with your javascript application on front-end and Drupal on back-end, a browser can do all the cookie storage work for you. Just don't forget that if your JS app and Drupal site have different domain names, you have to allow browsers to store users' session cookies by changing the SameSite cookie parameter to "None". For this, edit your services.yml file and add the following parameter:

parameters:
  session.storage.options:
    cookie_samesite: None

REST UI

The REST UI contrib module allows configuring resources of the core's REST module. Let's take a look how we can enable user registration with this module.

  1. After installing and enabling the REST UI module go to the configuration page at /admin/config/services/rest and enable the "User registration" resource. Edit the resource and enable the POST method, JSON format and Cookie provider for example. Swithing a granularity to "method" also allows you to separate formats and providers per request method.
  2. Then, grant anonymous users a permission to "Access POST on User registration resource" at /admin/people/permissions/module/rest .
  3. Finally, ensure that visitors are able to create an account at /admin/config/people/accounts .

 

Article from Drupal Documentation.