I have…
- Read the following guideline: https://docs.squidex.io/01-getting-started/installation/troubleshooting-and-support. I understand that my support request might get deleted if I do not follow the guideline.
- Used code blocks with ``` to format my code examples like JSON or logs properly.
I’m submitting a…
- Regression (a behavior that stopped working in a new release)
- Bug report
- Performance issue
- Documentation issue or request
Current behavior
Hello,
I’m trying to manage API access permissions but am running into some issues.
In Settings > Clients, I have a “default” client with the “Owner” role and “Allow anonymous access” enabled.
If I access https://www.mysite.com/api/content/myapp/newsletter in the browser, it returns JSON with the list of subscribed emails.
I want this endpoint to be accessible only to specific users (ideally via token authentication), and not publicly available.
I created a role (“Test_API”) with only contents.*.read and assets.read permissions, and with “Hide API” checked. I also set this as the default app role, but the endpoint still returns data when accessed directly in the browser.
Is there a way to block public access entirely and require authentication (e.g., via Postman) to access this API?
Thanks.
Expected behavior
Minimal reproduction of the problem
Environment
App Name:
- Self hosted with docker
- Self hosted with IIS
- Self hosted with other version
- Cloud version
Version: [VERSION]
Browser:
- Chrome (desktop)
- Chrome (Android)
- Chrome (iOS)
- Firefox
- Safari (desktop)
- Safari (iOS)
- IE
- Edge
Others: