Authentication
API keys, request headers, and how to authenticate every request
Authenticate every Partners API request using an API key sent in the Authorization header.
Prerequisites:
- A Basker CMS user account
- Access to the CMS admin panel
Steps
1. Generate an API key
Sign in to the CMS admin panel. Click your avatar in the top-left corner to open your user profile. Scroll to the API Key section and click Generate New API Key. Copy the key immediately -- it is only displayed once in full.
Result: You have a key such as a1b2c3d4-e5f6-7890-abcd-ef1234567890.
2. Include the key in every request
Set the Authorization header with the prefix users API-Key followed by a space and then your key.
curl -s \
-H "Authorization: users API-Key a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
-H "x-basker-tenant-slug: royal-opera-house" \
"https://api.basker.app/partners/2026-02/royal-opera-house/pages"
Result: A 200 response with the requested data.
3. Verify authentication is working
If the key is valid, you receive the expected JSON response. If it is missing or invalid, the API returns:
{
"error": "Unauthorized",
"message": "Valid API key required"
}
HTTP status: 401.
Header format
The header value must follow this exact format:
Authorization: users API-Key <your-api-key>

| Component | Value | Notes |
|---|---|---|
| Scheme | users API-Key | Not Bearer. Not API-Key alone. The prefix users API-Key is required exactly as shown, including the space. |
| Key | Your generated key | The raw key string, not base64-encoded |
Correct:
Authorization: users API-Key a1b2c3d4-e5f6-7890-abcd-ef1234567890
Incorrect:
Authorization: Bearer a1b2c3d4-e5f6-7890-abcd-ef1234567890
Authorization: API-Key a1b2c3d4-e5f6-7890-abcd-ef1234567890
Authorization: users api-key a1b2c3d4-e5f6-7890-abcd-ef1234567890
How key verification works
When you generate a key, Basker stores a hashed version of it (using SHA-1 and SHA-256 with HMAC). The raw key is never stored. On each request, the API hashes the key you send and compares it against the stored hash. This means:
- Lost keys cannot be recovered. Generate a new one.
- Keys are safe at rest in the database.
- Both SHA-1 and SHA-256 hashes are checked for backward compatibility.
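The header check and hash comparison described above, as an added Python example; it is not Basker's own code. The page does not say how the HMAC is keyed or how digests are stored, so SERVER_SECRET, the digest sets and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SCHEME = "users API-Key "  # exact, case-sensitive prefix from the header format above

# Assumption: a server-side secret keys the HMAC; this value is constructed.
SERVER_SECRET = b"constructed-example-secret"


def hash_key(raw_key, algo):
    """HMAC the raw key with the server secret; only this digest is stored."""
    return hmac.new(SERVER_SECRET, raw_key.encode(), algo).hexdigest()


def parse_authorization(header):
    """Return the raw key, or None if the header does not use the exact scheme."""
    if not header or not header.startswith(SCHEME):
        return None
    key = header[len(SCHEME):]
    # Reject empty keys and keys with stray whitespace.
    if not key or any(ch.isspace() for ch in key):
        return None
    return key


def authenticate(header, stored_digests):
    """Return (HTTP status, body) using the 401 body documented on this page."""
    key = parse_authorization(header)
    if key is not None:
        for algo in ("sha256", "sha1"):  # sha1 is checked for backward compatibility
            candidate = hash_key(key, algo)
            # compare_digest avoids leaking how many leading characters matched
            if any(hmac.compare_digest(candidate, d) for d in stored_digests):
                return 200, {}
    return 401, {"error": "Unauthorized", "message": "Valid API key required"}


# Constructed sample data: the example key from this page, held as digests only.
EXAMPLE_KEY = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
STORED = {hash_key(EXAMPLE_KEY, "sha256")}
LEGACY_STORED = {hash_key(EXAMPLE_KEY, "sha1")}
```

The three header forms listed as incorrect above all fail in parse_authorization before any hash is computed, and each gets the same 401 body as a wrong key.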
Public routes
The following routes do not require authentication:
| Route | Purpose |
|---|---|
| GET /partners/openapi | OpenAPI specification |
| GET /partners/docs | Swagger UI |
All other /partners/ routes require a valid API key.
Using API keys with the native Basker CMS API
API keys are only accepted by the Partners API at /partners/. If you send an Authorization: users API-Key header to the native Basker CMS REST API at /api/, the request is rejected with a 403 Forbidden response:
{
"error": "Forbidden",
"message": "API keys must use the Partners API at /partners/:version/:tenant/*"
}
Result
When complete, you will have:
- An API key stored in your CMS user profile
- The ability to authenticate every Partners API request
Verify: Run the curl command from Step 2. You should receive a 200 response with JSON data.
Troubleshooting
"Unauthorized -- Valid API key required"
The key is missing, expired, or malformed. Regenerate a key from your CMS profile and try again.
"Forbidden -- API keys must use the Partners API"
You sent the users API-Key header to /api/ instead of /partners/. Change the URL to use the Partners API path.
Related
- Tutorial: Make your first API call -- step-by-step first request
- Understanding multi-tenancy -- how tenant context works alongside authentication
- Error reference -- all error codes and responses