Authentication

How API authentication works — tokens, headers, and security.

Authentication Methods

SiteDash supports two authentication methods for API access:

1. X-SiteDash-Token Header (Preferred)

curl -H "X-SiteDash-Token: YOUR_TOKEN_HERE" \
  https://preview.sitedash.ddev.site/api/v1/release/current

2. Authorization Bearer Header (Standard)

curl -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  https://preview.sitedash.ddev.site/api/v1/release/current

If both headers are present, X-SiteDash-Token takes precedence.

Token Management

API tokens are managed by administrators through the admin panel at /admin/sitedash-preview/tokens. Each token has:

  • Label: A human-readable name for the token
  • Status: Active or disabled
  • Created date: When the token was generated

Security Best Practices

  • Never commit tokens to version control
  • Use environment variables to store tokens
  • Rotate tokens periodically
  • Disable tokens immediately if compromised
  • Use HTTPS for all API requests
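
One way to apply the environment-variable and HTTPS advice above with curl, as an added example that is not part of SiteDash. The token is read from an assumed SITEDASH_TOKEN variable and handed to curl as a config on stdin, so it does not appear in the command line, process list, or shell history. The function names and the accepted token character set are assumptions.

```shell
#!/bin/sh
# Added example. SITEDASH_TOKEN and the sitedash_* function names are assumed,
# not defined by SiteDash.

# Accept only https:// URLs so the token is never sent in cleartext.
sitedash_check_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# Print a curl config line carrying the preferred X-SiteDash-Token header.
# Fails if the token is unset, or contains characters that could close the
# quoted value or inject extra headers (quotes, spaces, CR/LF).
# Assumption: tokens use only the characters listed in the pattern below.
sitedash_curl_config() {
  if [ -z "${SITEDASH_TOKEN:-}" ]; then
    echo "SITEDASH_TOKEN is not set" >&2
    return 1
  fi
  case "$SITEDASH_TOKEN" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "SITEDASH_TOKEN contains unexpected characters" >&2
      return 1 ;;
  esac
  printf 'header = "X-SiteDash-Token: %s"\n' "$SITEDASH_TOKEN"
}

# GET a URL with the header supplied through "curl --config -" (config read
# from stdin). printf is a shell builtin, so the token never reaches argv.
sitedash_get() {
  sitedash_check_url "$1" || return 1
  _sd_cfg=$(sitedash_curl_config) || return 1
  printf '%s\n' "$_sd_cfg" |
    curl --silent --show-error --fail --config - "$1"
}

# Usage, with SITEDASH_TOKEN exported by a secret store or CI variable:
#   sitedash_get https://preview.sitedash.ddev.site/api/v1/release/current
```
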

Unauthenticated Endpoints

The following endpoints do not require authentication:

  • GET /api/v1/release/current — Latest published release
  • GET /api/v1/release/{version} — Specific release by version