Logo C Curry CMS Documentation
Sign In Get Started

Authentication

How to create API tokens and authenticate requests to the CurryCMS API.

Authentication

The CurryCMS API uses bearer token authentication. You'll create a token in your account settings, then include it in the Authorization header of every API request.

Creating an API Token

  1. Sign in to CurryCMS
  2. Go to Settings → Developer
  3. Click Create Token
  4. Enter a name for your token (e.g., "Production LMS Integration")
  5. Select the Organization this token should access
  6. Click Create

Important: Copy your token immediately! For security, the full token is only shown once. If you lose it, you'll need to create a new one.

Using Your Token

Include the token in the Authorization header with the Bearer prefix:

curl -H "Authorization: Bearer YOUR_API_TOKEN" \
  https://your-domain.com/api/v1/curricula

Example with JavaScript

const response = await fetch('https://your-domain.com/api/v1/curricula', {
  headers: {
    'Authorization': 'Bearer YOUR_API_TOKEN',
    'Content-Type': 'application/json'
  }
});

const data = await response.json();

Example with Ruby

require 'net/http'
require 'json'

uri = URI('https://your-domain.com/api/v1/curricula')
request = Net::HTTP::Get.new(uri)
request['Authorization'] = 'Bearer YOUR_API_TOKEN'

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

data = JSON.parse(response.body)

Token Scoping

Each API token is scoped to a specific organization (account). This means:

  • The token can only access curricula belonging to that organization
  • You can create multiple tokens for different integrations
  • Revoking a token doesn't affect other tokens

Rate Limits

API requests are rate-limited per token. Current limits:

Metric Value
Requests per hour 1,000
Window Rolling 1-hour

Rate Limit Headers

Every API response includes rate limit information:

Header Description
X-RateLimit-Limit Maximum requests per hour (1000)
X-RateLimit-Remaining Requests remaining in current window
X-RateLimit-Reset Unix timestamp when the limit resets

Handling Rate Limits

When you exceed the rate limit, the API returns a 429 Too Many Requests response:

{
  "status": "error",
  "data": null,
  "meta": {},
  "errors": [
    {
      "code": "rate_limit_exceeded",
      "message": "Rate limit exceeded. Try again in 1234 seconds."
    }
  ]
}

Best practices:
- Cache responses where possible (the API supports ETags)
- Implement exponential backoff on 429 responses
- Monitor the X-RateLimit-Remaining header proactively

Error Responses

Invalid or Missing Token

{
  "status": "error",
  "data": null,
  "meta": {},
  "errors": [
    {
      "code": "unauthorized",
      "message": "Invalid or missing API key"
    }
  ]
}

HTTP Status: 401 Unauthorized

Expired Token

Tokens can optionally have an expiration date. Expired tokens return the same 401 response.

Managing Tokens

In Settings → Developer, you can:

  • View all your tokens and their last usage time
  • Edit token names
  • Delete tokens that are no longer needed

Deleting a token immediately invalidates it. Any applications using that token will receive 401 errors.

Security Best Practices

  1. Never commit tokens to source control — use environment variables
  2. Use descriptive names — makes it easy to identify and revoke compromised tokens
  3. Create separate tokens per integration — limits blast radius if one is compromised
  4. Rotate tokens periodically — especially for production integrations
  5. Monitor last-used timestamps — identify unused tokens for cleanup

Was this page helpful? |