Key Authentication Module for Drupal

Published May 14, 2021
Updated May 20, 2021
By Simon

This module is necessary if you intend to expose an API to post to from a decoupled front-end. The module creates an API key for each user whose role has permission to use. The API key can be used in a request to your Drupal site instead of using the username and password basic authentication.


Actively maintained Yes, a small user base of ~1000 at the time of writing.
Requires No extra requirements.
Libraries No library.

Install either using the UI or composer.


There are some basic configuration settings that can be found where you would expect to find them; in the web services section of the configuration section.

Manage > Configuration > Web services > Key authentication

Once installed you can configure the module to generate the authentication keys on user creation automatically. However, if you install the module you will need to visit your profile page to generate a key.

Other required settings set by default, you can change them if you like, are:

  • Key-length: set to 32 by default.
  • Parameter name: api-key by default.
  • Detection method: you can use either header or query.

The module page has a good rundown of all the features but I will point out a few things below.


If you want other user roles other than the administrator role to have key authentication you can give each role Use key authentication permissions.

drupal api key authentication module permissions settings


Each user can generate a key, delete a key, and regenerate a key on their profile page if they have permission.

Thought Piece
I am unsure of all the use cases that would require all users to have or need keys but it is good to know the functionality is built in. However a few idea that come to mind are:

  1. You build a decoupled secure back-end for writers to post from a mobile app. This would be a likely use case. However, it would unlikely you would need to give reset access and the app would need to have a secure login process so the ability to post was restricted.
  2. Maybe a social network where users can post from an app to their profile and can reset the key is necessary to stop abuse. Again allowing users to post to the site using a key that is exposed would open abuse so other measures of checking and authentication would need to be in place.

Overall it is a basic module with a specific use case; it makes it super easy to mask username and passwords with a key to access the site for API calls.

I have written about using the key authentication module in a mini-series about using Vue.js and Drupal. The article series looks at making POST requests from a Vue.js front-end. The series as well as covering what you need to do in Drupal covers Vue.js and JSON:API in a practical use case.

If you are interested in using Drupal be sure to sign up for the newsletter as there will be weekly Drupal tips and tricks dropping in that with other mainly front-end development insights and technology reviews.

Thanks for reading.