I’m tasked to provide the excellent Piranha CMS through an API that other UI projects will consume. Piranha docs say it’s designed to run “headless” for this purpose, but not many details on how.

I’ve got the Piranha.WebApi project running, and it serves JSON content of pages as I expect. Currently, it works only when I access it from a browser, because any call to the WebApi prompts for credentials. Once I sign in, the WebApi calls succeed and I can make multiple calls from the same browser.

Now I need to know how other UI code projects can authenticate when calling the WebApi so they can get results.

I’ve reviewed the links I could find; no good hints yet:

  • https://piranhacms.org/blog/techniques-for-securing-pages
  • https://github.com/PiranhaCMS/piranha.core/issues/841
  • https://github.com/PiranhaCMS/piranha.core/issues/546

Any suggestions will be very helpful!

The package Piranha.WebApi uses claims to verify the caller, but how these claims actually get assigned to the user is up to you. The default security implementation Piranha.AspNetCore.Identity by default configures cookie-based security, but if you’re only using your application in a headless manner another security setup could probably be beneficial.

More information on how to configure the Identity module can be found here:


Another option is to just provide your own Api instead of using the Piranha.WebApi package. If you take a look at the code for the Api-package here you can see that there’s absolutely no logic in these endpoints, they just call the registered Piranha.IApi object.


Best regards