Token Based Authentication - How to use it in Joomla 4


Joomla 4 has tons of new features, and in this blog post we’ll explore two of them: passwordless authentication (a.k.a. token-based authentication) and the Joomla Web Services API.

If you are not familiar with the Joomla 4 API yet, please read our previous blog post here

Passwordless authentication in a nutshell

Passwordless authentication is something that most of us use every day without noticing the technology behind it. For instance, whenever you click those "Login with Google" or "Login with Facebook" buttons, they do the very same thing: the website using the button doesn't get your password but gets a token that provides information on your account. This is a very secure way of granting access to 3rd parties, since you can very easily revoke the token at any time, thus stopping any unauthorized access.

Well, the good news is, Joomla 4 has this functionality built in, and it can be used for a variety of functions including, but not limited to, accessing site content, managing users and managing the global configuration. The beauty of Joomla is that 3rd party extensions are also able to leverage this functionality and provide an API for the same. A few years (or months) down the road, you may see developers giving you the ability to manage your Joomla site from a mobile or desktop app, completely eliminating the need to log into the Joomla backend for any kind of content update.

How to use Token Based Authentication in Joomla 4

Joomla 4 offers, in its core, the ability to access pretty much all your site’s content using web services.

So, to access all articles of your website, you’d make a request to the following URL:


Providing a super admin username/password using Basic Authentication.

However, you can also access the same content without a username and password, using an OAuth token instead. Dev notes on how this feature works here.

In this demo we are only going to be accessing articles but this works for creating articles, deleting articles and much more.

I am going to use Postman for this demo but you can follow along and use any tool of your choice. Bearer Token Auth is pretty standard as well, you can read more about it here.

First we need to make sure Token Authentication is enabled in Joomla and get our Token.

Log in to your Joomla 4 backend and navigate to System >> Plugins.

Search for Token

Enable both the Token plugins if they are not already enabled.

Now, let’s get our token that will be used for authentication.

Go to Users >> Manage and select the user you want to use for Authentication (I’ll be selecting the admin user of the website).

On the user editing screen, go to the Joomla API Token tab. (Note: if you don’t see the API Token tab, you likely did not enable the User - Token plugin; go back to the Plugin Manager and make sure the plugin is enabled.) You’ll see a notice similar to the following message.

Just click save on the top right and the token for your user will be created (this is only needed the first time).

You’ll see a screen similar to the below screenshot:

Copy the token and let’s go back to Postman.

Create a new request. It’s going to be a GET request; in the Authorization tab, select Bearer Token and paste your token in the input box.

Hit Send and you shall have a list of articles on your Joomla site:

The obvious benefit of using token authentication is that you are not giving out your actual password, and you can disable or reset the token any time you wish (thus cutting off access for the application using the token).

One user can only have one token at any given point of time.
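The same GET request as the Postman steps above, written as an added Python example (not code from the original post or from the Joomla project). It assumes the core articles route `/api/index.php/v1/content/articles` and a JSON:API response with `data[].attributes.title`; the `JOOMLA_URL` and `JOOMLA_TOKEN` environment variable names are hypothetical.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Assumption: core Joomla 4 Web Services route for articles.
ARTICLES_ROUTE = "/api/index.php/v1/content/articles"


def build_articles_request(base_url: str, token: str) -> urllib.request.Request:
    """Build the GET request from the Postman steps, token sent as a Bearer credential."""
    parts = urlsplit(base_url)
    # Anyone who sees a bearer token on the wire can replay it, so refuse
    # to send it over anything but HTTPS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an absolute https:// URL")
    token = token.strip()
    # Whitespace or newlines inside the token would corrupt the header.
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    # Keep any sub-directory the site is installed in (e.g. /joomla).
    url = f"https://{parts.netloc}{parts.path.rstrip('/')}{ARTICLES_ROUTE}"
    return urllib.request.Request(
        url,
        method="GET",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.api+json",
        },
    )


def list_article_titles(base_url: str, token: str) -> list:
    """Send the request and return the article titles (assumed JSON:API shape)."""
    request = build_articles_request(base_url, token)
    with urllib.request.urlopen(request, timeout=10) as response:
        body = json.load(response)
    return [item["attributes"]["title"] for item in body.get("data", [])]


if __name__ == "__main__":
    # Reading the token from the environment keeps it out of source control;
    # the token itself is never printed.
    site = os.environ["JOOMLA_URL"]
    for title in list_article_titles(site, os.environ["JOOMLA_TOKEN"]):
        print(title)
```

Because the token carries the full permissions of the user it belongs to, creating it for a dedicated account with only the access the client needs limits the damage if it leaks.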

Hard to follow the above tutorial? Here is a video tutorial of the same.
