Commit 2d5b37de authored by totten

api/v3/rest.md - Update to reflect #19727

parent 671d1e3a
......@@ -52,7 +52,7 @@ As we proceed through this chapter, we will consider different API features. Whe
| APIv4 | **Yes** | No | No |
| Authentication: AuthX | **Yes** (v5.36+) | No | No |
| Authentication: Session-Cookie | **Yes** | No | No |
| Authentication: Traditional Keys | Work-in-progress | **Yes** | **Yes** |
| Authentication: Traditional Keys | **Yes** (v5.47+) | **Yes** | **Yes** |
| CMS: Backdrop | **Yes** | **Yes** | No |
| CMS: Drupal 7 | **Yes** | **Yes** | No |
| CMS: Drupal 8+ | **Yes** | Unofficial, Deprecated | No |
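Review bot: The updated "Authentication: Traditional Keys" row now reads `**Yes** (v5.47+)` with no qualifier, while the table added further down in this same patch limits that support to `civicrm/ajax/rest` and excludes all other `civicrm/ajax/*` end-points. Suggest carrying that restriction into this cell, or linking the cell to the "Support for traditional REST keys" table, so a reader who only consults the summary matrix does not assume key authentication is accepted on every AJAX route.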
......@@ -87,11 +87,6 @@ You may choose among a handful of end-point URLs. Expand the sections below for
Stylisitcally, this is similar to [APIv4 REST](../v4/rest.md) end-point.
!!! warning "HTTP Header "`X-Requested-With: XMLHttpRequest`""
When using this end-point, one must pass an extra HTTP header (`X-Requested-With: XMLHttpRequest`).
<!-- Hopefully, this will be obviated for AuthX-style requests within a few cycles. -->
??? example "APIv3 REST via standalone script: `extern/rest.php`"
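Review bot: With the `X-Requested-With: XMLHttpRequest` admonition dropped from this end-point's section, nothing here tells the reader that the header may still be needed for this end-point; the replacement text later in the patch says it is "required for some (but not all)" clients. Suggest leaving a one-line pointer to the new "X-Requested-With" section where the warning used to be. Separately, the context line above has a typo: "Stylisitcally" should be "Stylistically".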
......@@ -174,6 +169,30 @@ Every request for APIv3 should include authentication details. These may be subm
same for all traditional REST users. The [API key](https://docs.civicrm.org/sysadmin/en/latest/setup/api-keys/) uniquely identifies the
user or agent making the request.
Support for traditional REST keys is limited to specific end-points and versions:
| End-Point URL | Support Traditional REST Keys? |
| -- | -- |
| `civicrm/ajax/rest` | Yes (v5.47+). This is __only__ supported on `civicrm/ajax/rest`; not by any other `civicrm/ajax/*` end-points. |
| `extern/rest.php` | Yes (All versions) |
| WP REST | Yes (v5.25+) |
## X-Requested-With
APIv3 REST requests should generally set this HTTP header:
```
X-Requested-With: XMLHttpRequest
```
This marks the HTTP request as a web-service-call. The `X-Requested-With` header was originally introduced to support CiviCRM
web-pages that use Javascript and `XMLHttpRequest`. However, specifying `X-Requested-With` can be helpful for other clients as well.
This header mitigates the risk of [Cross-Site Request Forgery (CSRF)](../../security/csrf.md). It is required for some (but not all)
APIv3 REST clients. Clients *should* proactively set the header to ensure broader compatibility with more deployment scenarios.
For more complete details (*eg when header is required; when it isn't*), see [CSRF: APIv3/APIv4 REST](../../security/csrf.md#rest).
## API Data
As you may recall, APIv3 is built around the triplet [(`$entity`, `$action`, `$params`)](usage.md), e.g.
......
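Review bot: In the new "X-Requested-With" section, the sentence "It is required for some (but not all) APIv3 REST clients" does not let a reader tell from this page whether their client is in the required group, which matters because the header is presented as the CSRF mitigation. Suggest stating the main case where it is required in one sentence here and keeping the link to `csrf.md#rest` for the full rules. Minor style points in the same hunk: `__only__` uses a different emphasis marker from the `**Yes**` used in the matrix, "eg" should be "e.g.", and "Javascript" should be "JavaScript".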