api.yaml

enabled: true
route: /api
version_prefix: v1

auth:
  api_keys_enabled: true
  jwt_enabled: true
  # The JWT signing secret is auto-generated and stored, outside this config
  # tree, in user/config/plugins/api-private.php (a non-committed PHP file,
  # mirroring Grav core's security-private.php). It is intentionally not set here.
  jwt_algorithm: HS256
  jwt_expiry: 3600
  jwt_refresh_expiry: 604800
  session_enabled: true

cors:
  enabled: true
  # Cross-origin browser access is OFF by default (same-origin only). To allow a
  # browser app on another origin, list its exact scheme+host here, e.g.
  # 'https://app.example.com'. '*' is intentionally NOT the default: the API
  # serves authenticated data, and a wildcard lets any website read responses
  # for any token it can supply. A configured '*' is honored only for
  # unauthenticated endpoints.
  origins: []
  methods:
    - GET
    - POST
    - PATCH
    - DELETE
    - OPTIONS
  headers:
    - Content-Type
    - Authorization
    - X-API-Key
    - X-API-Token
    - X-Grav-Environment
    - If-Match
    - If-None-Match
  expose_headers:
    - ETag
    - X-Invalidates
    - X-RateLimit-Limit
    - X-RateLimit-Remaining
    - X-RateLimit-Reset
  max_age: 86400
  credentials: false

rate_limit:
  enabled: true
  requests: 120
  window: 60
  storage: file

flex_backend:
  pages: true
  accounts: true

pagination:
  default_per_page: 20
  max_per_page: 1000

invitations:
  # Default lifetime of a user invite link, in seconds (default 7 days).
  expiration: 604800

popularity:
  enabled: true
  # Skip page views from logged-in admins so your own testing/demo visits
  # don't skew the stats.
  exclude_admin: true
  # Visitor IPs or CIDR ranges to exclude from tracking, e.g.
  # '203.0.113.7' or '203.0.113.0/24' (IPv4 and IPv6 both supported).
  exclude_ips: []
  history:
    daily: 30
    monthly: 12
    visitors: 20
  ignore:
    - '/test*'
    - '/modular'