Acquia CMS

Setting up API consumers

For information about how to quickly set up an API consumer for a Next.js app, see Acquia CMS Next.js starter kit.

Consumers are API clients that connect to Drupal to interact with RESTful APIs, including the native JSON:API. You can find a list of consumers on the Headless dashboard.

Consumers are made up of the following components:



Client ID

The identity of the consumer.


A user in the CMS the consumer can masquerade as.


The permissions the consumer has when interacting with the CMS. For example, which parts of the data model they can read and write to.

Consumer secret key

A secret key that becomes the OAuth connection credentials when combined with the UUID.

OAuth token

A token issued to the consumer for making API requests.

Creating a new consumer

  1. On the Headless dashboard, in the API Keys section, click Create new consumer.

    The Consumers module displays the consumer creation form.

  2. On the Add consumer page, configure the following fields that establish the general purposes of API connectivity:

    1. In Label, enter a user-friendly name that the consumer will use.

      This makes it easier to find the consumer and its purpose, when required.

    2. In User, enter the name of the user that the consumer masquerades as when it performs an action such as publishing or deleting content.

    3. In Scopes, select the appropriate checkboxes based on the Drupal roles that the consumer will inherit.

      This is called Scope because it refers to the OAuth standard for scopes.

    4. In Secret, enter the consumer secret key.

      Only the consumer knows this value, which the CMS stores in encrypted form. The consumer uses it to authenticate and obtain an OAuth token.

  3. Click Save.

    The system displays the consumer on the Headless dashboard.


The consumer secret is stored as an encrypted value inside the CMS and cannot be retrieved. You must store this value securely with the consumer application.

In the Headless dashboard, you see the Client ID that was generated for your consumer. Client ID and Secret are the credentials required for OAuth authentication.
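The following sketch shows how a consumer application might hold the Client ID and Secret and exchange them for an OAuth token. It is an added example, not Acquia's code. The environment variable names, the `/oauth/token` path, the `client_credentials` grant type and the function names are assumptions that are not stated on this page.

```javascript
// Added example: consumer-side handling of the Client ID and Secret.
// Assumptions: env var names, token path and grant type are not from the page.
const TOKEN_PATH = "/oauth/token"; // assumed token route on the CMS

// Read credentials from the environment so the secret never lives in source control.
function loadConsumerCredentials(env) {
  const clientId = (env.DRUPAL_CLIENT_ID || "").trim();
  const clientSecret = env.DRUPAL_CLIENT_SECRET || "";
  if (!clientId || !clientSecret) {
    throw new Error("DRUPAL_CLIENT_ID and DRUPAL_CLIENT_SECRET must both be set");
  }
  return { clientId, clientSecret };
}

// Build the token request. Plain HTTP is refused because the secret travels in the body.
function buildTokenRequest(baseUrl, creds) {
  const url = new URL(TOKEN_PATH, baseUrl);
  if (url.protocol !== "https:") {
    throw new Error("refusing to send the consumer secret over " + url.protocol);
  }
  const body = new URLSearchParams({
    grant_type: "client_credentials", // assumed grant type
    client_id: creds.clientId,
    client_secret: creds.clientSecret,
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  return { url: url.toString(), init: { method: "POST", headers, body: body.toString() } };
}

// Produce a log-safe description of the request with the secret masked.
function redactForLog(request) {
  const params = new URLSearchParams(request.init.body);
  if (params.has("client_secret")) params.set("client_secret", "[REDACTED]");
  return request.init.method + " " + request.url + " " + params.toString();
}

// Exchange the credentials for a token; errors mention only the redacted request.
async function fetchAccessToken(baseUrl, env) {
  const request = buildTokenRequest(baseUrl, loadConsumerCredentials(env));
  const response = await fetch(request.url, request.init);
  if (!response.ok) {
    throw new Error("token request failed: HTTP " + response.status + " for " + redactForLog(request));
  }
  const json = await response.json();
  return { accessToken: json.access_token, expiresIn: json.expires_in };
}
```

Call `fetchAccessToken("https://<your-cms-host>", process.env)` from server-side code only, so the secret is never shipped to the browser.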