Users and permissions

API route permissions for users without Panel access

Users with Panel access disabled (via permissions.access.panel: false in the user blueprint) generally don’t have access to routes under /api/, except for a few endpoints related to /api/auth to allow them to log in and out.

Kirby doesn’t seem to support per-route permissions (this suggestion may be related). To allow specific API endpoints for non-Panel users, we need to roll our own check:

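'api' => [
    'routes' => [
        // Each route is its own array inside 'routes'.
        [
            'pattern' => 'my-route',
            'method' => 'GET',
            // Skip Kirby's built-in API authentication for this route.
            'auth' => false,
            'action' => function () {
                // Note: You can be fancy and return HTTP 401 / 403 instead.
                if (!kirby()->user() || !csrf(kirby()->request()->csrf())) {
                    return null;
                }
                // Placeholder: return your own response data here.
                return $your_thing;
            }
        ]
    ]
]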
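A variant of the check above that answers with distinct status codes and goes one step further by adding a per-route role allowlist. This is an added example, not code from the original note or from Kirby itself; the `$authorize` helper, the role ids `member` and `editor`, and the returned payload are assumptions.

```php
<?php
// site/config/config.php (added example, not from the original note)

use Kirby\Http\Response;

// Hypothetical helper: authorize a non-Panel user for one custom API route.
// Returns the user on success, or a JSON error Response to send back as-is.
$authorize = function (array $allowedRoles) {
    $kirby = kirby();
    $user  = $kirby->user();

    // No logged-in user: the caller has to authenticate first.
    if ($user === null) {
        return Response::json(['status' => 'error', 'message' => 'Unauthenticated'], 401);
    }

    // 'auth' => false turns off Kirby's API authentication for the route,
    // so the CSRF token is verified here, as in the note's own check.
    if (csrf($kirby->request()->csrf()) !== true) {
        return Response::json(['status' => 'error', 'message' => 'Invalid CSRF token'], 403);
    }

    // Per-route allowlist of role ids (the ids passed in are assumptions).
    if (in_array($user->role()->id(), $allowedRoles, true) === false) {
        return Response::json(['status' => 'error', 'message' => 'Forbidden'], 403);
    }

    return $user;
};

return [
    'api' => [
        'routes' => [
            [
                'pattern' => 'my-route',
                'method'  => 'GET',
                'auth'    => false,
                'action'  => function () use ($authorize) {
                    $result = $authorize(['member', 'editor']);
                    if ($result instanceof Response) {
                        return $result; // 401 or 403, passed through unchanged
                    }
                    // Placeholder payload; replace with your own data.
                    return ['email' => $result->email()];
                },
            ],
        ],
    ],
];
```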

Recipes