Authentication
While the Public role can be configured to make data available without authentication, anything that is not public requires a user to authenticate their requests.
Each user can have a single Static Token that does not expire (though it can be regenerated). Standard and Session Tokens are returned after a user logs in, are short-lived, and need refreshing.
Requests can be authenticated in the following ways:
Add the following header: Authorization: Bearer <token>.
You do not need to set anything. The directus_session_token is used automatically.
Append the following query parameter: ?access_token=<token>.
Using a query parameter for authentication can lead to it being revealed or logged. If possible, use another method.
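The logging risk described above, as an added example that is not part of the Directus documentation or code base: it builds a request that keeps the token in the Authorization header, and audits access-log lines for tokens that were sent as ?access_token=. The function names, the host directus.example.com, the articles collection and the log lines are all constructed for illustration.

```javascript
// Added example: function names and sample data are illustrative assumptions.

// Build a request that carries the token in the Authorization header,
// so the token never becomes part of the URL (and of any URL-based log).
function buildHeaderAuthRequest(baseUrl, path, token) {
  const url = new URL(path, baseUrl);
  if (url.searchParams.has('access_token')) {
    throw new Error('token must not be placed in the query string');
  }
  return { url: url.toString(), headers: { Authorization: `Bearer ${token}` } };
}

// Replace the value of every access_token query parameter in a string
// (a URL or a whole log line) with a fixed marker.
function redactAccessToken(text) {
  return text.replace(/([?&]access_token=)[^&\s"#]+/gi, '$1[REDACTED]');
}

// Scan access-log lines and report those whose request URL carried a token.
// Each finding holds the 1-based line number and a redacted copy of the line.
function auditAccessLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    if (/[?&]access_token=[^&\s"#]+/i.test(line)) {
      findings.push({ lineNumber: i + 1, redacted: redactAccessToken(line) });
    }
  });
  return findings;
}

// Constructed sample input (not real log data, not real tokens).
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /items/articles HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /items/articles?access_token=EXAMPLE-TOKEN-1&limit=5 HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /users/me?fields=id&access_token=EXAMPLE-TOKEN-2 HTTP/1.1" 200 128',
];

console.log(auditAccessLog(SAMPLE_LOG));
```

Any token that the audit finds in a log should be treated as exposed and regenerated, since the log copy outlives the request.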