Playing with the Joomla Web Services (API) - part 3
[ this article is part of a series ]
5. How to launch any of the scripts automatically
Given the fact that our scripts here are independent of Joomla
- we can put them on our own website
- or even on another server (if we trust its owner of course, since being able to see the Token means being a Super User)
Lauching any of the scripts can be simply done:
- by opening the corresponding URL in a browser
- either directly
- either for example thanks to a nice button in the backend
- by calling this URL in any piece of code (PHP or other)
- by setting up a Cron job calling this URL
- either via the tool provided by your host (free)
- either via some online tool providing cron tasks (in general paid)
- by setting up a Task Scheduler in Joomla
So obviously it means that you can automate the execution of the creation / update of your Joomla Articles at any time interval.
5.1. Example 1: via a nice button in the backend
In Joomla 4 it has become even easier than before to create a Custom HTML Module in the backend.
Take advantage of this feature to create a nice interface to your Users.
5.2. Example 2: via Joomla Task Scheduler
The Task Scheduler is a new feature introduced with Joomla 4.
- Go to System > Schedule Tasks
- Click on the New button
- Create a Task of Type “GET Request”
- Configure it (put an absolute link for “Request URL”. Example: https://www.MYDOMAINNAME.com/api-blabla.php)
6. Be the only one who can run your scripts
If somebody know that you have a script called for example
api-test.php, this person could flood your websites with request on that url.
A typical way to avoir that is on Apache servers is to create a htpsswd, meaning you have to
- add a few lines in your .htaccess
- add a .htpsswd file, to which your .htaccess lines will refer with the correct path (for exemple
When a htpsswd is enabled, you get a popup asking for the defined username & password before accessing.
You can typically
- either use your Host tools to generate such an .htaccess rule
- or use an online generator (like https://hostingcanada.org/htpasswd-generator)
But we need to be more specific because
- we only want to block our scripts, not our whole website.
- we only want to block our scripts if they are launched in the browser, not if they are launched by the website itself
- either via some code
- either via the Task Scheduler
Let us first show a good example of such an .htaccess rule:
<FilesMatch "^api*"> AuthType Basic AuthBasicProvider file AuthUserFile /YOUR_PATH/public_html/.htpasswd AuthName secure <RequireAny> Require valid-user Require ip 127.0.0.1 220.127.116.11 </RequireAny> </FilesMatch>
7. Change the API Token if needed
If you have any reason to think that your API key is not private any more (like me after having shared this presentation) then simply Edit the User in question, go to the Joomla API Token tab and click on Reset
- the old Token is revoked
- a new key is displayed, which you can now paste in all your scripts
If a script having a wrong or revoked Token is called then it will display the following error message: “forbidden”
7.1. How did restrict the rule to our scripts
Let’s suppose that all my scripts filenames start with
Then I want to have this htpsswd popup asking only for the files starting with
This is why in the snippet of .htaccess below we have
7.2. How did we allow the scripts if launched by the website itself
See the line
Require ip 127.0.0.1 18.104.22.168
- 127.0.0.1 corresponds to the localhost. In some cases it is enough
- in my case though, when launching my script with Joomla’s Task Scheduler, my script was blocked: I also had to allow explicitely the IP of my server
- Q: So how did I find the IP address of my server?
- A: Simply by checking the IP address given for “A Record” for my Domain Name, with any online tool like https://www.ns-lookup.io/
7.3. More information
For more information about this kind of .htaccess rules, see https://httpd.apache.org/docs/2.4/upgrading.html