Security · AMP

Securing Liferay Headless REST APIs with OAuth2

Ankita Varani · Published Apr 20, 2026 · 10 min read · View full version

Quick answer

Secure Liferay headless APIs by navigating to System Settings > OAuth2 Administration. Register client applications, choose appropriate authorization flows (Authorization Code or Client Credentials), define specific scopes, and force OAuth2 tokens on all endpoints.

Registering Client Applications

Navigate to OAuth2 Administration in the control panel. Create a profile, set client names, and specify redirection URIs. Liferay will generate a Client ID and Client Secret, which your custom applications will use to request access tokens.

How Do You Define Security Scopes for Headless Access?

Direct Answer: Assign specific permission scopes to client profiles, restricting client operations to specific entities (like read-only blogs access).

Apply the principle of least privilege. Under Scopes, select only the services your app requires (e.g., read access on headless-delivery/structured-content). This ensures a compromised API key cannot access directory schemas or configuration tools.

For additional optimization strategies, visit our detailed Liferay DXP developer blog listing. For configuration specifications, consult the official Liferay Documentation portal.

Applying granular scopes prevents compromised API clients from accessing sensitive user tables or executing admin configurations.

Authenticating API Queries

Clients request tokens by sending credentials to Liferay's token endpoint. Include the returned token in authorization headers for REST or GraphQL queries:

# Authenticating REST requests using cURL
curl -H "Authorization: Bearer [access_token]" https://liferayx.com/o/headless-delivery/v1.0/sites/20124/structured-contents

Frequently asked questions

What OAuth2 flows does Liferay support?

Liferay DXP 7.4 supports Authorization Code (for web apps), Client Credentials (for backend microservices), and Resource Owner Password Credentials (for trusted legacy systems).

How do we refresh tokens?

Enable refresh tokens in the OAuth2 profile settings. Clients can request fresh access tokens without requiring users to log in again.

Read the full article, with table of contents, comparison table, and author bio →