Keys Functions

Const getManagementToken

  • getManagementToken(privateKey: string, opts: GetManagementTokenOptions): Promise<string>
  • Returns a Contentful Management API token from a private key. Management tokens are cached internally until they expire. Pass reuseToken: false in the options for getManagementToken to disable this feature.

    NodeJS Contentful Apps need a management token to interact with Contentful's APIs. Creating a management token requires a key pair to be registered for the app; follow this link for more information on key pairs.

    Once a key pair is registered the getManagementToken function can be used to generate a valid token.

    const {getManagementToken} = require('@contentful/node-apps-toolkit')

    // PRIVATE_KEY is the private half of the key pair registered for the app
    getManagementToken(PRIVATE_KEY, {appId, spaceId, environmentId})
       .then((token) => {
         console.log('Here is your token')
       })


    • privateKey: string
    • opts: GetManagementTokenOptions

    Returns Promise<string>

Requests Functions

Const signRequest

  • signRequest(rawSecret: Secret, rawCanonicalRequest: CanonicalRequest, rawTimestamp?: Timestamp): SignedRequestHeaders
  • Given a secret, a canonical request and a timestamp, generates a signature. It can be used to verify canonical requests to assess authenticity of the sender and integrity of the payload.

    const {signRequest, ContentfulHeader} = require('@contentful/node-apps-toolkit')
    const {pick} = require('lodash')
    const {server} = require('./imaginary-server')

    const SECRET = process.env.SECRET

    server.post('/api/my-resources', (req, res) => {
      const incomingSignature = req.headers['x-contentful-signature']
      const incomingTimestamp = Number.parseInt(req.headers['x-contentful-timestamp'], 10)
      const incomingSignedHeaders = req.headers['x-contentful-signed-headers']
      const now = Date.now()

      if (!incomingSignature) {
        return res.send(400, 'Missing signature')
      }
      // Reject stale requests before doing any signature work
      if (now - incomingTimestamp > 1000) {
        return res.send(408, 'Request too old')
      }

      const signedHeaders = incomingSignedHeaders.split(',')
      // Recompute the signature over the same fields, using the sender's timestamp
      const {[ContentfulHeader.Signature]: computedSignature} = signRequest(
        SECRET,
        {
          method: req.method,
          path: req.url,
          headers: pick(req.headers, signedHeaders),
          body: JSON.stringify(req.body)
        },
        incomingTimestamp
      )

      if (computedSignature !== incomingSignature) {
        return res.send(403, 'Invalid signature')
      }
      // rest of the code
    })


    • rawSecret: Secret
    • rawCanonicalRequest: CanonicalRequest
    • rawTimestamp: Timestamp (default value: Date.now())

    Returns SignedRequestHeaders

Const verifyRequest

  • verifyRequest(rawSecret: Secret, rawCanonicalRequest: CanonicalRequest, rawTimeToLive?: TimeToLive): boolean
  • Given a secret, verifies a CanonicalRequest. Throws when the signature is older than rawTimeToLive seconds. Pass rawTimeToLive = 0 to disable TTL checks.

    const { verifyRequest } = require('@contentful/node-apps-toolkit')
    const { server } = require('./imaginary-server')
    const { makeCanonicalRequestFromImaginaryServerRequest } = require('./imaginary-utils')

    const SECRET = process.env.SECRET
    const REQUEST_TTL = Number.parseInt(process.env.REQUEST_TTL, 10)

    server.post('/api/my-resources', (req, res) => {
      const canonicalRequest = makeCanonicalRequestFromImaginaryServerRequest(req)

      try {
        const isVerifiedRequest = verifyRequest(SECRET, canonicalRequest, REQUEST_TTL)

        if (!isVerifiedRequest) {
          return res.send(403, 'Invalid signature')
        }
      } catch (_error) {
        // verifyRequest throws when the signature is older than REQUEST_TTL seconds
        return res.send(422, 'Unable to verify request')
      }

      // Rest of the code
    })


    • rawSecret: Secret
    • rawCanonicalRequest: CanonicalRequest
    • rawTimeToLive: TimeToLive (default value: 30)

    Returns boolean
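
The checks a receiver has to make when verifying a signed request with a TTL, as described for signRequest and verifyRequest above. This is an added, self-contained example, not the toolkit's code: the canonical string layout, the hex HMAC-SHA256 signature and the names canonicalize, sign and verify are assumptions for illustration and do not reproduce the toolkit's wire format.

```javascript
const crypto = require('crypto')

// Assumed canonical form for this sketch only; the toolkit defines its own.
function canonicalize({ method, path, headers, body }, signedHeaders, timestamp) {
  const headerLines = signedHeaders
    .map((name) => name.toLowerCase())
    .sort()
    .map((name) => `${name}:${String(headers[name] ?? '').trim()}`)
  // The timestamp is part of the MAC input, so it cannot be swapped after signing.
  return [method.toUpperCase(), path, headerLines.join(';'), String(timestamp), body ?? ''].join('\n')
}

function sign(secret, request, signedHeaders, timestamp) {
  return crypto
    .createHmac('sha256', secret)
    .update(canonicalize(request, signedHeaders, timestamp))
    .digest('hex')
}

// Returns 'ok', 'bad-timestamp', 'expired' or 'invalid-signature'.
// ttlSeconds = 0 disables the age check, mirroring rawTimeToLive = 0.
function verify(secret, request, { signature, signedHeaders, timestamp }, ttlSeconds, now = Date.now()) {
  if (!Number.isSafeInteger(timestamp)) return 'bad-timestamp'
  if (ttlSeconds !== 0 && now - timestamp > ttlSeconds * 1000) return 'expired'
  const expected = Buffer.from(sign(secret, request, signedHeaders, timestamp), 'hex')
  const received = Buffer.from(String(signature), 'hex')
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return 'invalid-signature'
  return crypto.timingSafeEqual(received, expected) ? 'ok' : 'invalid-signature'
}

// Constructed sample data (not real credentials or traffic).
const DEMO_SECRET = 'constructed-demo-secret'
const T0 = 1700000000000
const demoRequest = {
  method: 'POST',
  path: '/api/my-resources',
  headers: { 'content-type': 'application/json', 'x-demo-id': '42' },
  body: '{"name":"a"}'
}
const demoMeta = {
  signature: sign(DEMO_SECRET, demoRequest, ['content-type'], T0),
  signedHeaders: ['content-type'],
  timestamp: T0
}

console.log(verify(DEMO_SECRET, demoRequest, demoMeta, 30, T0 + 5000))
console.log(verify(DEMO_SECRET, { ...demoRequest, body: '{"name":"b"}' }, demoMeta, 30, T0 + 5000))
console.log(verify(DEMO_SECRET, demoRequest, demoMeta, 30, T0 + 31000))
```

Headers that are not named in the signed-headers list are outside the MAC, so a handler should only rely on header values that were signed.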
