Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Rest API Role Restrict

1 sites No security coverage
View on drupal.org

This module restricts access to Drupal's REST API, allowing only users with specific roles to access it. Site administrators can configure these allowed roles through a user interface.

REST Role Restrict provides a simple but powerful solution for controlling access to Drupal's REST API. It restricts all API access to only users with specific roles that site administrators can configure via a UI.

Installation

  1. Download the module with Composer.

  2. Enable the module.

    Use the Admin UI to enable the module.

  3. Ensure dependencies are enabled.

    These core modules must be active for REST to function:
    • rest
    • serialization
    • user

Post-Installation

  1. Go to the configuration page.

    Navigate to Configuration → Web Services → REST Role Restrict or go directly to:

    /admin/config/services/rest-role-restrict

  2. Select allowed roles.

    Use the checkboxes to choose which user roles should be granted access to Drupal’s REST API.

  3. Save the configuration.

    The settings will apply globally to all REST API requests.

  4. Control access to the settings page.

    Only users with the administer rest role restrict permission can configure which roles have API access.

  5. Disallowed users receive a structured error.

    When a user without an allowed role makes a REST API request, they will receive a JSON response like this:
    {
      "message": "Access to the REST API is restricted to specific roles. Contact your site administrator."
    }

Supporting this Module

If this module saves you time or adds value to your project, you can show your support in two ways:

  • Buy me a coffee to say thanks:
    https://buymeacoffee.com/tylerhastain
  • Want to contribute or sponsor development?
    Reach out directly if you're interested in helping improve or maintain the module — contributions, ideas, and support are always welcome!

Activity

Total releases
4
First release
Jun 2025
Latest release
11 months ago
Releases (12 mo)
2
Maintenance
Slowing

Release Timeline

Releases

Version Type Release date
1.2.0 Stable Jul 21, 2025
1.1.1 Stable Jul 18, 2025
1.0.1 Stable Jun 24, 2025
1.0.0 Stable Jun 20, 2025