JavaScript and REST

This page aims to outline how to use JavaScript to communicate with Drupal 8's RESTful services. It is broken into sections per entity type. It outlines which HTTP method to use (GET, POST, PATCH, or DELETE), the Drupal path to use, which Content-type and Accept headers should be set, and what response can be expected from the server.

We can use cookie-based authentication. Any call using POST, PATCH or DELETE needs an X-CSRF-Token header attached to the request, with a token value that can be retrieved from the Drupal site at the path rest/session/token

RESTful best practices for Drupal

The RESTful module achieves a practical RESTful API for Drupal, following best practices.


The following also describes the difference between other modules such as RestWs and Services Entity.

Services Security Updates

This page is used as documentation for Services Security. It's unfortunate that issues come up that affect Services, but running the latest version of Services should help mitigate issues.

If you see an issue and think it is security related please follow the instructions here

Dependency Injection for a Form

Forms that require a Drupal service or a custom service should access the service using dependency injection.

An example form (similar to the form used in Form API in Drupal 8) uses the 'current_user' service to get the uid of the current user. File contents of /modules/example/src/Form/ExampleForm.php if the module is in /modules/example:

GET on content entities

Follow these steps to expose resources to GET requests:

  1. Add the configuration
  2. Set permissions
  3. Test with a GET request


  1. Make sure that REST module is enabled.
  2. Copy all of the files in your active config directory to your staging directory
  3. Make the needed changes to your rest.settings.yml file as shown below
  4. Go to admin/config/development/configuration to sync the configuration
  5. Clear caches
# Example configuration for enabling REST resources.
  # Enable the node resource.
        - json
        - basic_auth
  # Enable the taxonomy term resource.
        - json
        - basic_auth

Setting permissions

Altering existing services, providing dynamic services

There are several advantages of the service container. Since each service is accessed / instantiated using a single string key and has a defined interface, it can be swapped out with a different implementation. To modify existing services, implement a class extending ServiceProviderBase and the alter() method.

For example, define my_module/src/MyModuleServiceProvider.php for a module named my_module:

