Building Applications for Headless Sitefinity

Working with Sitefinity WebServices is easy and convenient, whether you wish to build applications using the headless features of Sitefinity through Windows Apps (UWP, WPF or the new Project Reunion from Microsoft), external web sites using Angular, React or Vue, Xamarin Mobile apps, NativeScript apps, Objective C, Swift and more.

It is a much less verbose API than the WCF one still currently available in the product and used in the old backend UX.

But before you go ahead and try the OData-based REST API on a website or a mobile app, you might want to take it for a quick ride around the block. Many tools let you test REST API calls, including Fiddler, SoapUI, PostMan and others.

In this blog, we will take a look at what it takes to get PostMan to work with the Sitefinity OData-based REST API.

First, you might want to download the free PostMan app.

Then, we will need to set the Authentication in Sitefinity, here’s how:

- Head on over to the backend of your Sitefinity instance and choose Administration >> Settings >> Advanced >> Authentication.

- Expand the "SecurityTokenService" node and the "IdentityServer" node.

- Under "Clients", create a new client and call it whatever you want. In my case here, I called it "linoapp".

- Set the ClientID, enable it, and pick "ResourceOwner" for the Client Flow.

For now, set the "Allow access to all scopes" to true. (You can tighten this up later on for production).

settings and clients

Nothing else needs to change for the rest of the configuration items on that page. Save the changes.

Expand the newly created node for "linoapp" and set the "client secret" to whatever you would like. I chose "secretmagic" as my secret value.

client secrets

Now let's head to PostMan and try to invoke an API to retrieve all the NewsItems in the Sitefinity instance.

sitefinity api testing

Unfortunately, you will get an error message stating "The current user is not allowed access" when you issue a GET command with the URL "http://<your site>/api/default/newsitems", as you can see above.

The reason is that Web Services are accessible by administrators only by default. You can change that in the backend to allow everyone access, or just authenticated users if you wish.

So first, let's fix the problem the easy way: head to the backend and change the accessibility to "Everyone".

who can access the document

Now if we go back to PostMan and execute the GET command again as is, we will get all News Items in Sitefinity back in JSON format.



To test it with authentication, let's change it back to "Administrators Only" or "Authenticated Users." Now we have to request a TOKEN from Sitefinity first to establish an authorization mechanism.

To do that in PostMan, issue a POST command first to the following URL http://<yoursite>/Sitefinity/Authenticate/OpenID/Connect/Token passing in the following keys:


- username
- password
- grant_type
- scope




post command

You will get a response that includes the Access Token value, an expiry of 3600 seconds, and the token type "Bearer."

So now if I want to issue a GET on the NewsItems that is protected by Administrators only or authenticated Users only, I would go back to the GET command in PostMan and issue the command. However, this time I will need to pass the Access Token in the header with the "Bearer" string before it, as you can see in the image below.



Executing this GET with the authorization Token within 1 hour of issuance returns the entire JSON packet of all NewsItems.
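The same two-step exchange in code, as an added example that is not part of the original post: it builds the token POST and the Bearer-authenticated GET and tracks the token's expiry. The function names are hypothetical, `client_id` and `client_secret` are the standard OAuth2 parameter names for the client created above (the key list above does not show them), and the HTTPS check is an addition made here because the password and client secret travel in the request body.

```javascript
// Added example, not code from the original post. Host, user and scope are supplied by the caller.
const TOKEN_PATH = "/Sitefinity/Authenticate/OpenID/Connect/Token"; // from the post
const NEWS_PATH = "/api/default/newsitems";                          // from the post

// Build the form-encoded POST for the resource-owner password grant.
function buildTokenRequest(baseUrl, creds) {
  const url = new URL(TOKEN_PATH, baseUrl);
  // The password and client secret are sent in the body, so refuse plain
  // HTTP except against a local test instance (assumption of this example).
  if (url.protocol !== "https:" && url.hostname !== "localhost") {
    throw new Error("token endpoint must use https");
  }
  const body = new URLSearchParams({
    grant_type: "password",             // standard OAuth2 value for this flow
    username: creds.username,
    password: creds.password,
    scope: creds.scope,                 // use a scope your client is allowed
    client_id: creds.clientId,          // the client created in the backend
    client_secret: creds.clientSecret,  // load from a secret store, not source
  });
  return { url: url.href, method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString() };            // URLSearchParams percent-encodes values
}

// Turn the token response into a record with an absolute expiry time.
function parseTokenResponse(json, nowMs = Date.now()) {
  if (!json.access_token || String(json.token_type).toLowerCase() !== "bearer") {
    throw new Error("unexpected token response");
  }
  return { accessToken: json.access_token, expiresAt: nowMs + json.expires_in * 1000 };
}

// Build the GET for NewsItems; fail locally if the token has already expired.
function buildNewsRequest(baseUrl, token, nowMs = Date.now()) {
  if (nowMs >= token.expiresAt) throw new Error("token expired, request a new one");
  return { url: new URL(NEWS_PATH, baseUrl).href, method: "GET",
    headers: { Authorization: `Bearer ${token.accessToken}` } };
}

// Network wrapper (Node 18+ global fetch); nothing is sent until it is called.
async function getNewsItems(baseUrl, creds) {
  const t = buildTokenRequest(baseUrl, creds);
  const token = parseTokenResponse(await (await fetch(t.url, t)).json());
  const n = buildNewsRequest(baseUrl, token);
  return (await fetch(n.url, n)).json();
}
```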

I hope this post helps you get started with testing your Sitefinity REST APIs. Now you can take this info and use it on web sites using JavaScript, Windows apps using C# or VB, or mobile apps using Swift, Java or Objective C.

Happy Coding!
