REST UI
Provides a user interface to manage REST resources in Drupal.
restui
Install
composer require 'drupal/restui:8.x-1.22'
composer require 'drupal/restui:8.x-1.21'
Overview
REST UI is an administrative interface module that allows site administrators to manage REST resources provided by Drupal core's REST module. Without this module, REST resources must be configured through YAML configuration files or Drush commands.
The module provides a centralized administration page where administrators can view all available REST resources, enable or disable them, and configure their settings including supported HTTP methods, accepted request formats (JSON, XML, etc.), and authentication providers (cookie, basic_auth, OAuth, etc.).
REST UI supports two configuration granularities: resource-level (applying the same formats and authentication to all methods) and method-level (configuring each HTTP method separately). This flexibility allows fine-grained control over how REST resources are exposed to API consumers.
Features
- Lists all available REST resources in Drupal organized by enabled/disabled status
- Enable and disable REST resources through a point-and-click interface
- Configure supported HTTP methods (GET, POST, PUT, PATCH, DELETE) for each resource
- Configure accepted request formats (JSON, XML, HAL+JSON, etc.) per resource or per method
- Configure authentication providers (cookie, basic_auth, OAuth, etc.) per resource or per method
- Two configuration granularity options: resource-level or method-level configuration
- Shows resource paths and available methods at a glance
- Displays current configuration for enabled resources (methods, formats, authentication)
- Quick links to related permissions configuration
- Visual indication of disabled methods within enabled resources using strikethrough formatting
Use Cases
Setting up a headless Drupal installation
When building a decoupled or headless Drupal site where the frontend is built with React, Vue, Angular, or another JavaScript framework, REST UI provides an easy way to enable and configure the REST resources needed to expose content. Enable the entity:node resource with GET method, JSON format, and appropriate authentication to allow the frontend to fetch content.
Building a mobile application backend
For mobile apps that need to read and write content to Drupal, use REST UI to enable entity resources with full CRUD operations (GET, POST, PATCH, DELETE). Configure appropriate authentication (basic_auth for development, OAuth for production) and formats (JSON for most mobile frameworks).
Enabling specific API endpoints for third-party integrations
When integrating with external services that need access to specific Drupal data, use REST UI to selectively enable only the required resources. For example, enable entity:user resource with only GET method for a directory service, or entity:taxonomy_term for a tagging service.
Configuring different authentication per method
Use method-level granularity when you need different security configurations per operation. For example, allow anonymous GET requests with cookie authentication for public content reading, but require OAuth authentication for POST/PATCH/DELETE operations that modify content.
Testing REST API during development
During development, REST UI provides a quick way to enable/disable resources and change configurations without editing YAML files. Developers can easily test different format and authentication combinations through the UI before finalizing the configuration for deployment.
Managing REST resources across environments
While REST UI is primarily a configuration interface, the configurations it creates are stored as config entities (rest.resource.* configuration) that can be exported and deployed across environments using Drupal's configuration management system. This allows initial setup via UI and consistent deployment via config sync.
Tips
- Resource-level granularity is recommended for most use cases as it's simpler to manage and aligns with RESTful best practices
- When enabling authentication providers, ensure the corresponding authentication module is installed and configured (e.g., basic_auth module for HTTP Basic Authentication)
- Config entity resources (like Views, Content Types, etc.) only support GET operations and are displayed as read-only in the interface
- After changing REST resource configuration, clear the cache to ensure routes are rebuilt
- Use the Permissions link to quickly configure which roles can access specific REST resources
- The module requires at least one method, one format, and one authentication provider to be selected when saving a resource configuration
- For production sites, prefer cookie authentication for browser-based clients and OAuth or JWT for machine-to-machine communication
Technical Details
Admin Pages
/admin/config/services/rest
Main administration page for viewing and managing all REST resources. Displays two sections: Enabled and Disabled resources. Each resource shows its name, URI path(s), supported HTTP methods, and current configuration. Enabled resources display their configured methods, formats, and authentication providers. Resources for config entities are marked as read-only since they only support GET operations.
/admin/config/services/rest/resource/{resource_id}/edit
Configuration form for enabling and configuring a specific REST resource. Allows selection of granularity (resource or method level) and configuration of HTTP methods, request formats, and authentication providers.
Permissions
Hooks
hook_help
Provides contextual help text for REST UI pages explaining the purpose of each administrative page.
Troubleshooting
Ensure that modules providing REST resource plugins are installed. Core modules like Node, User, Comment, etc., each provide their own entity REST resources when the REST module is enabled.
Clear the Drupal cache after making changes to REST resource configurations. The REST module caches route definitions that need to be rebuilt.
Ensure the authentication provider module is installed and enabled. For example, the basic_auth option requires the Basic Auth module to be enabled.
Ensure the serialization format module is installed. Additional formats beyond JSON require modules like HAL (for hal_json) or custom serialization modules.
Check that the user role has the necessary permissions for the REST resource. Visit the Permissions page (linked from REST UI) and ensure roles have 'Access GET on [resource] resource' and similar permissions.
Config entity resources (like Views, Block types, etc.) are read-only in the REST API due to core limitations. These resources only support GET operations as indicated by the '(read-only)' label in REST UI.
Security Notes
- Always use HTTPS in production when enabling REST resources, especially with basic_auth, which transmits credentials in request headers
- Carefully review which authentication providers to enable - cookie authentication may expose resources to CSRF attacks if not properly configured
- The 'administer rest resources' permission is powerful and should only be granted to trusted administrator roles
- Consider using method-level granularity to apply stricter authentication to write operations (POST, PATCH, DELETE) while allowing more permissive access to read operations (GET)
- Regularly audit enabled REST resources to ensure only necessary endpoints are exposed
- When using basic_auth, ensure the Basic Auth module is properly configured and consider rate limiting to prevent brute force attacks
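The audit and the method-level advice above can be combined into one check over exported rest.resource.* configuration. The following is an added example, not code from the REST UI module. It assumes each exported config has already been parsed into a dict, that the sample values are constructed, and that "oauth2" is the ID of the OAuth provider on the site (the allow-list is a parameter).

```python
# Added example: flags write methods reachable through weakly trusted auth providers.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def method_auth(config):
    """Map each enabled HTTP method to its auth providers, for both granularities."""
    conf = config.get("configuration", {})
    if config.get("granularity") == "resource":
        # Resource level: one provider list is shared by every enabled method.
        return {m: list(conf.get("authentication", [])) for m in conf.get("methods", [])}
    # Method level: each method carries its own supported_auth list.
    return {m: list(s.get("supported_auth", [])) for m, s in conf.items()}


def audit(config, write_auth_allowed=("oauth2",)):
    """Return one finding per write method that accepts a provider outside the allow-list."""
    if not config.get("status", True):
        return []  # a disabled resource is not audited
    findings = []
    for method, providers in sorted(method_auth(config).items()):
        if method in WRITE_METHODS:
            weak = sorted(set(providers) - set(write_auth_allowed))
            if weak:
                findings.append(f"{config['id']}: {method} accepts {', '.join(weak)}")
    return findings


# Constructed sample: resource-level granularity, same auth for reads and writes.
RESOURCE_LEVEL = {
    "id": "entity.node", "plugin_id": "entity:node", "status": True,
    "granularity": "resource",
    "configuration": {"methods": ["GET", "POST", "PATCH", "DELETE"],
                      "formats": ["json"],
                      "authentication": ["cookie", "basic_auth"]},
}
# Constructed sample: method-level granularity, stricter auth on the write method.
METHOD_LEVEL = {
    "id": "entity.node", "plugin_id": "entity:node", "status": True,
    "granularity": "method",
    "configuration": {
        "GET": {"supported_formats": ["json"], "supported_auth": ["cookie"]},
        "PATCH": {"supported_formats": ["json"], "supported_auth": ["oauth2"]},
    },
}

if __name__ == "__main__":
    for cfg in (RESOURCE_LEVEL, METHOD_LEVEL):
        print("\n".join(audit(cfg)) or f"{cfg['id']} ({cfg['granularity']}): no findings")
```

The resource-level sample produces one finding per write method, while the method-level sample passes because its only write method is limited to the allow-listed provider.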