Road of JSON:API to Drupal 8 

  • Articles
  • November 26 2019
  • 3 min read
a zoomed image of a screen with codes in multiple colours


As an encoding scheme, JSON (JavaScript Object Notation) is designed to eliminate the need for an ad-hoc code that communicates with servers. It aims to improve the efficiency of the friction of requests that takes place between the clients and the servers. 

“The recent JSON:API 2.0 stable release on January 7th, 2019 marked the start of the module's move to Drupal core.”

How a client should request the resources to be fetched and how a server should respond to the requests is what the entity based JSON:API dictates. However, it does not take care of business tasks like registering a new account, logging in a user, or requesting a new password. 

Let’s decode the journey of JSON:API with Drupal in this blog!

an office setting

The Journey With Drupal

In 2015, Drupal 8 came with a REST API as an initial step towards API-first Drupal future, which improved with subsequent releases during the course of time. And a result, API-first Drupal Initiative led to the following ecosystem of project. Some of them are:

  • Contributed Modules: GraphQL, Simple OAuth, Open API, Consumers, RELAXed Web Services, Subrequests, etc.
  • Decoupled Distributions: Contenta CMS, Reservoir, and Headless Lightning

Out of these, JSON:API contributed module made its way to Drupal core!

Essentially created and maintained by Mateu Aguiló Bosch (e0ipso), the module was applauded by Dries Buytaert and he recommended the contributed module for Drupal 8 core in 2017. He sought Wim Leers and Gabe Sullice’s help in getting the module ready for it. 

28 months, 450 commits, 32 releases, and more than 5,500 test runs later, the JSON:API was committed to Drupal 8.7 branch. 

Important: The contributed module will be discontinued soon as the users of the JSON:API 8.x-2.x contributed module on Drupal 8.5 or 8.6 can now update to Drupal 8.7 without any hassles, according to Wim Leers. 

How JSON:API Module Works

JSON:API enables a great authoring experience by making the Drupal entities (blog posts, users, comments and more) available via a web service API. It generated URLs to access the entity types and bundles using HTTP methods. It facilitates and empowers you to: 

  • Fetch the selected entity fields only (for example, blog titles)
  • Include relationships (for example, blog authors) and avoid additional requests
  • Filter and sort the resource collections
  • Do the pagination of the resource collections

Here’s a JSON:API demo shared by Dries:


While many go forward with Core's REST module which allows for extreme configurability, JSON:API is a module that focuses on exposing Drupal's biggest strength - entities/data modeling only. REST is a complex and fragile module to handle and can be a task to work with for many. 

Relatively powerful for most use cases, JSON:API let you keep your process clarified. Internet giants like Google, Twitter, and Facebook work with JSON for it is self-descriptive, easy to understand and simple.

The Best Implementation in Existence

With the best of characteristics, the JSON:API module for Drupal and its implementation support the following features:

  • 1.0 specification out-of-the-box. 
  • Every Drupal entity (a resource object in JSON: API terminology) is automatically available through JSON:API. 
  • Existing access controls for both reading and writing are respected. 
  • Both translations and revisions of entities are made available. 
  • Querying entities (filtering resource collections in JSON:API terminology) is possible without any configuration (e.g. setting up a "Drupal View")

Given the Drupal’s decade-old Entity API, Field API, Access APIs, and the incredibly robust foundation, the data can be available via web service APIs. 

JSON:API related Modules

#1 The Key auth module which provides simple key-based authentication utilizes JSON:API as it requires no additional configuration and it becomes ideal for sites that expose consumer-facing APIs.  

#2 Using the normal Drupal database update system, the Lightning API allows for easy ingestion of content by other applications by providing a standard API with authentication and authorization. It utilizes JSON:API and OAuth2 standards via the JSON:API and Simple OAuth modules.

#3 You can also use JSON:API Extras to customize your API generated by the JSON:API module. You can override and grant limited configurations to the default zero-configuration implementation provided by the JSON:API module. The Extras module enables and disable resources, enhances field output and overwrites the path and name of a resource. 

JSON:API Security Considerations

The JSON:API has a quick resolve time for the security vulnerabilities of the stable modules on However, custom modules or non-stable contributed modules are at their own risk. Therefore, consider these security checks: 

  • When JSON:API's writing capabilities are enabled, make sure to audit Entity Access & Field Access on a Drupal site. 
  • You can disable specific resource types via a PHP API that you can implement in a custom module, or you use the JSON:API Extras contrib module, which provides a UI for disabled resource types and fields. 
  • You can enable JSOn:API’s read-only mode for mitigating the risks from hypothetical, as-yet-unknown bugs in preexisting validation constraints and write logic.
  • In order to reduce the effectiveness of automated attacks, you can change the base path for JSON:API.


JSON:API cannot perform actions that can be “CRUD”. It falls short in registering a new account, logging in or requesting a new password. These are not a part of JSON:API abilities. 


With the rise of web-based APIs, this data-interchange format is a better alternative than XML.  However, we can only wait for time to unveil what’s in store for JSON:API in 2020. 

Share your thoughts with us at [email protected]

Also, connect with us on our social media channels: FacebookLinkedIn, and Twitter for more such insights. 


Become our reader!

Get hand picked blogs directly in your inbox.
The subscriber's email address.