Site Settings 

The following settings are configurable per site in the TYPO3 backend under Site Management → Sites → Settings in the TCA_API category.

General 

tca_api.enabled

tca_api.enabled
Type
bool
Default
true

Enable or disable the API for this site. When disabled, the middleware passes all requests through without processing.

tca_api.apiPrefix

tca_api.apiPrefix
Type
string
Default
/_api/

URL path prefix for all API endpoints. Must start and end with a slash. The API is inactive until this is set.

tca_api.defaultItemsPerPage

tca_api.defaultItemsPerPage
Type
int
Default
20

Default number of items returned per page in collection responses. Can be overridden per resource in the resource definition.

tca_api.allowedResources

tca_api.allowedResources
Type
string
Default
(empty — all)

Comma-separated list of resource names to expose on this site. Leave empty to allow all registered resources.

tca_api.debugMode

tca_api.debugMode
Type
bool
Default
false

Return verbose error details in API responses. Disable on production sites.

API specification 

tca_api.openApiExposed

tca_api.openApiExposed
Type
string
Default
PUBLIC

Who may access the OpenAPI JSON spec at {apiPrefix}openapi.json. Allowed values: PUBLIC, FE_USER, BE_USER, BE_ADMIN, NONE.

tca_api.apiSpecTitle

tca_api.apiSpecTitle
Type
string
Default
TCA_API

Title shown in the OpenAPI spec info block and Swagger UI header.

tca_api.apiSpecDescription

tca_api.apiSpecDescription
Type
string
Default
(empty)

Short description shown in the OpenAPI spec info block and Swagger UI.

tca_api.apiSpecVersion

tca_api.apiSpecVersion
Type
string
Default
1.0.0

Version string for the OpenAPI spec info block.

tca_api.swaggerUiEnabled

tca_api.swaggerUiEnabled
Type
string
Default
PUBLIC

Who may access the interactive Swagger UI at {apiPrefix}swagger-ui. Allowed values: PUBLIC, FE_USER, BE_USER, BE_ADMIN, NONE.

CORS 

tca_api.corsEnabled

tca_api.corsEnabled
Type
bool
Default
false

Add CORS headers to API responses.

tca_api.corsOrigin

tca_api.corsOrigin
Type
string
Default
*

Value for the Access-Control-Allow-Origin header. Use * to allow all origins.

tca_api.corsAllowCredentials

tca_api.corsAllowCredentials
Type
bool
Default
false

When enabled, adds Access-Control-Allow-Credentials: true to CORS responses. Required when the frontend sends cookies or Authorization headers with cross-origin requests. Note: browsers reject credentialed requests when corsOrigin is * — set it to the specific origin instead.