API Protection
You can protect both /llms.txt and the .md suffix endpoints with
an API key. This is useful when you want to:
- Restrict access to your own chatbots or RAG systems
- Prevent external scraping of structured content
- Control who can access your LLM-optimized content
Setting Up API Protection
- Go to Site Management > Settings in the TYPO3 Backend.
- Find the LLMs-Text category.
- Enter your API key in the API Key for Format Access field.
- Save and clear all caches.
Tip
Generate a secure API key with:
php -r "echo bin2hex(random_bytes(32)) . PHP_EOL;"
Copied!
Or in DDEV:
ddev exec php -r "echo bin2hex(random_bytes(32)) . PHP_EOL;"
Copied!
Authenticating Requests
Pass the API key via HTTP header (recommended):
# Access llms.txt
curl -H "X-LLM-API-Key: your-secret-key" https://example.com/llms.txt
# Access page as Markdown
curl -H "X-LLM-API-Key: your-secret-key" https://example.com/about.md
Copied!
Or via query parameter:
https://example.com/llms.txt?api_key=your-secret-key
https://example.com/about.md?api_key=your-secret-key
Copied!
Warning
Using query parameters exposes the API key in server logs and browser history. Prefer the HTTP header method for production use.
Error Response
Invalid or missing API key returns HTTP 401 Unauthorized with a JSON body:
{
"error": "Unauthorized",
"message": "Valid API key required. Provide via X-LLM-API-Key header or api_key query parameter."
}
Copied!
Integration Examples
n8n Integration
In n8n HTTP Request node, add the header:
| Name | Value |
|---|---|
X-LLM-API-Key | your-secret-key |
Python Integration
import requests
headers = {
"X-LLM-API-Key": "your-secret-key"
}
# Get llms.txt
response = requests.get("https://example.com/llms.txt", headers=headers)
print(response.text)
# Get page as Markdown
response = requests.get("https://example.com/about.md", headers=headers)
print(response.text)
Copied!
JavaScript/Node.js Integration
const response = await fetch("https://example.com/llms.txt", {
headers: {
"X-LLM-API-Key": "your-secret-key"
}
});
const content = await response.text();
console.log(content);
Copied!
cURL Integration
# Store API key in environment variable
export LLM_API_KEY="your-secret-key"
# Access llms.txt
curl -H "X-LLM-API-Key: $LLM_API_KEY" https://example.com/llms.txt
# Access multiple pages
for page in about services contact; do
curl -H "X-LLM-API-Key: $LLM_API_KEY" "https://example.com/${page}.md" > "${page}.md"
done
Copied!
Behavior When Enabled
When API key protection is enabled:
- llms.txt requires authentication
- All .md endpoints require authentication
- The HTML header link (
<link rel="alternate">) is automatically hidden - The llms.txt file includes authentication instructions
Disabling API Protection
To make endpoints publicly accessible again:
- Go to Site Management > Settings
- Clear the API Key for Format Access field
- Save and clear all caches
The header link will automatically reappear and endpoints will be publicly accessible.