Authentication
Two surfaces, two auth shapes:
- Read API. Public reads use a workspace-scoped public key in the URL. Authenticated reads (drafts, scheduled-but-unpublished) use a Bearer token.
- Write API. Bearer token only. Tokens are workspace-scoped and role-scoped.
REST shape
Read a published piece
GET /v1/sites/{site_id}/pieces/{slug}
Authorization: Bearer ${TOKEN} // optional for public reads
200 OK
{
"type": "blog-post",
"slug": "edge-native-cms",
"title": "Why edge-native CMS",
"lede": "...",
"body_html": "...",
"publish_at": "2026-04-22T13:00:00Z",
"byline": "Author Name",
"tags": ["cms", "edge"]
}List pieces
GET /v1/sites/{site_id}/pieces?type=blog-post&limit=20
200 OK
{
"items": [...],
"next_cursor": "..."
}Create a draft (write)
POST /v1/sites/{site_id}/pieces
Authorization: Bearer ${TOKEN}
Content-Type: application/json
{
"type": "blog-post",
"title": "Draft title",
"body_md": "..."
}
201 Created
{ "id": "p_...", "status": "draft" }GraphQL shape
Same data model, idiomatic GraphQL surface. Endpoint: POST /v1/sites/{site_id}/graphql.
query Recent {
pieces(type: BLOG_POST, limit: 5) {
items { slug title lede publishAt }
nextCursor
}
}Webhook subscriptions
Subscribe to content events to drive your own workflows downstream:
content.draft.savedcontent.review.requestedcontent.review.approvedcontent.scheduledcontent.publishedcontent.unpublished
Configure in Settings → Webhooks. Each delivery includes an HMAC signature over the body using your subscription secret.
Rate limits
Read API: generous; designed for edge consumption from a real frontend. Write API: 60 requests per minute per token by default; raise on request.
SDKs
SDKs are {{TBD-sdks}}. The REST shape is stable and easy to consume directly in any language.