Headless access to content, lists, and entry references.
API keys
- Go to System → API keys.
- Create a key with appropriate scopes (
read,read_drafts, write scopes as needed). - Send the key in the header documented in your deployment (typically an Authorization or X-API-Key header).
REST overview
JSON endpoints expose entries, pages, content lists, and related data for mobile or JavaScript frontends.
Content entries
GET /api/v1/content-types/{typeSlug}/entries
GET /api/v1/content-types/{typeSlug}/entries/{entrySlug}Entry detail includes custom fields. entry_refs fields expand to referenced_entries with title, slug, public_url, is_public.
Content lists
GET /api/v1/content-lists/{slug}?page=1Requires read scope. Draft statuses in list config need read_drafts unless list is published-only.
GraphQL
Query structured content with the bundled GraphQL server when enabled. Use filter api.entry.response to enrich payloads from plugins.
Filtering API responses
$context->addFilter(FilterHook::API_ENTRY_RESPONSE, function (array $payload, array $ctx): array {
$payload['custom_flag'] = true;
return $payload;
}, 10);Mobile bootstrap
Mobile companion apps may use the mobile bootstrap API endpoint (see docs/mobile.md). Filter hook: FilterHook::MOBILE_BOOTSTRAP.
Security checklist
- Never expose write keys in browser JavaScript
- Rotate keys after team member departure
- Use read-only scopes for public static site generators
- Rate-limit at reverse proxy when exposing publicly
Troubleshooting
- 401/403 — Missing key or insufficient scope.
- Empty referenced_entries — Targets draft or deleted; check entry_refs field value.