REST API

All API routes are prefixed with /v1. Most routes require either an API key (x-inlinecms-key header) or a Bearer token (Authorization header), or both.

Authentication

POST /v1/auth/login

Authenticate a CMS user.

POST /v1/auth/login
Content-Type: application/json

{ "email": "editor@example.com", "password": "..." }

Returns: { data: { user, token, expiresAt }, error: null }

POST /v1/auth/logout

Invalidate the current session.

POST /v1/auth/logout
Authorization: Bearer <token>

GET /v1/auth/me

Get the current authenticated user.

GET /v1/auth/me
Authorization: Bearer <token>

POST /v1/auth/refresh

Rotate the session token.

Content

GET /v1/content/:pageId

Fetch content for a page. Visitors see published entries only. Editors (with auth header) see drafts.

GET /v1/content/%2F
x-inlinecms-key: <api-key>

PATCH /v1/content/:entryId

Update a content entry’s fields and/or status. Requires editor role.

PATCH /v1/content/<entry-id>
Authorization: Bearer <token>
x-inlinecms-key: <api-key>

{ "fields": { "content": "New text" }, "status": "published" }

POST /v1/content/bulk-publish

Publish all draft entries for a page.

POST /v1/content/bulk-publish
Authorization: Bearer <token>
x-inlinecms-key: <api-key>

{ "pageId": "/" }

GET /v1/content/:entryId/history

Get the publish audit trail for a content entry.

Snapshot

GET /v1/snapshot

The project’s published override snapshot — what a build “bakes” in. Returns content grouped by page path, object overrides, a deterministic version hash, and the server bakeEnabled kill-switch. Published-only and read-only. See the Build-Time Hydration guide.

GET /v1/snapshot
x-inlinecms-key: <api-key>

Returns:

{
  "data": {
    "schema": 1,
    "version": "sha256:324ebbfc…",
    "generatedAt": "2026-06-05T21:46:37.497Z",
    "content": { "/": [ { "instanceKey": "hero-title", "fields": { "content": "…" }, … } ] },
    "objectFields": [],
    "objectCollections": [],
    "objectTypes": [],
    "bakeEnabled": true
  },
  "error": null
}

Definitions

POST /v1/definitions/sync

Called by the SDK on mount. Registers component schemas and creates stub content entries.

POST /v1/definitions/sync
x-inlinecms-key: <api-key>

{
  "pageId": "/",
  "components": [
    { "componentId": "__inline_abc123", "instanceKey": "abc123", "fields": [{ "key": "content", "type": "text" }] }
  ]
}

GET /v1/definitions/:pageId

Get component schemas for a page (used by the dashboard).

Projects

POST /v1/projects

Create a new project with its first admin user. No auth required (onboarding).

POST /v1/projects
Content-Type: application/json

{
  "name": "My Site",
  "admin": { "email": "admin@example.com", "password": "secure-password" }
}

Returns: { data: { project: { id, apiKey, ... }, admin: { id, email, role } } }

GET /v1/projects/:id

Get project details. Requires auth.

PATCH /v1/projects/:id

Update project settings (name, domains, CDN URL, deploy hooks). Requires admin role.

PATCH /v1/projects/<id>
Authorization: Bearer <token>

{
  "deployHooks": [
    { "id": "prod", "type": "generic", "url": "https://api.netlify.com/build_hooks/abc" },
    { "id": "gh", "type": "github", "url": "https://api.github.com/repos/me/site/dispatches", "secret": "ghp_…" }
  ]
}

deployHooks fire a rebuild on every publish (debounced) — see Build-Time Hydration → deploy triggers. A hook’s secret is write-only: responses include hasSecret but never the value.

POST /v1/projects/:id/rotate-key

Generate a new API key. Invalidates the old one. Requires admin role.

Users

GET /v1/users

List all CMS users in the project.

POST /v1/users

Create a new CMS user. Requires admin role.

PATCH /v1/users/:id

Update a user’s name or role. Requires admin role.

DELETE /v1/users/:id

Remove a CMS user. Requires admin role.

Media

POST /v1/media/upload

Upload an image. Multipart form data with a file field.

GET /v1/media

List all uploaded media for the project.

DELETE /v1/media/:id

Delete an uploaded file.

Health

GET /health

Returns { status: "ok", version: "0.1.0" }.