Skip to content
Jetrepo
Esc
navigateopen⌘Jpreview
On this page

Endpoints and auth

Choose a delivery endpoint and the correct delivery, preview, or agent credential.

Delivery endpoints are read-only and use either a Backend-scoped delivery key or a Preview Bearer. Management MCP uses a separate agent or delegated credential.

Endpoint map

Method and path Credential Purpose
POST /graphql Delivery key or Preview Bearer Generated GraphQL delivery
GET /rest/{typeKey} Delivery key or Preview Bearer List Content or Assets
GET /rest/{typeKey}/{id} Delivery key or Preview Bearer Read one record
GET /rest/taxonomy/{vocabularyKey} Delivery key or Preview Bearer List Terms
GET /rest/taxonomy/{vocabularyKey}/{id} Delivery key or Preview Bearer Read one Term
GET /openapi.json Delivery key or Preview Bearer Generated OpenAPI 3.1
GET /docs Delivery key or Preview Bearer REST API browser
POST /preview/sessions/exchange One-time bootstrap code Create a Preview Bearer
POST /agent/mcp Agent key, Agent Auth, or OAuth Management MCP

Delivery keys

A key has either delivery.readPublished or delivery.readPreview. Each permission accepts Backend scope only; Data Type, locale, and Vocabulary selectors do not apply to delivery keys.

Send the key as x-api-key. x-backend-id wins when present. Without that header, Jetrepo can infer a Backend only when the key’s Backend selector is SELECTED with exactly one ID.

curl https://delivery.example.com/rest/article \
  -H 'x-api-key: YOUR_DELIVERY_KEY' \
  -H 'x-backend-id: BACKEND_ID'

Use x-backend-id only when the key does not select exactly one Backend.

Preview Bearers

Exchange a single-use code without an authentication header:

curl https://delivery.example.com/preview/sessions/exchange \
  -H 'content-type: application/json' \
  --data '{"bootstrapCode":"jp_boot_REPLACE_ME"}'

Then send the returned token to GraphQL or REST:

curl https://delivery.example.com/rest/article \
  -H 'authorization: Bearer jp_prev_REPLACE_ME'

A Preview session captures and rechecks the human actor’s live content, Release, locale, and Vocabulary authorization. Never send x-api-key and a Preview Bearer together.

Error boundaries

  • Missing or invalid delivery key: 401.
  • No resolvable Backend or Backend outside the key scope: 403.
  • Delivery key plus Preview Bearer: 400 with AMBIGUOUS_CREDENTIALS in GraphQL.
  • The Delivery API does not install browser CORS middleware; call it from server-side code.
  • Agent keys are accepted only by Management MCP.

Was this page helpful?