Endpoints and auth
Choose a delivery endpoint and the correct delivery, preview, or agent credential.
Delivery endpoints are read-only and use either a Backend-scoped delivery key or a Preview Bearer. Management MCP uses a separate agent or delegated credential.
Endpoint map
| Method and path | Credential | Purpose |
|---|---|---|
POST /graphql |
Delivery key or Preview Bearer | Generated GraphQL delivery |
GET /rest/{typeKey} |
Delivery key or Preview Bearer | List Content or Assets |
GET /rest/{typeKey}/{id} |
Delivery key or Preview Bearer | Read one record |
GET /rest/taxonomy/{vocabularyKey} |
Delivery key or Preview Bearer | List Terms |
GET /rest/taxonomy/{vocabularyKey}/{id} |
Delivery key or Preview Bearer | Read one Term |
GET /openapi.json |
Delivery key or Preview Bearer | Generated OpenAPI 3.1 |
GET /docs |
Delivery key or Preview Bearer | REST API browser |
POST /preview/sessions/exchange |
One-time bootstrap code | Create a Preview Bearer |
POST /agent/mcp |
Agent key, Agent Auth, or OAuth | Management MCP |
Delivery keys
A key has either delivery.readPublished or delivery.readPreview. Each permission accepts Backend scope only; Data Type, locale, and Vocabulary selectors do not apply to delivery keys.
Send the key as x-api-key. x-backend-id wins when present. Without that header, Jetrepo can infer a Backend only when the key’s Backend selector is SELECTED with exactly one ID.
curl https://delivery.example.com/rest/article \
-H 'x-api-key: YOUR_DELIVERY_KEY' \
-H 'x-backend-id: BACKEND_ID'
Use x-backend-id only when the key does not select exactly one Backend.
Preview Bearers
Exchange a single-use code without an authentication header:
curl https://delivery.example.com/preview/sessions/exchange \
-H 'content-type: application/json' \
--data '{"bootstrapCode":"jp_boot_REPLACE_ME"}'
Then send the returned token to GraphQL or REST:
curl https://delivery.example.com/rest/article \
-H 'authorization: Bearer jp_prev_REPLACE_ME'
A Preview session captures and rechecks the human actor’s live content, Release, locale, and Vocabulary authorization. Never send x-api-key and a Preview Bearer together.
Error boundaries
- Missing or invalid delivery key:
401. - No resolvable Backend or Backend outside the key scope:
403. - Delivery key plus Preview Bearer:
400withAMBIGUOUS_CREDENTIALSin GraphQL. - The Delivery API does not install browser CORS middleware; call it from server-side code.
- Agent keys are accepted only by Management MCP.