API overview

The content API is a read-only (GET) interface: it can not update information stored in Matrix.

Base URL

The base URL for all content API endpoints you create is /__api/.

For example, if your site URL was example.com the base URL translates to https://example.com/__api/.


The content API uses Authorization Bearer Tokens for authentication. Session-based authentication is not supported.

A token must be sent in a request to the API using an Authorization: Bearer statement.

Authorization: Bearer abcd1234

The “Bearer” statement keyword is case sensitive. For more information about this statement type, refer to the IETF RFC6750.

A randomly-generated unique token value is assigned when you create a token asset using the Content API Manager. Read Manage content API tokens to learn more about creating and managing authentication tokens.

The token value cannot be changed once it is created.

Error responses

An HTTP 401 Unauthorised response containing a WWW-Authenticate header is returned under the following conditions:

  • The header is malformed.

  • The token is invalid because of the following reasons:

    • The asset is disabled or moved into the Trash.

    • A user has not been configured against the token.

  • An HTTP 403 Forbidden response is returned under the following conditions:

    • The user that is configured against the token does not have valid permissions to the requested asset.

    • The request is trying to access an asset that is not under an assigned root asset.

  • An HTTP 404 Not Found response is returned under the following conditions:

    • The requested endpoint does not exist.

    • The requested asset does not exist.

  • A 405 Method Not Allowed response is returned when anything other than a GET method verb is used in a request payload.

API reference documentation

Endpoint documentation is available from the following locations:

You can download the full API specification in OpenAPI v3 format by clicking Download within the reference documentation.