REST

The REST surface is generated from your content schema. Endpoints, query parameters, and response shapes are described in OpenAPI 3.1 at /v1/<workspace>/openapi.json.

Base URL

https://api.estokad.com/v1/<workspace>

The workspace slug is set on signup. Find it in the Studio's URL bar or under /settings. Custom subdomains for Sovereign-tier customers are documented in the runbook.

Reading entries

List published entries of a type:

curl -H "Authorization: Bearer $KEY" \
  "https://api.estokad.com/v1/your-workspace/content/article"

Response:

{
  "entries": [
    {
      "id": "01HX2…",
      "type": "article",
      "data": { "title": "…", "slug": "…", "body": [ … ] },
      "publishedAt": "2026-04-12T10:00:00Z"
    }
  ],
  "next": null
}

Single entry:

curl -H "Authorization: Bearer $KEY" \
  "https://api.estokad.com/v1/your-workspace/content/article/<id>"

The response payload includes a _rbac.stripped array when field-level RBAC denies the caller's role read access to one or more fields. Those fields are absent from data; their names appear in _rbac.stripped so the client can render an appropriate fallback.

Filtering

Standard query parameters:

| Param | Effect |
|---|---|
| limit | page size, max 100 |
| cursor | opaque pagination token from the previous response's next |
| where[field]=value | exact match on a top-level field |
| where[field][gte]=value | range comparison |
| order=field / -field | sort, prefix - for descending |
| locale | locale code (multi-locale module) |

Multiple where parameters are AND-ed. For OR or nested conditions, use GraphQL.

Writing entries

Requires a write or management key. Create:

curl -X POST \
  -H "Authorization: Bearer $KEY" \
  -H "Content-Type: application/json" \
  -d '{ "data": { "title": "Hello", "slug": "hello", "body": [] } }' \
  "https://api.estokad.com/v1/your-workspace/content/article"

Patch:

curl -X PATCH \
  -H "Authorization: Bearer $KEY" \
  -H "Content-Type: application/json" \
  -d '{ "data": { "title": "Hello, world" } }' \
  "https://api.estokad.com/v1/your-workspace/content/article/<id>"

Field-level RBAC denials return 403 forbidden with a JSON body listing the denied fields:

{ "error": "forbidden", "denied": ["seoTitle"] }

Publish state

Publish a draft:

curl -X POST \
  -H "Authorization: Bearer $KEY" \
  "https://api.estokad.com/v1/your-workspace/content/article/<id>/publish"

Unpublish:

curl -X POST \
  -H "Authorization: Bearer $KEY" \
  "https://api.estokad.com/v1/your-workspace/content/article/<id>/unpublish"

In multi-locale workspaces, append ?locale=fr-BE to publish a single locale.

Webhooks

Configure webhook subscribers from /settings. Estokad signs every payload with HMAC-SHA256; the signature ships in the X-Estokad-Signature header. The subscriber endpoint should validate it before acting on the payload.
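
A subscriber-side check for the signature described above, as an added example that is not Estokad's own code. It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body, keyed with a per-subscriber secret; the page states neither the encoding nor the exact bytes signed, so confirm both before relying on it. The secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

# ASSUMPTIONS (not stated on the page): the header value is the hex-encoded
# HMAC-SHA256 of the raw request body, keyed with a per-subscriber secret.
SIGNATURE_HEADER = "X-Estokad-Signature"

# Constructed sample values, for illustration only.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"event":"constructed.sample","id":"example-id"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, received: Optional[str]) -> bool:
    """True only if `received` matches the HMAC of the exact bytes on the wire."""
    if not received:
        return False
    expected = compute_signature(secret, raw_body).encode("ascii")
    # Compare as bytes: compare_digest is constant-time and, unlike the str
    # form, does not raise on a non-ASCII header value.
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))


def handle_webhook(secret: bytes, headers: Mapping[str, str],
                   raw_body: bytes) -> Tuple[int, Optional[dict]]:
    """Hypothetical handler: authenticate first, parse JSON only afterwards."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get(SIGNATURE_HEADER.lower())):
        return 401, None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, None
    return 200, payload


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_webhook(SAMPLE_SECRET, {SIGNATURE_HEADER: sig}, SAMPLE_BODY))
    # Re-serialising the parsed JSON changes the bytes, so the check fails:
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(verify_signature(SAMPLE_SECRET, reserialised, sig))
```

Verify against the request body exactly as received, before any framework parses or re-encodes it; a body that has been parsed and re-serialised no longer matches the signature.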