# Estokad > Sovereign-by-design headless CMS for European publishers, regulators, and enterprises. EU residency, DORA evidence pack, schema-as-code, visual editing, audit chain. These docs cover every customer-facing surface — the schema authoring API, the runtime SDK, the Studio editor, the compliance pack, the CLI. The full content of every page is available at /llms-full.txt. ## Documentation - [Documentation](https://docs.estokad.com/docs.md): Estokad is a sovereign-by-design headless CMS for European publishers, regulators, and enterprises. The docs cover every customer-facing surface — the schema authoring API, the runtime SDK, the Studio editor, the compliance pack, the CLI. - [API](https://docs.estokad.com/docs/api.md): Two surfaces, one source of truth. GraphQL is the primary interface; REST is generated from the same schema for clients that prefer it. Both honour the same auth, residency, and field-level RBAC rules. - [Auth & RBAC](https://docs.estokad.com/docs/auth.md): Two layers, deliberately separated: - [CLI](https://docs.estokad.com/docs/cli.md): `@estokad/cli` is the customer-side command-line tool. It loads `schemas/*.ts` from your repo, compiles to JSON IR via `@estokad/schema`, and pushes to the management API. - [Compliance](https://docs.estokad.com/docs/compliance.md): Estokad is built so a customer can hand a regulator a download of their compliance posture and walk away. The five surfaces: - [Getting started](https://docs.estokad.com/docs/getting-started.md): From sign-up to first published entry in roughly ten minutes. The path covers four steps: sign up, install the CLI, push a schema, fetch through the SDK. - [Schema](https://docs.estokad.com/docs/schema.md): Estokad's schema is code. Types live in TypeScript files in your repo, get compiled to a JSON intermediate representation (IR) by `@estokad/schema`, and ship to the API via `estokad push`. The Studio renders the same IR — visual schema editing in M1.5b will read and write the same files. - [Visual edit](https://docs.estokad.com/docs/visual-edit.md): Click a field in the rendered preview, edit it inline, see the structured field on the left of the Studio update. The overlay protocol works with any framework that can render a server-side preview against the Estokad API. - [GraphQL](https://docs.estokad.com/docs/api/graphql.md): GraphQL is the primary API surface. The schema is generated from your content types via Pothos; introspection drives `@estokad/sdk` for end-to-end type safety. - [REST](https://docs.estokad.com/docs/api/rest.md): The REST surface is generated from your content schema. Endpoints, query parameters, and response shapes are described in OpenAPI 3.1 at `/v1//openapi.json`. - [REST response shapes](https://docs.estokad.com/docs/api/rest-shapes.md): The exact JSON shapes a frontend consumer codes against: the content-entry envelope, the field-data object per content type, the asset object, the rich-text node tree, and the webhook payload. These are the authoritative shapes — the live OpenAPI 3.1 document at `/v1//openapi.json` is generated from your schema and always matches the running API. - [API keys](https://docs.estokad.com/docs/auth/api-keys.md): Per-workspace bearer tokens that authenticate REST and GraphQL requests. Issued from `/settings/api-keys` in the Studio; plaintext is shown once at creation and the server only stores a SHA-256 hash. - [Custom roles](https://docs.estokad.com/docs/auth/rbac.md): Field-level RBAC. Each custom role names a set of `(content_type, field)` read and write grants; assigning a role to a member restricts what they can see and edit in the Studio and over the API. - [DORA evidence pack](https://docs.estokad.com/docs/compliance/dora.md): The Digital Operational Resilience Act (DORA) requires regulated financial entities to maintain ongoing evidence of ICT risk management, third-party risk, incident handling, and business continuity. Estokad assembles this evidence on demand as a downloadable archive. - [Residency](https://docs.estokad.com/docs/compliance/residency.md): Estokad runs per-country, not "EU region." Customers pick where their data lives at signup; provisioning happens only after the residency module is paid for. The chosen region binds every byte of data — Postgres rows, asset blobs, cache state, audit logs. - [`defineType()`](https://docs.estokad.com/docs/schema/define-type.md): The authoring API for content types. Every type lives in a `schemas/*.ts` file, exports a single `defineType()` call, and is re-exported from `schemas/index.ts`. ## Optional - [Marketing site](https://estokad.com): pricing, comparisons, customer stories. - [Studio](https://app.estokad.com): the admin UI for content authors. - [Status](https://estokad.com/status): residency-pinned uptime + incident history.