Private API

The Private API is Pagoti's token-authenticated API for servers, build pipelines, background jobs, and internal tooling. It now supports both read and write flows for project-scoped endpoints, so splitting the guide by topic keeps it easier to navigate.

For the high-level API comparison, start on the documentation overview.

Key characteristics

  • Token-protected: authenticate every request with a Bearer token
  • Server-friendly: built for backend and automation use cases
  • Unrestricted origins: requests can come from anywhere
  • Project-scoped: dashboard-created tokens are tied to a single project
  • Ability-aware: token abilities control whether project-scoped requests can read, write, or both

Base URL

https://pagoti.com/api/v1

Start here

Authentication and access

How to send Bearer tokens, how project scope works, and how access:read / access:write affect requests.

Read the authentication guide →

Projects

List, create, fetch, update, and delete projects.

Read the projects guide →

Pages

List, create, fetch, update, and delete pages inside a project.

Read the pages guide →

Media

List media for a project.

Read the media guide →

Available endpoint groups

Projects

  • GET /projects
  • POST /projects
  • GET /projects/{project}
  • PUT /projects/{project}
  • DELETE /projects/{project}

Pages

  • GET /projects/{project}/pages
  • POST /projects/{project}/pages
  • GET /projects/{project}/pages/{page}
  • PUT /projects/{project}/pages/{page}
  • DELETE /projects/{project}/pages/{page}

Media

  • GET /projects/{project}/media

Media remains read-only in the private API at the moment.

Security warning

Never embed Private API tokens in frontend bundles, mobile apps, or public repositories. Use the Public API for browser-delivered experiences.

Rate limits

Private API requests are rate limited per user and tier. When you exceed your allowance, the API returns 429 Too Many Requests.

Common status codes

  • 200 OK for successful reads and updates
  • 201 Created for successful creates
  • 204 No Content for successful deletes
  • 401 Unauthorized when authentication is missing
  • 403 Forbidden when scope or ability checks fail
  • 404 Not Found when a route-bound resource cannot be found
  • 422 Unprocessable Content when validation fails