1. Home
  2. Documentation
  3. Public API

Public API

Pagoti's Public API serves read-only content to browsers or edge runtimes that originate from domains you've approved. Use it whenever you need to surface published pages without shipping authentication secrets to the client.

To learn more about how the Public and Private APIs differ, see the main documentation page.

Key characteristics

  • Origin-protected: responses are only returned when the request comes from an allowed domain configured in the dashboard
  • Authentication-free: allowed origins can issue GET requests without tokens or secrets
  • Read-only: limited to published content via GET requests under the /public namespace

Requirements

  1. Configure at least one allowed domain on your project
  2. Issue requests from one of those domains (CORS enforced)
  3. Request only published content

Base URL

https://pagoti.com/api/v1/public

Endpoints

List project pages

GET /api/v1/public/projects/{project}/pages

Returns published pages for a project (identified by hash ID or slug).

Response:

{
  "data": [
    {
      "hash_id": "abc123",
      "name": "Getting Started",
      "slug": "getting-started",
      "description": "Learn how to get started with our platform",
      "published": true,
      "published_at": "2025-01-15T10:00:00.000000Z",
      "updated_at": "2025-01-15T10:00:00.000000Z",
      "word_count": 450
    }
  ],
  "links": {
    "first": "https://pagoti.com/api/v1/public/projects/abc123/pages?page=1",
    "last": "https://pagoti.com/api/v1/public/projects/abc123/pages?page=1",
    "prev": null,
    "next": null
  },
  "meta": {
    "current_page": 1,
    "from": 1,
    "last_page": 1,
    "per_page": 15,
    "to": 5,
    "total": 5
  }
}

Get single page

GET /api/v1/public/projects/{project}/pages/{page}

Returns one published page, including its rendered content.

Response:

{
  "data": {
    "hash_id": "abc123",
    "name": "Getting Started",
    "slug": "getting-started",
    "description": "Learn how to get started with our platform",
    "published": true,
    "published_at": "2025-01-15T10:00:00.000000Z",
    "updated_at": "2025-01-15T10:00:00.000000Z",
    "word_count": 450,
    "live": "# Getting Started\n\nYour markdown content here..."
  }
}

CORS headers

Public responses to allowed origins include:

Access-Control-Allow-Origin: https://yourdomain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With

Access-Control-Allow-Origin mirrors the requesting origin when it matches the project's allow-list.

Error responses

403 Forbidden — No domains are configured for the project.

{
  "message": "This action is unauthorized."
}

404 Not Found — The project or page could not be located.

{
  "message": "Not found"
}

Example usage

JavaScript

fetch('https://pagoti.com/api/v1/public/projects/abc123/pages')
  .then((response) => response.json())
  .then((data) => {
    console.log(data.data); // Array of pages
  });

Next.js

export async function getStaticProps() {
  const res = await fetch(
    'https://pagoti.com/api/v1/public/projects/abc123/pages'
  );
  const data = await res.json();

  return {
    props: {
      pages: data.data
    },
    revalidate: 60
  };
}