GraphQL API

By default, the API is available at:

The exact public URL can differ per environment based on virtual host configuration, which is commonly used to expose the API on a friendlier path — for example https://api.example.com/graphql.

Guillotine uses XP’s IAM system for per-user authorization. Requests are evaluated in the context of the authenticated principal, and content permissions apply to every query — users only see content they are allowed to read.

Authenticate requests by passing a bearer token in the Authorization header:

Unauthenticated requests run as the anonymous user and can still access content granted READ permission for role:system.everyone.

Guillotine generates a GraphQL schema dynamically from the content types, mixins, and x-data registered in the current project. Each form field maps to a typed GraphQL field (for example, TextLine → String, ImageSelector → MediaImage, ItemSet → a nested object type), so a front-end developer gets an accurate schema to query against without any manual mapping.

The schema also includes queries for pages and components, content hierarchies, full-text search, and references between items.

For the full schema reference, query syntax, extensions, and configuration options, see the Guillotine documentation.

Requests are standard GraphQL POST requests with a JSON body containing query and optional variables:

For hands-on examples querying content, pages, images, and more, see the Developer 101 guide.