API Overview & Authentication
Base URL
https://<your-worker>.workers.dev
All API routes are prefixed with /api/.
Request context headers
Every management API request must include headers that define the organizational context:
| Header | Default | Description |
|---|---|---|
| X-Alokai CMS-Organization | "default" | Organization ID |
| X-Alokai CMS-Space | "default" | Space ID |
| X-Alokai CMS-Environment | "main" | Environment ID |
If a header is omitted, Alokai CMS falls back to the defaults listed above.
Authentication
Session (UI)
The browser UI authenticates via a POST to /api/auth/login and receives an httpOnly session cookie (alokon-session). All subsequent requests from the browser include this cookie automatically.
API key (programmatic)
Pass your API key in either header:
Authorization: Bearer <api-key>
X-API-Key: <api-key>
API keys are space-scoped. You do not need to pass X-Alokai CMS-Space separately — the key implies the space.
Full example
curl https://your-worker.workers.dev/api/pages \
  -H "Authorization: Bearer default_sk_abc123..." \
  -H "X-Alokai CMS-Organization: default" \
  -H "X-Alokai CMS-Environment: main"
Response format
All API responses return JSON. Errors follow this shape:
{
  "error": "Not found",
  "status": 404
}
Impersonation (super_admin only)
Super admins can impersonate any user by adding:
X-Alokai CMS-Impersonate: <user-id>
The request is processed as if that user made it.
Rate limiting
There is no built-in rate limiter. For production deployments, use Cloudflare Rate Limiting at the CDN layer.
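The API key flow and the error shape described above, as a client-side helper in JavaScript. This is an added example, not Alokai CMS code: the function names, `ApiError` and the sample values are assumptions, and the header names are used exactly as this page prints them.

```javascript
// Added example. Header names and the error shape come from this page;
// buildRequest, parseResponse and ApiError are hypothetical helper names.
const CONTEXT_HEADERS = {
  organization: "X-Alokai CMS-Organization",
  environment: "X-Alokai CMS-Environment",
};

function buildRequest(baseUrl, path, { apiKey, organization = "default", environment = "main" }) {
  const url = new URL(path, baseUrl);
  // A bearer key sent over plain HTTP is readable by anyone on the network path.
  if (url.protocol !== "https:") throw new Error("refusing to send API key over " + url.protocol);
  // Check after resolution so "../" segments or an absolute URL in `path`
  // cannot redirect the key to another origin or outside /api/.
  if (url.origin !== new URL(baseUrl).origin || !url.pathname.startsWith("/api/")) {
    throw new Error("path must stay under /api/ on the configured origin");
  }
  if (typeof apiKey !== "string" || apiKey.length === 0 || /[\r\n]/.test(apiKey)) {
    throw new Error("API key missing or contains line breaks");
  }
  const headers = {
    Authorization: `Bearer ${apiKey}`,
    // Sent explicitly so an omitted header never silently selects the defaults.
    [CONTEXT_HEADERS.organization]: organization,
    [CONTEXT_HEADERS.environment]: environment,
    // No space header: the key is space-scoped and implies the space.
  };
  return { url: url.href, headers };
}

class ApiError extends Error {
  constructor(message, status) {
    super(message);
    this.name = "ApiError";
    this.status = status;
  }
}

function parseResponse(httpStatus, bodyText) {
  let body;
  try { body = JSON.parse(bodyText); } catch { body = null; }
  if (httpStatus >= 400) {
    // Error bodies follow { "error": ..., "status": ... }; the HTTP status
    // is used for control flow, the body's "error" only as the message.
    const message = body && typeof body.error === "string" ? body.error : "non-JSON error body";
    throw new ApiError(message, httpStatus);
  }
  if (body === null) throw new ApiError("success response was not JSON", httpStatus);
  return body;
}
```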