Authentication

Token types, scopes, generation, and how to authenticate API requests to Laizy CMS.

Laizy CMS uses JWTs for API authentication. Tokens are prefixed with laizy_ and sent in the Authorization header.

Token types

Admin tokens

Full access to schema management, content CRUD, and project settings. Used by the CLI and server-side integrations.

Scope: admin

Generate from: Dashboard → Developer → Generate API Token

# Use with the CLI
pnpm laizy init
# Enter your admin token when prompted

// Use in server-side code
import { ManagementClient } from 'laizy-cms/management';

const client = new ManagementClient({
  baseUrl: 'https://laizycms.com',
  apiToken: process.env.LAIZY_API_TOKEN!, // laizy_eyJ...
});

Frontend tokens

Read-only access scoped to published content only. Safe to use in client-side code since they can't modify data.

Scope: content:read

Generate from: Dashboard → Developer → Generate Frontend Token

// Safe for client-side use
import { ManagementClient } from 'laizy-cms/management';

const client = new ManagementClient({
  baseUrl: 'https://laizycms.com',
  apiToken: 'laizy_eyJ...', // Frontend token
});

// Can only read published content
const posts = await client.blogPost.findMany();

Request format

All API requests require two headers:

Authorization: Bearer laizy_eyJhbGciOiJIUzI1NiIs...
x-laizy-project: <project-id>

The Authorization header carries the JWT token. The x-laizy-project header identifies which project to operate on.

When using the CLI, the project header is automatically set from .laizy/project.json. When using the generated client, it's set by the ManagementClient.

Token anatomy

Tokens follow this structure:

laizy_<base64-encoded-jwt>

The JWT payload includes:

Field   Description
sub     User or organization ID
org     Organization ID
scope   admin or content:read
iat     Issued at timestamp
exp     Expiration timestamp

Token security

  • Never expose admin tokens in client-side code or public repositories
  • Frontend tokens are safe for client-side use — they only read published content
  • Tokens are scoped to an organization — they can't access other organizations' data
  • Rotate tokens regularly from the Developer page in the dashboard
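
As an added example (not code from Laizy CMS or its client library), the following TypeScript check ties the token anatomy and the token security rules together: it reads the scope and exp claims from a token and reports why that token should not be embedded in client-side code. The function names and sample claim values are constructed for illustration, and exp is assumed to be in seconds since the epoch.

```typescript
// Added example; not Laizy CMS code. Claim names follow the payload table above.
type LaizyClaims = { sub?: string; org?: string; scope?: string; iat?: number; exp?: number };

const PREFIX = 'laizy_';

// Decode the payload WITHOUT verifying the signature: the signing key is not
// available here, so this is a local sanity check, never an authentication decision.
function decodeLaizyClaims(token: string): LaizyClaims {
  if (!token.startsWith(PREFIX)) throw new Error('missing laizy_ prefix');
  const parts = token.slice(PREFIX.length).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  let claims: unknown;
  try {
    claims = JSON.parse(Buffer.from(parts[1] ?? '', 'base64url').toString('utf8'));
  } catch {
    throw new Error('payload is not base64url-encoded JSON');
  }
  if (typeof claims !== 'object' || claims === null) throw new Error('payload is not a JSON object');
  return claims as LaizyClaims;
}

// Reasons a token must not be embedded in client-side code; empty means OK.
// Assumes exp is in seconds since the epoch (RFC 7519 NumericDate).
function clientBundleProblems(token: string, nowSeconds: number): string[] {
  let claims: LaizyClaims;
  try {
    claims = decodeLaizyClaims(token);
  } catch (err) {
    return [`unparseable token: ${(err as Error).message}`];
  }
  const problems: string[] = [];
  if (claims.scope !== 'content:read') {
    problems.push(`scope is ${String(claims.scope)}, expected content:read`);
  }
  if (typeof claims.exp !== 'number') problems.push('no exp claim');
  else if (claims.exp <= nowSeconds) problems.push('token has expired');
  return problems;
}

// Constructed sample token with a fake signature, for demonstration only.
function makeSampleToken(claims: LaizyClaims): string {
  const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${PREFIX}${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const sampleAdmin = makeSampleToken({ sub: 'user_1', org: 'org_1', scope: 'admin', iat: 1700000000, exp: 1700003600 });
console.log(clientBundleProblems(sampleAdmin, 1700000100));
```

Run as a build step against the token the frontend bundle is configured with, this lets the build fail whenever the returned list is not empty.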

Generated client authentication

The generated TypeScript client handles authentication automatically through the ManagementClient:

import { LaizyClient } from './generated/laizy';
import { ManagementClient } from 'laizy-cms/management';

const managementClient = new ManagementClient({
  baseUrl: process.env.LAIZY_BASE_URL!,
  apiToken: process.env.LAIZY_API_TOKEN!,
});

const client = new LaizyClient(managementClient);

// All requests are authenticated automatically
const posts = await client.blogPost.findMany();

CLI authentication

The CLI stores your token in ~/.laizyrc:

{
  "baseUrl": "https://laizycms.com",
  "apiToken": "laizy_eyJhbGciOiJI..."
}

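This file is created during laizy init. To update your token, edit the file directly or re-run laizy init. Because the file holds the token in plaintext, keep it readable only by your own user account and out of version control.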
