Penpot API Documentation (v{{version}})

INTRODUCTION

This documentation is intended to be a general overview of the penpot RPC API. If you prefer, you can use OpenAPI and/or SwaggerUI as alternative.

GENERAL NOTES

Authentication

The penpot backend right now offers two way for authenticate the request: cookies (the same mechanism that we use ourselves on accessing the API from the web application) and access tokens.

The cookie can be obtained using the `login-with-password` rpc method, on successful login it sets the `auth-token` cookie with the session token.

The access token can be obtained on the appropriate section on profile settings and it should be provided using `Authorization` header with `Token <token-string>` value.

Content Negotiation

The penpot API by default operates indistinctly with: `application/json` and `application/transit+json` content types. You should specify the desired content-type on the `Accept` header, the transit encoding is used by default.

Limits

The rate limit work per user basis (this means that different api keys share the same rate limit). For now the limits are not documented because we are studying and analyzing the data. As a general rule, it should not be abused, if an abusive use is detected, we will proceed to block the user's access to the API.

Webhooks

All methods that emit webhook events are marked with flag WEBHOOK, the data structure defined on each method represents the payload of the event.

The webhook event structure has this aspect:

{
  "id": "db601c95-045f-808b-8002-362f08fcb621",
  "name": "rename-file",
  "props": <payload>,
  "profileId": "db601c95-045f-808b-8002-361312e63531"
}