OptimoCMSDocs

Authentication

Everything about API keys, scopes, sandbox keys, rate limits and security best practices.

Authentication

All API requests require authentication via an API key in the X-Api-Key header.

Create an API key

  1. Go to Settings → API Keys in your OptimoCMS dashboard
  2. Click Create API Key
  3. Give the key a descriptive name (e.g. "Production Backend", "CI/CD Pipeline")
  4. Select the desired scopes
  5. Copy the key — it is only shown once

Using your API key

REST API

curl https://api.optimocms.com/v1/sites \
  -H "X-Api-Key: optimo_live_abc123def456"

TypeScript SDK

import { OptimoCMS } from '@optimocms/sdk';

const cms = new OptimoCMS({
  apiKey: process.env.OPTIMOCMS_API_KEY!,
});

MCP configuration

{
  "mcpServers": {
    "optimocms": {
      "command": "npx",
      "args": ["-y", "@optimocms/mcp-server"],
      "env": {
        "OPTIMOCMS_API_KEY": "optimo_live_abc123def456"
      }
    }
  }
}

Scopes

Scopes control what an API key is allowed to do. Always use the minimum set of scopes you need.

ScopeDescription
sites:readList and retrieve sites
sites:writeCreate and update sites
pages:readList and retrieve pages
pages:writeCreate, update and delete pages
media:readList and retrieve media files
media:writeUpload and delete media
analytics:readRetrieve analytics data
ai:writeAI generation, translation and content assist
publish:writePublish sites
ecommerce:readRead products, orders and coupons
ecommerce:writeManage products and coupons
booking:readRetrieve bookings and availability
booking:writeCreate and manage bookings
loyalty:readRetrieve loyalty points
loyalty:writeEarn and redeem points
webhooks:readRetrieve webhook configuration
webhooks:writeCreate and manage webhooks
forms:readRetrieve form submissions
push:writeSend push notification campaigns

Example: a key for read-only content access:

Scopes: sites:read, pages:read, media:read

Example: a key for a CI/CD pipeline that deploys:

Scopes: sites:read, pages:write, media:write, publish:write

Sandbox vs. Live keys

SandboxLive
Prefixoptimo_sandbox_optimo_live_
DataTest data, no real deploymentsProduction data
Rate limitsSame as your tierSame as your tier
CostFree (AI calls don't count)Normal
PublishingNo effect (dry-run)Site is actually published

Use sandbox keys for development and testing. Switch to live keys for production.

const cms = new OptimoCMS({
  apiKey: process.env.NODE_ENV === 'production'
    ? process.env.OPTIMOCMS_LIVE_KEY!
    : process.env.OPTIMOCMS_SANDBOX_KEY!,
});

Rate limits

Rate limits depend on your tier:

TierRequests/minBurst (per second)Daily maximum
Free60105,000
Pro60050100,000
Enterprise6,000200Unlimited

Rate limit headers

Every API response includes rate limit information:

HTTP/1.1 200 OK
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 594
X-RateLimit-Reset: 1748260860
HeaderDescription
X-RateLimit-LimitMaximum requests in the current window
X-RateLimit-RemainingRemaining requests
X-RateLimit-ResetUnix timestamp when the window resets

429 Too Many Requests

When you exceed the limit, you receive a 429 response:

{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Rate limit exceeded. Try again in 45 seconds.",
    "details": { "retryAfter": 45 }
  },
  "meta": { "requestId": "req_abc123", "timestamp": "2026-05-26T12:00:00Z" }
}

SDK: The SDK has built-in retry with exponential backoff. See SDK error handling.

curl:

# Retry-After header contains the wait time in seconds
curl -i https://api.optimocms.com/v1/sites \
  -H "X-Api-Key: your_api_key"
# → Retry-After: 45

MCP: The MCP server handles rate limits automatically with retry.

Security best practices

1. Use environment variables

# .env (NEVER commit to git)
OPTIMOCMS_API_KEY=optimo_live_abc123def456
// ✅ Good
const cms = new OptimoCMS({ apiKey: process.env.OPTIMOCMS_API_KEY! });

// ❌ Bad — hardcoded key
const cms = new OptimoCMS({ apiKey: 'optimo_live_abc123def456' });

2. Minimal scopes

Give each key only the scopes it needs. A frontend integration doesn't need publish:write.

3. Separate keys per environment

Create separate keys for development, staging and production. This way you can revoke individual keys without breaking everything.

4. Rotate keys periodically

Rotate your API keys every quarter. Old keys can be revoked in the dashboard.

5. Monitor usage

Monitor API usage via Settings → API Keys → Usage. Set up alerts for unexpected spikes.

6. Never client-side

Never use API keys in client-side code (browser, mobile app). Create a backend proxy that makes the calls.

Error codes

StatusCodeDescription
401UNAUTHORIZEDMissing or invalid API key
403FORBIDDENKey does not have the required scope
429RATE_LIMIT_EXCEEDEDToo many requests
{
  "error": {
    "code": "FORBIDDEN",
    "message": "API key does not have scope: pages:write"
  },
  "meta": { "requestId": "req_err123", "timestamp": "2026-05-26T12:00:00Z" }
}

Next steps

Quickstart

From zero to your first working API call in 5 minutes.

API Reference

Complete REST API reference voor OptimoCMS. Alle endpoints met request/response voorbeelden, authenticatie, paginering en foutcodes.

On this page

AuthenticationCreate an API keyUsing your API keyREST APITypeScript SDKMCP configurationScopesSandbox vs. Live keysRate limitsRate limit headers429 Too Many RequestsSecurity best practices1. Use environment variables2. Minimal scopes3. Separate keys per environment4. Rotate keys periodically5. Monitor usage6. Never client-sideError codesNext steps