Skip to main content

plone.restapi is a RESTful hypermedia API for Plone.

Project description Code Health


plone.restapi is a RESTful hypermedia API for Plone.

RESTful Hypermedia API

REST stands for Representational State Transfer. It is a software architectural principle to create loosely coupled web APIs.

Most web APIs have a tight coupling between client and server. This makes them brittle and hard to change over time. It requires them not only to fully document every small detail of the API, but also to write a client implementation that follows that specification 100% correctly and breaks as soon as you change any detail.

A hypermedia API just provides an entry point to the API that contains hyperlinks the clients can follow, just as a human user of a regular website knows the initial URL of the site and then follows hyperlinks to navigate through the site. This has the advantage that the client needs to understand only how to detect and follow links. The URL and other details of the API can change without breaking the client.



Live Demo

A live demo of Plone 5 with the latest plone.restapi release is available at:

Example GET request on the portal root:

$ curl -i -H "Accept: application/json"

Example POST request to create a new document:

$ curl -i -X POST -H "Accept: application/json" -H "Content-Type: application/json" --data-raw '{"@type": "Document", "title": "My Document"}' --user admin:admin

Design Decisions

  • A truly RESTful API (Hypermedia / HATEOAS / Linked-data)

  • JSON is the main target format; support for other formats (HTML, XML) will come later

  • Use HTTP headers (to set format and versioning, also provide URL-based option to make it easier for people to try it out)

  • No versioning; versioning in the HTTP header can be added later

  • Field names just map over (we will not try to clean up attributes or enforce naming standards like pep8 (e.g. isPrincipiaFoldish -> is_folderish)

Software Quality

  • 100% test coverage

  • 100% PEP8 compliant

  • Documentation-first approach for enhancements

Further Reading



The project is licensed under the GPLv2.


Note: place names and roles of the people who contribute to this package

in this file, one to a line, like so:

  • Timo Stollenwerk, Original Author

  • Thomas Buchberger

  • Lukas Graf

  • Víctor Fernández de Alba

  • Paul Roeland

  • Mikel Larreategi

  • Eric Brehault

  • Andreas Zeidler

  • Carsten Senger

  • Tom Gross

  • Roel Bruggink


1.0a20 (2017-07-24)


  • Support content reordering on the site root. [jaroel]

  • Support setting Layout on the site root. [jaroel]

  • Add clarification when using SearchableText parameter in plone.restapi to avoid confusions [sneridagh]

1.0a19 (2017-06-25)

New Features:

  • Implement upload endpoint. [buchi]

1.0a18 (2017-06-14)

New Features:

  • Add “&fullobject” parameter in @search to retrieve full objects [ebrehault]


1.0a17 (2017-05-31)

Breaking Changes:

  • Change RichText field value to use ‘output’ instead of ‘raw’ to fix inline paths. This fixes #302. [erral]

New Features:

  • Automatically publish docker images on [timo]


  • Docs: Fix batching example request/response. [lgraf]

1.0a16 (2017-05-23)

New Features:

  • Add @comments endpoint. [jaroel,timo,pjoshi]

  • Add @roles endpoint to list defined global roles. [jaroel]

  • Add JSON schema to @registry listing. [jaroel]

  • Allow to manipulate the group membership in the @groups endpoint. [jaroel]

  • List and mutate global roles assigned to a user in the @users endpoint. [jaroel]


  • Bind schema field to context to handle context vocabularies. #389 [csenger]

  • The inherit flag was the wrong way around. Blocked inherit showed up as non-blocked. [jaroel]

1.0a15 (2017-05-15)

New Features:

  • Reorder children in a item using the content endpoint. [jaroel]

  • Add batched listing of registry entries to @registry endpoint. [jaroel]

1.0a14 (2017-05-02)

New Features:

  • Add @history endpoint. [jaroel]


  • Fix the @move endpoint fails to return 403 when the user don’t have proper delete permissions over the parent folder. [sneridagh]

1.0a13 (2017-04-18)

New Features:

  • Add support for a ‘search’ parameter to @sharing. This returns additional principals in ‘entries’, also flagging the acquired and inherited fields. [jaroel]

  • Add support for setting/modifying ‘layout’ on DX and AT content endpoints. [jaroel]

  • Add support for getting the defined layouts on the root types endpoint. [jaroel]


  • Add the title to the workflow history in the @workflow endpoint. This fixes #279. [sneridagh]

  • Don’t fetch unnecessary PasswordResetTool in Plone 5.1 [tomgross]

1.0a12 (2017-04-03)


  • Handle special case when user @move content that cannot delete returning proper 403 [sneridagh]

1.0a11 (2017-03-24)


  • Remove zope.intid dependency from copy/move endpoint. Remove plone.api dependency from principals endpoint. Make ChoiceslessRelationListSchemaProvider available only if z3c.relationfield is installed. This fixes [erral]

  • Remove unittest2 imports from tests. [timo]

  • Add Products.PasswortResetTool to dependencies. This dependency is gone in Plone 5.1. [timo]

  • Make import of LocalrolesModifiedEvent conditional, so plone.restapi doesn’t prevent Plone 4.3 deployments < 4.3.4 from booting. [lgraf]

1.0a10 (2017-03-22)

New Features:

  • Add @sharing endpoint. [timo,csenger,sneridagh]

  • Add @vocabularies endpoint. [timo,csenger,sneridagh]

  • Add @copy and @move endpoints. [buchi,sneridagh]

  • Docs: Convert all HTTP examples to use sphinxcontrib-httpexample. [lgraf]

  • Add ‘addable’ attribute to the @types endpoint. It specifies if the content type can be added to the current context. See [jaroel]

  • Add support for named IJsonSchemaProvider adapter to target a single field in a schema. This allows us to prevent rendering all choices in relatedItems. See [jaroel]

  • Add review_state to the folderish summary serializer. [sneridagh]

  • Add @principals endpoint. It searches for principals and returns a list of users and groups that matches the query. This is aimed to be used in the sharing UI widget or other user/groups search widgets. [sneridagh]

  • Add reset-password action to the @users endpoint. [timo,csenger]


  • Fix coveralls reporting. [timo]

  • Return correct @id for folderish objects created via POST. [lgraf]

  • Fix timezone-related failures when running tests through coverage. [witsch]

  • @search endpoint: Also prefill path query dict with context path. This will allow users to supply an argument like path.depth=1, and still have path.query be prefilled server-side to the context’s path. [lgraf]

  • Overhaul JSON schema generation for @types endpoint. It now returns fields in correct order and in their appropriate fieldsets. [lgraf]

  • Add missing id to the Plone site serialization, related to issue #186. [sneridagh]

  • Add missing adapter for IBytes on JSONFieldSchema generator. This fixes the broken /@types/Image and /@types/File endpoints. [sneridagh]

  • Fix addable types for member users and roles assigned locally on @types endpoint. [sneridagh]

1.0a9 (2017-03-03)

New Features:

  • Make date and datetime fields provide a ‘widget’ attribute. [timo]

  • Add documentation for types endpoint schema. [timo]

  • Add basic groups CRUD operations in @groups endpoints [sneridagh]

  • Make @types endpoint include a ‘mode’ attribute. This fixes [timo]


  • Fix queries to ensure ordering of container items by getObjectPositionInParent. [lgraf]

1.0a8 (2017-01-12)

New Features:

  • Add simple user search capabilities in the GET @users endpoint. [sneridagh]


1.0a7 (2016-12-05)


1.0a6 (2016-11-30)

New Features:

  • Introduce dedicated permission required to use REST API at all (assigned to everybody by default). [lgraf]


  • When token expires, PAS plugin should return an empty credential. [ebrehault]

1.0a5 (2016-10-07)


1.0a4 (2016-10-05)

New Features:

  • Make POST request return the serialized object. [timo]

  • Include ‘id’ attribute in responses. [timo]

1.0a3 (2016-09-27)

New Features:

  • Add @users endpoint. [timo]


  • Fix bug where disabling the “Use Keyring” flag wasn’t persisted in jwt_auth plugin. [lgraf]

1.0a2 (2016-08-20)

New Features:

  • Implements navigation and breadcrumbs components [ebrehault]

  • Add widget and support for RichText field in @types component. [ebrehault]

  • Add fieldsets in @types [ebrehault]


  • Disable automatic CSRF protection for @login and @login-renew endpoints: If persisting tokens server-side is enabled, those requests need to be allowed to cause DB writes. [lgraf]

  • Documentation: Fixed parameter ‘data’ to JSON format in JWT Authentication documentation [lccruz]

  • Tests: Fail tests on uncommitted changes to docs/source/_json/ [lgraf]

  • Tests: Use freezegun to freeze hard to control timestamps in response dumps used for documentation. [lgraf]

  • Tests: Limit available languages to a small set to avoid excessive language lists in response dumps used for documentation. [lgraf]

1.0a1 (2016-07-14)

  • Initial release. [timo,buchi,lukasgraf,et al.]

Project details

Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

plone.restapi-1.0a20.tar.gz (370.1 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page