Skip to main content

plone.restapi is a RESTful hypermedia API for Plone.

Project description Code Health


plone.restapi is a RESTful hypermedia API for Plone.

RESTful Hypermedia API

REST stands for Representational State Transfer. It is a software architectural principle to create loosely coupled web APIs.

Most web APIs have a tight coupling between client and server. This makes them brittle and hard to change over time. It requires them not only to fully document every small detail of the API, but also to write a client implementation that follows that specification 100% correctly and breaks as soon as you change any detail.

A hypermedia API just provides an entry point to the API that contains hyperlinks the clients can follow, just as a human user of a regular website knows the initial URL of the site and then follows hyperlinks to navigate through the site. This has the advantage that the client needs to understand only how to detect and follow links. The URL and other details of the API can change without breaking the client.



Live Demo

A live demo of Plone 5 with the latest plone.restapi release is available at:

Example GET request on the portal root:

$ curl -i -H "Accept: application/json"

Example POST request to create a new document:

$ curl -i -X POST -H "Accept: application/json" -H "Content-Type: application/json" --data-raw '{"@type": "Document", "title": "My Document"}' --user admin:admin

Design Decisions

  • A truly RESTful API (Hypermedia / HATEOAS / Linked-data)

  • JSON is the main target format; support for other formats (HTML, XML) will come later

  • Use HTTP headers (to set format and versioning, also provide URL-based option to make it easier for people to try it out)

  • No versioning; versioning in the HTTP header can be added later

  • Field names just map over (we will not try to clean up attributes or enforce naming standards like pep8 (e.g. isPrincipiaFoldish -> is_folderish)

Software Quality

  • 100% test coverage

  • 100% PEP8 compliant

  • Documentation-first approach for enhancements

Further Reading



The project is licensed under the GPLv2.


  • Timo Stollenwerk, Original Author

  • Thomas Buchberger

  • Lukas Graf

  • Víctor Fernández de Alba

  • Paul Roeland

  • Mikel Larreategi

  • Eric Brehault

  • Andreas Zeidler

  • Carsten Senger

  • Tom Gross

  • Roel Bruggink

  • Yann Fouillat, alias Gagaro

  • Sune Brøndum Wøller


3.2.0 (2018-06-28)

New Features:

  • Add tiles endpoint for getting all available content tiles and its JSONSchema. [sneridagh]

  • Add a tiles behavior to support the new tiles implementation for plone.restapi. [sneridagh]

  • Make sure to include HTTP examples in installed egg, so test_documentation tests also work against a installed release of plone.restapi. [lgraf]

3.1.0 (2018-06-27)

New Features:

  • Plone 5.2 compatibility. [sunew, davisagli, timo]

3.0.0 (2018-06-26)

Breaking Changes:

  • Fix object creation events. Before this fix, creation events were fired on empty not yet deserialized objects. Also a modified event was fired after deserializing e newly created object. Custom content deserializers now must handle the create keyword argument, which determines if deserialization is performed during object creation or while updating an object. [buchi]

  • Include translated role titles in @sharing GET. [lgraf]

  • Image URLs are now created using the cache optimized way. Fixes #494. [erral]

2.2.1 (2018-06-25)


  • Fix ReST on PyPi. [timo]

2.2.0 (2018-06-25)

New Features:

  • Document the use of the Accept-Language HTTP header. [erral]

  • Translate FTI titles on @types endpoint. Fixes #337. [erral]

  • Translate action name, workflow state and transition names in @history endpoint. [erral]

  • Enhance @workflow endpoint to support applying transitions to all contained items and to set effective and expiration dates. [buchi]


  • Make sure DX DefaultFieldDeserializer validates field values. [lgraf]

  • Reindex AT content on PATCH. This fixes issue 531. [buchi]

  • Fix change password on Plone 5.2 [sunew]

  • Plone 5.2 compatible tests. [sunew]

2.1.0 (2018-06-23)

New Features:

  • Include translated role title in @roles GET. [lgraf]

2.0.1 (2018-06-22)


  • Hide upgrades from the add-ons control panel. Fixes issue 532. [maurits]

2.0.0 (2018-04-27)

Breaking Changes:

  • Convert all datetime, DateTime and time instances to UTC before serializing. [thet]

  • Use python-dateutil instead of DateTime to parse date strings when de-serializing. [thet]

  • Make @translations endpoint expandable [erral]

  • Rename the results attribute in @translations endpoint to be ‘items’ [erral]

  • Remove ‘language’ attribute in @translations endpoint from the top-level response entry [erral]

New Features:

  • Expose the tagged values for widgets in the @types endpoint. [jaroel]

  • Render subject vocabulary as items for subjects field. [jaroel]

  • New permission for accessing user information in the GET @user endpoint plone.restapi: Access Plone user information mapped by default to Manager role (as it was before). [sneridagh]


  • Add VHM support to @search [csenger]

1.6.0 (2018-04-17)

New Features:

  • Add expand.navigation.depth parameter to the @navigation endpoint. [fulv, sneridagh]

1.5.0 (2018-04-03)

New Features:

  • Allow users to update their own properties and password. [sneridagh]

1.4.1 (2018-03-22)


  • Fix serialization of Discussion Item and Collection content types when called with fullobjects parameter. [sneridagh]

1.4.0 (2018-03-19)

New Features:

  • Add expandable @actions endpoint to retrieve portal_actions. [csenger,timo,sneridagh]

1.3.1 (2018-03-14)


  • Support null in content PATCH requests to delete a field value (Dexterity only). This fixes #187. [csenger]

1.3.0 (2018-03-05)

New Features:

  • Observe the allow_discussion allowance (global, fti, object) on object serialization. [sneridagh]

  • Add @email-send’ endpoint to allow authorized users to send emails to arbitrary addresses (Plone 5 only). [sneridagh]

1.2.0 (2018-02-28)

New Features:

  • Allow users to get their own user information. [erral]


  • Mark uninstall profile as non-installable. [hvelarde]

  • Fix the use of fullobjects in Archetypes based sites @search [erral]

  • Fix workflow translations with unicode characters. [Gagaro]

  • Fix workflow encoding in transition endpoint. [Gagaro]

1.1.0 (2018-01-24)

New Features:


  • Remove warning about alpha version from docs. [timo]

1.0.0 (2018-01-17)


  • Remove deprecated getSiteEncoding import. [timo]

  • Build documentation on Plone 5.0.x (before: Plone 4.3.x). [timo]

1.0b1 (2018-01-05)

Breaking Changes:

  • Rename ‘url’ attribute on navigation / breadcrumb to @id’. [timo]

New Features:

  • Allow client to ask for the full representation of an object after creation by setting the ‘Prefer’ header on a PATCH request. [Gagaro]

  • Support deserialization of a relationChoice field using the contents of the serialization (enhanced by the serializer) output. [sneridagh]

  • Allow properties when adding a user. This allows setting the fullname by anonymous users. [jaroel]

  • Add support for IContextSourceBinder vocabularies on JSON schema Choice fields adapters. [sneridagh]

  • Add upgrade guide. [timo]


  • Fix issue where POST or PATCH a named file with a download link would always return self.context.image, not the actual file. [jaroel]

  • Fix DateTimeDeserializer when posting None for a non-required field. [jaroel]

  • Fixed ‘required’ for DateTime fields. [jaroel]

  • Batching: Preserve list-like query string params when canonicalizing URLs. [lgraf]

  • Fixed NamedFieldDeserializer to take a null to remove files/images. [jaroel]

  • Fixed NamedFieldDeserializer to validate required fields. [jaroel]

  • Prevent a fatal error when we get @workflow without permission to get review_history worfklow variable. [thomasdesvenain]

  • Make user registration work as default Plone behavior by adding the Member role to the user. [sneridagh]

1.0a25 (2017-11-23)

Breaking Changes:

  • Remove @components navigation and breadcrumbs. Use top level @navigation and @breadcrumb endpoints instead. [timo]

  • Remove “sharing” attributes from GET response. [timo,jaroel]

  • Convert richtext using .output_relative_to. Direct conversion from RichText if no longer supported as we always need a context for the ITransformer. [jaroel]

New Features:

  • Add fullobjects parameter to content GET request. [timo]

  • Include descriptions of modified fields in object-modified event. [buchi]

  • Add uninstall profile [davilima6]

  • Add include_items option to SerializeFolderToJson. [Gagaro]


  • Fix error messages for password reset (wrong user and wrong password). [csenger]

  • Fix #440, URL and @id wrong in second level get contents call for folderish items. [sneridagh]

  • Fix #441, GET in a folderish content with ‘fullobjects’ is including all items recursively. [sneridagh]

  • Fix #443, Ensure the userid returned by authenticateCredentials is a byte string and not unicode. [Gagaro]

1.0a24 (2017-11-13)

New Features:

  • Add ‘is_editable’ and ‘is_deletable’ to the serialization of comments objects. Also refactored the comments endpoint to DRY. [sneridagh]

  • Improve is_folderish property to include Plone site and AT content types [sneridagh]


  • Cover complete use cases of file handling in a content type. This includes removal of a image/file and being able to feed the PATCH endpoint with the response of a GET operation the image/file fields without deleting the existing value. [sneridagh]

1.0a23 (2017-11-07)


1.0a22 (2017-11-04)

New Features:

  • Add @translations endpoint [erral]

  • Include title in site serialization. [buchi]

  • Include is_folderish property on GET request responses. Fixes #327. [sneridagh]


  • Strip spaces from TextLine values to match z3c.form implementation. [jaroel]

  • Disallow None and u’’ when TextLine is required. Refs #351. [jaroel]

  • Make getting ‘/@types/{type_id}’ work for non-DX types, ie “Plone Site”. [jaroel]

  • Remove Products.PasswortResetTool from since it is a soft dependency. It is included in Plone >= 5.1. [tomgross]

  • Update pytz to fix travis builds [sneridagh]

1.0a21 (2017-09-23)

New Features:


  • Fix ZCML load order issue by explicitly loading permissions.zcml from CMFCore. [lgraf]

  • Fix @id values returned by @search with ‘fullobjects’ option [ebrehault]

  • Re-add skipped tests from @breadcrumbs and @navigation now that expansion is in place. [sneridagh]

1.0a20 (2017-07-24)


  • Support content reordering on the site root. [jaroel]

  • Support setting Layout on the site root. [jaroel]

  • Add clarification when using SearchableText parameter in plone.restapi to avoid confusions [sneridagh]

1.0a19 (2017-06-25)

New Features:

  • Implement upload endpoint. [buchi]

1.0a18 (2017-06-14)

New Features:

  • Add “&fullobject” parameter in @search to retrieve full objects [ebrehault]


1.0a17 (2017-05-31)

Breaking Changes:

  • Change RichText field value to use ‘output’ instead of ‘raw’ to fix inline paths. This fixes #302. [erral]

New Features:

  • Automatically publish docker images on [timo]


  • Docs: Fix batching example request/response. [lgraf]

1.0a16 (2017-05-23)

New Features:

  • Add @comments endpoint. [jaroel,timo,pjoshi]

  • Add @roles endpoint to list defined global roles. [jaroel]

  • Add JSON schema to @registry listing. [jaroel]

  • Allow to manipulate the group membership in the @groups endpoint. [jaroel]

  • List and mutate global roles assigned to a user in the @users endpoint. [jaroel]


  • Bind schema field to context to handle context vocabularies. #389 [csenger]

  • The inherit flag was the wrong way around. Blocked inherit showed up as non-blocked. [jaroel]

1.0a15 (2017-05-15)

New Features:

  • Add @translations endpoint [erral]

  • Reorder children in a item using the content endpoint. [jaroel]

  • Add batched listing of registry entries to @registry endpoint. [jaroel]

1.0a14 (2017-05-02)

New Features:

  • Add @history endpoint. [jaroel]


  • Fix the @move endpoint fails to return 403 when the user don’t have proper delete permissions over the parent folder. [sneridagh]

1.0a13 (2017-04-18)

New Features:

  • Add support for a ‘search’ parameter to @sharing. This returns additional principals in ‘entries’, also flagging the acquired and inherited fields. [jaroel]

  • Add support for setting/modifying ‘layout’ on DX and AT content endpoints. [jaroel]

  • Add support for getting the defined layouts on the root types endpoint. [jaroel]


  • Add the title to the workflow history in the @workflow endpoint. This fixes #279. [sneridagh]

  • Don’t fetch unnecessary PasswordResetTool in Plone 5.1 [tomgross]

1.0a12 (2017-04-03)


  • Handle special case when user @move content that cannot delete returning proper 403 [sneridagh]

1.0a11 (2017-03-24)


  • Remove zope.intid dependency from copy/move endpoint. Remove plone.api dependency from principals endpoint. Make ChoiceslessRelationListSchemaProvider available only if z3c.relationfield is installed. This fixes [erral]

  • Remove unittest2 imports from tests. [timo]

  • Add Products.PasswortResetTool to dependencies. This dependency is gone in Plone 5.1. [timo]

  • Make import of LocalrolesModifiedEvent conditional, so plone.restapi doesn’t prevent Plone 4.3 deployments < 4.3.4 from booting. [lgraf]

1.0a10 (2017-03-22)

New Features:

  • Add @sharing endpoint. [timo,csenger,sneridagh]

  • Add @vocabularies endpoint. [timo,csenger,sneridagh]

  • Add @copy and @move endpoints. [buchi,sneridagh]

  • Docs: Convert all HTTP examples to use sphinxcontrib-httpexample. [lgraf]

  • Add ‘addable’ attribute to the @types endpoint. It specifies if the content type can be added to the current context. See [jaroel]

  • Add support for named IJsonSchemaProvider adapter to target a single field in a schema. This allows us to prevent rendering all choices in relatedItems. See [jaroel]

  • Add review_state to the folderish summary serializer. [sneridagh]

  • Add @principals endpoint. It searches for principals and returns a list of users and groups that matches the query. This is aimed to be used in the sharing UI widget or other user/groups search widgets. [sneridagh]

  • Add reset-password action to the @users endpoint. [timo,csenger]


  • Fix coveralls reporting. [timo]

  • Return correct @id for folderish objects created via POST. [lgraf]

  • Fix timezone-related failures when running tests through coverage. [witsch]

  • @search endpoint: Also prefill path query dict with context path. This will allow users to supply an argument like path.depth=1, and still have path.query be prefilled server-side to the context’s path. [lgraf]

  • Overhaul JSON schema generation for @types endpoint. It now returns fields in correct order and in their appropriate fieldsets. [lgraf]

  • Add missing id to the Plone site serialization, related to issue #186. [sneridagh]

  • Add missing adapter for IBytes on JSONFieldSchema generator. This fixes the broken /@types/Image and /@types/File endpoints. [sneridagh]

  • Fix addable types for member users and roles assigned locally on @types endpoint. [sneridagh]

1.0a9 (2017-03-03)

New Features:

  • Make date and datetime fields provide a ‘widget’ attribute. [timo]

  • Add documentation for types endpoint schema. [timo]

  • Add basic groups CRUD operations in @groups endpoints [sneridagh]

  • Make @types endpoint include a ‘mode’ attribute. This fixes [timo]


  • Fix queries to ensure ordering of container items by getObjectPositionInParent. [lgraf]

1.0a8 (2017-01-12)

New Features:

  • Add simple user search capabilities in the GET @users endpoint. [sneridagh]


1.0a7 (2016-12-05)


1.0a6 (2016-11-30)

New Features:

  • Introduce dedicated permission required to use REST API at all (assigned to everybody by default). [lgraf]


  • When token expires, PAS plugin should return an empty credential. [ebrehault]

1.0a5 (2016-10-07)


1.0a4 (2016-10-05)

New Features:

  • Make POST request return the serialized object. [timo]

  • Include ‘id’ attribute in responses. [timo]

1.0a3 (2016-09-27)

New Features:

  • Add @users endpoint. [timo]


  • Fix bug where disabling the “Use Keyring” flag wasn’t persisted in jwt_auth plugin. [lgraf]

1.0a2 (2016-08-20)

New Features:

  • Implements navigation and breadcrumbs components [ebrehault]

  • Add widget and support for RichText field in @types component. [ebrehault]

  • Add fieldsets in @types [ebrehault]


  • Disable automatic CSRF protection for @login and @login-renew endpoints: If persisting tokens server-side is enabled, those requests need to be allowed to cause DB writes. [lgraf]

  • Documentation: Fixed parameter ‘data’ to JSON format in JWT Authentication documentation [lccruz]

  • Tests: Fail tests on uncommitted changes to docs/source/_json/ [lgraf]

  • Tests: Use freezegun to freeze hard to control timestamps in response dumps used for documentation. [lgraf]

  • Tests: Limit available languages to a small set to avoid excessive language lists in response dumps used for documentation. [lgraf]

1.0a1 (2016-07-14)

  • Initial release. [timo,buchi,lukasgraf,et al.]

Project details

Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

plone.restapi-3.2.0.tar.gz (443.3 kB view hashes)

Uploaded Source

Built Distribution

plone.restapi-3.2.0-py2-none-any.whl (435.9 kB view hashes)

Uploaded Python 2

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page