Content API

Last Updated: 28 Apr 2020


The Content API lets you use Matrix as a headless CMS through a REST API web service.

As a system administrator, you can control what parts of the asset tree can be accessed by the  Content API, and what permission restrictions each Content API should inherit based on the user profile selected.

This extension requires a server administrator to install. Please consult your Squiz account manager to inquiry on how to get this extension installed on your Matrix system.


Read the following prerequisites and information before installing and using the Content API.

This page is replaced by the versioned documentation maintained through Changes made to this page will not be visible once made live.

Key package information

Minimum supported Matrix version

Extension type

Matrix package

Extension version


Installation method

.tgz archive


Admin mode

Minimum user account level

System Administrator

Installing the extension

This extension is installed using the Matrix package installation process.

You can download the extension package from the Content API Squiz Marketplace listing.

See Matrix Packages for basic installation instructions.

After completing the basic installation instructions complete the following additional steps:

  1. As a server  administrator, edit the feature flags configuration file:
    1. /var/www/squiz_matrix/data/private/conf/
  2. Set the SQ_FEATURE_API_ENABLED option to true:
    1. define('SQ_FEATURE_API_ENABLED', true);

Using the extension

You must be a System Administrator or higher to manage Content API access across your Matrix instance.

All Content API tokens are managed through the Content API Manager, which is located under System Management > Content API Manager.

Create tokens beneath this management asset and link the tokens to other root asset nodes you want to access using headless mode.

How to create a Content API token

Tokens can be restricted to assets that are either root nodes, or children of root nodes.

Matrix permissions based on the assigned token user are applied if root node access restrictions are not set against a token.

  1. Click Content API Manager > New Child > Content API Token and set a name for the token.
  2. In the User field, select a user profile from the configured assets.
  3. In the Root Node Restrictions, optionally select one or more assets to apply the access token to.
  4. Click Enabled to set the token to active.
  5. Click Save.
  6. Release the asset locks.

The token asset now has a Token assigned to it. You use this token in an API request to retrieve information from the assets you selected and granted access to.

API reference

The Content API is a read-only (GET) interface: it can not update information stored in Matrix.


The Content API uses Authorization Bearer Tokens for authentication. Session-based authentication is not supported.

A token must be sent in a request to the API using an Authorization: Bearer statement.

Authorization: Bearer abcd1234

The “Bearer” statement keyword is case sensitive. For more information about this statement type, refer to the IETF RFC6750.

A randomly generated unique token value is assigned to the token when the Content API Token asset is created. The token value cannot be changed once it is created.

Error responses

An HTTP 401 Unauthorised response containing a WWW-Authenticate header is returned under the following conditions:

  • The header is malformed
  • The token is invalid because 
    • the asset is disabled or moved into the Trash
    • a user has not been configured against the token.

An HTTP 403 Forbidden response is returned under the following conditions:

  • The user that is configured against the token does not have valid permissions to the requested asset
  • The request is trying to access an asset that is not under an assigned root asset.

An HTTP 404 Not Found response is returned under the following conditions:

  • The requested endpoint does not exist
  • The requested asset does not exist

A 405 Method Not Allowed response is returned when anything other than a GET method verb is used in a request payload.

API documentation

View the Content API Specification for information about the available endpoints with relevant request and response details.

Once the Content API package is installed, endpoint documentation is available from the Content API Manager > Documentation menu within your Matrix instance. This embedded documentation is version-specific. It describes the capabilities of each method offered by the API based on the version you have installed.

If you want to keep the documentation open after you click away from the Content API Manager, click Open in New Window to detach the documentation into a separate browser tab.

Download the specification

You can download the full API specification in OpenAPI v3 format using the Download button within the reference documentation.

Managing the extension

You can manage versions of this extension by upgrading or uninstalling the package.


Upgrading this extension follows the same procedure as the installation process.


To uninstall this extension, you will need assistance from a server administrator.

  1. Log in to Matrix as a system administrator and access admin mode.
  2. Move all Content API Token assets in your Matrix instance to the Trash.
  3. Purge any trashed Content API Token assets from the Trash.
  4. As a server administrator, edit the feature flags configuration file:
    1. /var/www/squiz_matrix/data/private/conf/
  5. Set the SQ_FEATURE_API_ENABLED option to false:
    1. define('SQ_FEATURE_API_ENABLED', false);
  6. Follow the regular package uninstallation steps described in Matrix Package Management.

Send Feedback

Noticed an error?
Want to suggest an improvement?

Let Us Know

Let Us Know What You Think

Let us know if you spot any errors or if you have any ideas on how we can improve the Matrix Community Website.

Contact Squiz for Demo

Let us show you the true power of Squiz Matrix by giving you a personalised demonstration.