Media API
The Media API uploads, lists, reads, and deletes project-scoped media assets. Media files are stored in S3-compatible object storage, and each request is routed to an explicit project and environment target. All/api/v1/media* endpoints require X-MDCMS-Project and
X-MDCMS-Environment headers.
List Media
/api/v1/media
List media metadata for the routed project and environment.
media:read
Case-insensitive filename search. Blank strings are ignored.
Filter by derived category:
image, video, audio, document, archive,
or other.Filter by the uploading user ID.
Include assets uploaded on or after this
YYYY-MM-DD date.Include assets uploaded through this
YYYY-MM-DD date.Sort by
uploadedAt, filename, or sizeBytes. Defaults to uploadedAt.Sort direction:
asc or desc. Defaults to desc for uploadedAt and
sizeBytes, and asc for filename.Page size from
1 to 100. Defaults to 30.Zero-based page offset. Defaults to
0.INVALID_QUERY_PARAM.
Example request:
Upload Media
/api/v1/media/upload
Upload a file. The request must use
multipart/form-data encoding.media:upload
Content-Type: multipart/form-data
The file to upload. Image uploads are limited by the routed project’s media
image upload setting when configured. Non-image uploads are not subject to
that image limit.
Get Media
/api/v1/media/{id}
Read metadata for one media asset in the routed project and environment.
media:read
Path Parameters
The media asset ID.
Delete Media
/api/v1/media/{id}
Delete a media file. This removes the file from storage and invalidates all
URLs.
media:delete
Path Parameters
The media asset ID.
Webhooks API
Webhooks let you receive real-time HTTP notifications when content changes occur in your project. Configure webhook endpoints to trigger builds, invalidate caches, or sync data with external systems.The Webhooks API is a post-MVP feature. The endpoints are defined and will be
available in an upcoming release.
List Webhooks
/api/v1/webhooks
Returns all webhook configurations for the current project.
webhooks:read
Example request:
Create Webhook
/api/v1/webhooks
Register a new webhook endpoint.
webhooks:write
The HTTPS URL to receive webhook payloads. Must use HTTPS.
List of event types to subscribe to. See Event Types below.
Shared signing secret for HMAC signature verification. Must be 32 to 4096
characters. Studio generates this value automatically for new webhooks; API
clients must provide a cryptographically random value.
Whether the webhook is active. Defaults to
true.Update Webhook
/api/v1/webhooks/{id}
Update an existing webhook configuration.
webhooks:write
Path Parameters
The webhook ID.
Updated HTTPS URL.
Updated event subscriptions.
Updated shared signing secret. Omit this field to preserve the existing
write-only secret.
Enable or disable the webhook.
Delete Webhook
/api/v1/webhooks/{id}
Remove a webhook configuration. Pending deliveries are cancelled.
webhooks:write
Path Parameters
The webhook ID.
Event Types
Webhook Payload
All webhook deliveries use the following envelope:Signature Verification
Every webhook delivery includes anX-MDCMS-Signature header for payload verification:
secret as the key. The raw body must be the exact bytes MDCMS sent; parsing JSON and serializing it again can change whitespace or key order and invalidate the signature.
Verification algorithm:
- Extract the
t(timestamp) andv1(signature) values from the header. - Construct the signed payload:
{timestamp}.{raw_body}. - Compute
HMAC-SHA256(secret, signed_payload). - Compare the computed digest with the
v1value (use constant-time comparison). - Optionally, reject payloads where the timestamp is more than 5 minutes old to prevent replay attacks.
Delivery Behavior
- Async delivery — Webhooks are dispatched asynchronously and do not block the originating API request.
- Retries — Failed deliveries (non-2xx responses or network errors) use three total attempts: the initial attempt, then retries after 1 second and 2 seconds.
- HTTPS only — Webhook URLs must use HTTPS. HTTP URLs are rejected at configuration time.
- Timeout — Each delivery attempt has a 10-second timeout. If the endpoint does not respond within 10 seconds, the attempt is marked as failed.