Directus REST & GraphQL API

Open-source data platform wrapping any SQL database (Postgres, MySQL, SQLite) with an instant REST/GraphQL API, admin UI, file management, auth, and role-based access control.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Other directus headless-cms rest-api graphql no-code database open-source
⚙ Agent Friendliness: 62 / 100 (Can an agent use this?)
🔒 Security: 88 / 100 (Is it safe for agents?)
⚡ Reliability: 82 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: --
  • Documentation: 88
  • Error Messages: 82
  • Auth Simplicity: 80
  • Rate Limits: 75

🔒 Security

  • TLS Enforcement: 95
  • Auth Strength: 85
  • Scope Granularity: 90
  • Dep. Hygiene: 85
  • Secret Handling: 85

Fine-grained field-level and collection-level RBAC. Static API tokens for agents — no expiry but revocable. CORS configurable. Self-hosted means you control the security perimeter. Regular security audits and CVE patches.

⚡ Reliability

  • Uptime/SLA: 85
  • Version Stability: 82
  • Breaking Changes: 78
  • Error Recovery: 82

Best When

You have a database and want instant API + admin UI without writing backend code — Directus wraps it with REST, GraphQL, auth, and permissions in minutes.

Avoid When

You need a fully managed cloud CMS with no self-hosting — Directus Cloud exists but the OSS value is in self-hosting.

Use Cases

  • Instant REST API over existing database without custom backend code
  • Agents reading and writing structured data through a typed, permission-controlled API
  • Content management backend for multi-channel publishing (web, mobile, email)
  • Internal tools and admin dashboards with zero backend code via Directus UI
  • File and media management with automatic transformations via Directus Files API

Not For

  • Teams needing a managed SaaS CMS with no infrastructure management (use Contentful)
  • Complex ML/AI data workflows at scale (Directus is not a data warehouse)
  • Real-time subscriptions at massive scale (WebSocket support is basic)

Interface

  • REST API: Yes
  • GraphQL: Yes
  • gRPC: No
  • MCP Server: No
  • SDK: Yes
  • Webhooks: Yes

Authentication

Methods: bearer_token api_key
OAuth: Yes Scopes: Yes

JWT access tokens (15min) + refresh tokens. Static API tokens for agents (no expiry). OAuth SSO providers (Google, GitHub). Role-based access control with field-level permissions. Public access configurable per collection.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Core is MIT licensed and free to self-host. Cloud hosting is paid. Enterprise support/SLA available.

Agent Metadata

  • Pagination: offset
  • Idempotent: Partial
  • Retry Guidance: Not documented

Known Gotchas

  • Permissions are role-based and field-level — missing a permission returns empty data (not an error) which can confuse agents
  • Many-to-many relations require junction collection queries — not transparent in REST like SQL JOINs
  • File uploads require multipart/form-data — JSON-only agents must handle binary upload separately
  • GraphQL and REST have different query syntaxes for the same data — pick one and stick with it
  • JWT access tokens expire in 15 minutes by default — agents must implement refresh token rotation or use static API tokens

Scores are editorial opinions as of 2026-03-06.
