Drupal JSON:API

Drupal's built-in JSON:API module exposes all content entities as a standards-compliant REST API for headless/decoupled architecture.

Evaluated Mar 06, 2026, v10.x
Other drupal cms json-api php headless
⚙ Agent Friendliness: 56 / 100 (Can an agent use this?)
🔒 Security: 62 / 100 (Is it safe for agents?)
⚡ Reliability: 60 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 80
Error Messages: 75
Auth Simplicity: 75
Rate Limits: 80

🔒 Security

TLS Enforcement: 0
Auth Strength: 78
Scope Granularity: 75
Dep. Hygiene: 80
Secret Handling: 78

Access control relies on Drupal's permission system. Enable HTTPS and use OAuth2 — never basic auth in production.

⚡ Reliability

Uptime/SLA: 0
Version Stability: 82
Breaking Changes: 78
Error Recovery: 78

Best When

Best for existing Drupal sites adding headless frontend or automating content workflows via standard JSON:API.

Avoid When

Avoid when building a new CMS from scratch — consider Contentful, Sanity, or Strapi for greenfield.

Use Cases

  • Build headless Drupal frontends by fetching nodes, taxonomy, and media via JSON:API endpoints
  • Automate content management workflows by creating/updating nodes programmatically via PATCH/POST
  • Migrate content between Drupal instances using JSON:API for bulk content export and import
  • Build content-driven AI agents that query Drupal content by taxonomy, date, or field filters
  • Integrate Drupal content into multi-source aggregation pipelines using standardized JSON:API responses

Not For

  • Non-Drupal CMS platforms — this evaluation is specific to Drupal's JSON:API module
  • Simple read-only content delivery where a CDN-cached REST API is sufficient
  • Teams expecting a traditional flat REST API — JSON:API has a specific envelope and relationship structure

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: No
Webhooks: No

Authentication

Methods: basic_auth, oauth2, cookie
OAuth: Yes
Scopes: Yes

Simple OAuth2 module recommended for token auth. Basic auth available but discouraged in production. Anonymous read access configurable per bundle.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

GPL licensed. JSON:API module included in Drupal core since 8.7.

Agent Metadata

Pagination: offset
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • All responses use JSON:API envelope with data.attributes — agents must unwrap, not expect flat field access
  • Relationships (taxonomy terms, media) are separate requests unless include parameter is used — causes N+1 without include
  • Anonymous write access is disabled by default — 403 errors on POST/PATCH without proper role and OAuth token
  • Drupal's internal entity IDs differ from UUID — always use UUID in JSON:API paths, never numeric drupal_internal__id
  • Filters use complex ?filter[field][operator]=value syntax — complex queries across relationships require nested filter syntax

Scores are editorial opinions as of 2026-03-06.
