Directus v11.16.1 (March 10, 2026) added an OPENAPI_ENABLED environment variable — a flag to completely disable the OpenAPI spec output. This isn't a feature for developers. It's a feature for enterprise security teams who want API obscurity ("don't advertise our schema to the world"). It signals that enterprise customers are pushing CMS vendors hard on API security controls.
Meanwhile, Payload's most-commented open issue (#6382, 62 comments) is about cloud storage socket capacity. Strapi's top infrastructure concern is relation handling at scale. No headless CMS has a proper API gateway with scoped access keys.
The Opportunity
Numen's REST API is auth'd via Laravel Sanctum tokens — all-or-nothing access. For enterprise teams:
Marketing automation tools should only access content endpoints, not admin
External agencies should have read-only access to specific content types
CI/CD pipelines need write access to drafts but never to published production content
Third-party integrations should have rate limits independent of human editor limits
API Gateway with Scoped Keys turns Numen into an enterprise-grade content platform, not just a CMS with an API.
Proposed Feature: Numen API Gateway & Scoped Access Keys
Core capabilities:
1. Scoped API Keys
Named keys with configurable permissions (read/write/admin per resource type)
Content-type scoping: key A can only access posts, media; key B has full access
Space-level isolation: multi-space deployments can have space-bound keys
Expiry dates and automatic rotation
2. Per-Key Rate Limiting
Independent rate limit budgets per key (separate from user sessions)
Burst allowance + sustained rate configuration
Usage metrics per key (requests/day, bandwidth, error rate)
3. API Usage Analytics Dashboard
Request volume per key over time
Top endpoints, error rates, latency percentiles
Alert thresholds ("notify if key X exceeds 1000 req/hour")
4. Webhook Signing & Verification
5. OpenAPI Visibility Control
Toggle spec exposure per environment (mirroring the Directus OPENAPI_ENABLED signal)
Scope-aware spec generation: a key only sees the endpoints it can access
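To make the first, second and fifth capabilities concrete, here is a small Python model of how a scoped key, a space-bound key, key expiry, a per-key burst-plus-sustained rate budget and scope-aware spec filtering fit together in one gateway decision. This is an added illustration, not Numen's code (Numen is a Laravel application, and a real implementation would build on Sanctum token abilities); the `resource:action` ability naming, the `/api/<resource>` path convention used to derive the resource from a spec path, and the sample spec and keys are all assumptions made for the example.

```python
"""Model of the proposed gateway (added illustration, not Numen's code): scoped keys,
space isolation, expiry, per-key token buckets and scope-aware OpenAPI filtering."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

WRITE_METHODS = {"post", "put", "patch", "delete"}  # any other HTTP method counts as "read"


@dataclass
class TokenBucket:
    """Burst allowance plus sustained rate: at most `burst` tokens are held,
    refilled at `rate_per_sec`; every request consumes one token."""
    burst: int
    rate_per_sec: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + max(0.0, now - self.last) * self.rate_per_sec)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


@dataclass
class ScopedKey:
    name: str
    abilities: frozenset[str]           # "posts:read", "media:*" or "*" (assumed naming scheme)
    bucket: TokenBucket                 # independent budget, separate from user sessions
    space: Optional[str] = None         # space-bound key; None means any space
    expires_at: Optional[float] = None  # epoch seconds; None means no expiry
    requests: int = 0                   # per-key usage metrics
    errors: int = 0

    def can(self, resource: str, action: str) -> bool:
        return bool(self.abilities & {"*", f"{resource}:*", f"{resource}:{action}"})


class Gateway:
    def __init__(self) -> None:
        self.keys: dict[str, ScopedKey] = {}  # in practice keyed by a hash of the secret

    def authorize(self, key_id: str, resource: str, action: str,
                  space: Optional[str] = None, now: float = 0.0) -> str:
        """Returns "ok" or the first reason the request is refused."""
        key = self.keys.get(key_id)
        if key is None:
            return "unknown_key"
        key.requests += 1
        if key.expires_at is not None and now >= key.expires_at:
            decision = "expired"
        elif not key.bucket.allow(now):  # charged before authz, so denied probes still spend budget
            decision = "rate_limited"
        elif key.space is not None and space != key.space:
            decision = "wrong_space"
        elif not key.can(resource, action):
            decision = "forbidden"
        else:
            decision = "ok"
        if decision != "ok":
            key.errors += 1
        return decision


def filter_spec(spec: dict, key: ScopedKey) -> dict:
    """Scope-aware spec: keep only operations the key could actually call.
    Assumes the resource name is the first path segment after /api/."""
    paths: dict[str, dict] = {}
    for path, ops in spec.get("paths", {}).items():
        segments = [s for s in path.split("/") if s and s != "api"]
        resource = segments[0] if segments else ""
        kept = {m: op for m, op in ops.items()
                if key.can(resource, "write" if m.lower() in WRITE_METHODS else "read")}
        if kept:
            paths[path] = kept
    return {**spec, "paths": paths}


# Constructed sample spec and keys for the demo.
SAMPLE_SPEC = {"openapi": "3.1.0", "paths": {
    "/api/posts": {"get": {"summary": "List posts"}, "post": {"summary": "Create post"}},
    "/api/posts/{id}": {"get": {"summary": "Read post"}, "delete": {"summary": "Delete post"}},
    "/api/media": {"get": {"summary": "List media"}},
    "/api/admin/users": {"get": {"summary": "List users"}},
}}


def build_demo_gateway() -> tuple[Gateway, ScopedKey]:
    """An agency key limited to reading posts and media in one space (burst 3,
    sustained 1 req/s) next to an already expired CI key."""
    gw = Gateway()
    agency = ScopedKey("agency-readonly", frozenset({"posts:read", "media:read"}),
                       TokenBucket(burst=3, rate_per_sec=1.0), space="marketing")
    gw.keys["key_agency"] = agency
    gw.keys["key_old_ci"] = ScopedKey("ci-drafts", frozenset({"*"}), TokenBucket(10, 5.0), expires_at=100.0)
    return gw, agency
```

Calling `build_demo_gateway()` and then `authorize("key_agency", "posts", "read", "marketing", now=0.0)` three times succeeds, the fourth call in the same second is refused as `rate_limited`, and one second later a single token has been refilled. The bucket is charged before the scope check on purpose: a key that keeps probing endpoints it is not allowed to call spends its own budget rather than the human editors'. `filter_spec(SAMPLE_SPEC, agency)` returns a spec containing only the `get` operations on `/api/posts`, `/api/posts/{id}` and `/api/media`, which is the "key only sees endpoints it can access" behaviour.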
Competitor Context

| CMS | API Auth | Scoped Keys | Per-Key Rate Limits | API Analytics |
| --- | --- | --- | --- | --- |
| Strapi | JWT / API key | ❌ Global only | ❌ | ❌ |
| Payload | API keys | ❌ | ❌ | ❌ |
| Directus | Static tokens / OAuth | ❌ | ❌ | ❌ |
| Contentful | Delivery/Preview/Management | ✅ Read/Write split | ❌ | Basic |
| Numen (proposed) | Sanctum + Scoped Keys | ✅ Full scoping | ✅ | ✅ |
Contentful's CDA/CMA key split is the only competitor with any scoping. We'd surpass Contentful's model significantly.
Why AI-First Makes This Better
Numen's AI pipeline can auto-detect misuse patterns:
"This key is pulling your full content catalog every 5 minutes — suggest a webhook instead"
"Key X has failed 400 auth attempts in the last hour — auto-suspend with notification"
"This integration pattern matches a content sync job — suggest dedicated sync API endpoint"
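The first two of those patterns are simple enough to express as rules over per-key request logs, which is what an AI pipeline would be trained or prompted on top of. The following Python is an added example, not Numen's pipeline: it assumes a log line shape of `<iso-timestamp> key=<id> status=<code> <METHOD> <path>` (constructed for this example), treats `/api/<resource>` as a full-collection fetch, and generates the auto-suspend and "suggest a webhook" recommendations from the text above. The sample log is constructed inline.

```python
"""Misuse-pattern detection over per-key API logs (added illustration, not Numen's
AI pipeline): auth-failure spikes per key and fixed-interval full-catalog polling."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<iso-timestamp> key=<id> status=<code> <METHOD> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) key=(?P<key>\S+) status=(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+)$")


def parse_lines(lines: list[str]) -> list[dict]:
    """Parse matching lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "key": m["key"], "status": int(m["status"]),
                       "method": m["method"], "path": m["path"].split("?")[0]})
    return events


def auth_failure_spikes(events: list[dict], threshold: int = 400,
                        window: timedelta = timedelta(hours=1)) -> dict[str, int]:
    """Per key, the largest number of 401/403 responses inside any sliding window."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["status"] in (401, 403):
            failures[e["key"]].append(e["ts"])
    spikes = {}
    for key, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes[key] = peak
    return spikes


def catalog_polling(events: list[dict], max_interval_s: float = 600,
                    min_hits: int = 5) -> dict[tuple[str, str], float]:
    """Keys that fetch a whole collection (/api/<resource>) on a near-fixed short
    cadence; returns the median interval in seconds for each (key, path)."""
    series: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        segments = [s for s in e["path"].split("/") if s]
        if e["method"] == "GET" and e["status"] == 200 and segments[:1] == ["api"] and len(segments) == 2:
            series[(e["key"], e["path"])].append(e["ts"])
    found = {}
    for (key, path), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median <= max_interval_s and all(abs(g - median) <= 0.2 * median for g in gaps):
            found[(key, path)] = median
    return found


def recommendations(lines: list[str]) -> list[str]:
    events = parse_lines(lines)
    recs = [f"{key}: {n} failed auth attempts within an hour; auto-suspend and notify the owner"
            for key, n in sorted(auth_failure_spikes(events).items())]
    recs += [f"{key}: polls {path} every {int(sec)}s; suggest a webhook instead"
             for (key, path), sec in sorted(catalog_polling(events).items())]
    return recs


# Constructed sample log: a sync job polling every 5 minutes, a key failing auth
# 400 times in under an hour, and an editor key with ordinary traffic.
_BASE = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)


def _line(offset_s: int, key: str, status: int, method: str, path: str) -> str:
    ts = (_BASE + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z")
    return f"{ts} key={key} status={status} {method} {path}"


SAMPLE_LOG = (
    [_line(i * 300, "key_sync", 200, "GET", "/api/posts?page=1") for i in range(8)]
    + [_line(i * 8, "key_bot", 401, "GET", "/api/posts") for i in range(400)]
    + [_line(i * 37, "key_editor", 200, "GET", "/api/posts") for i in range(3)]
    + [_line(50, "key_editor", 403, "DELETE", "/api/posts/7"),
       _line(120, "key_editor", 200, "GET", "/api/media")]
)

if __name__ == "__main__":
    for rec in recommendations(SAMPLE_LOG):
        print(rec)
```

Run on the constructed log, `recommendations(SAMPLE_LOG)` produces exactly two findings: `key_bot` with 400 failed auth attempts inside an hour (the suspend case) and `key_sync` fetching `/api/posts` every 300 seconds (the webhook case); the editor key's single 403 and its three irregular listings fall below both thresholds. The sliding window is what makes the failure count honest across hour boundaries, and the cadence check requires every gap to sit within 20% of the median so that a human paging through results at irregular intervals is not flagged as a sync job.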
Priority
HIGH — Enterprise sales blocker. Every B2B customer evaluating Numen will ask "can I give my agency read-only access without exposing the admin API?" Currently the answer is no.
Scope: M (Sanctum token scoping + middleware + admin UI + analytics)