API Overview
The TDC Site Builder REST API — base URL, request and response formats, error handling, and rate limits.
The TDC Site Builder REST API lets you programmatically manage workspaces, sites, pages, forms, collections, and blog content — and configure outbound webhooks. Anything you build manually in the dashboard can be automated through the API.
This section covers everything a developer needs:
Authentication
Generate a secret key and authenticate every request.
API Reference
All endpoints, grouped by resource, with examples.
Webhooks
Receive real-time event notifications on your server.
Event Types
The full catalog of webhook events and payloads.
The API and webhooks require a plan that includes API & Webhooks feature (typically the higher tiers). If your workspace doesn't include it, the API & Webhooks area shows a locked overlay. See Feature Access.
Base URL
All endpoints are served under a single versioned base URL:
https://yourapp.com/api/v1/Every path in the API Reference is relative to this base.
Request Format
- Transport: HTTPS only. Plain HTTP requests are rejected.
- Authentication: A Bearer token in the
Authorizationheader on every request. Your API key starts withtdc_. See Authentication. - Body: Send JSON with
Content-Type: application/jsonfor writing/mutation endpoints (e.g. configuring Webhooks).
curl -X POST https://yourapp.com/api/v1/webhooks \
-H "Authorization: Bearer tdc_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"workspaceId": "ws_abc123",
"name": "CRM Sync",
"url": "https://hooks.example.com/tdc",
"events": ["form.submission.created"]
}'Response Format
Successful responses return HTTP 2xx with a JSON envelope indicating ok: true. The payload is under a data key; list endpoints include a meta object with pagination details (using limit and indicating whether there is more data via hasMore).
{
"ok": true,
"data": {
"id": "site_a1b2c3",
"name": "Marketing Site",
"subdomain": "marketing-site.sites.tdcapps.com"
}
}A paginated list response:
{
"ok": true,
"data": [ { "id": "page_1" }, { "id": "page_2" } ],
"meta": {
"page": 1,
"limit": 20,
"total": 42,
"hasMore": true
}
}Error Handling
Errors return a non-2xx status and a flat JSON body containing ok: false, a machine-readable error code, and a human-readable message.
{
"ok": false,
"error": "UNAUTHORIZED",
"message": "Invalid or revoked API key."
}| Status | Code | Meaning |
|---|---|---|
400 | BAD_REQUEST | Malformed JSON, invalid query parameters, or missing required fields. |
401 | UNAUTHORIZED | Missing, malformed, or revoked API key. |
403 | FORBIDDEN | Authenticated, but your role or plan doesn't permit this action. |
404 | NOT_FOUND | The resource doesn't exist or isn't visible to your key. |
429 | RATE_LIMITED | Too many requests — slow down (see below). |
5xx | SERVER_ERROR | An unexpected error on our side. |
Always branch on the HTTP status first, then read the error string for precise handling. A 403 often means a plan or role limitation rather than a bug — see How Billing & Features Work.
Rate Limits
Requests are limited to 1,000 requests per hour, per API key. This limit is tracked using a sliding-window in-memory rate limiter per server instance.
If you send too many requests, the API returns a 429 status with the error code RATE_LIMITED. When this happens, wait a moment and try again. For apps that make lots of requests, add a delay that gets longer after each failed attempt (for example, wait 1 second, then 2, then 4, then 8—this is called "exponential backoff").