studio-api (GraphQL + GitHub webhook)
Studio owns sites, site settings, forms, email templates, assets, API keys, presence, experiments, storefront editing/building, and site AI-search controls. It manages delivery configuration; it does not serve the Commerce storefront REST API.
Runtime
| Property | Current contract |
|---|---|
| Production API origin | https://api.studio.inblack.app |
| GraphQL | POST /graphql |
| GitHub provider callback | /api/v1/webhooks/github |
| GraphQL operations | 84: 37 queries, 46 mutations, 1 subscription |
| HTTP registrations | 8 total; GraphQL, health, playground, and GitHub callback are externally classified |
studio.inblack.app is the Studio SPA origin, not the API origin.
Example
curl https://api.studio.inblack.app/graphql \ -H "Authorization: Bearer <token>" \ -H "X-Tenant-ID: <tenant-id>" \ -H "Content-Type: application/json" \ -d '{"query":"{ studioSites(limit: 5) { id domain status framework } }"}'The GraphQL mount is wrapped by Portal authorization for the Studio product. Individual operations can add feature, role, and permission requirements. See the GraphQL operation reference.
Key boundaries
- Studio administrative credentials are not storefront SDK keys.
- Internal Connect handlers for forms, API keys, and email templates use service-token auth and are excluded from public documentation.
/api/v1/webhooks/githubis an inbound provider callback, not a general-purpose customer endpoint.- Studio API-key rotation and revocation require MCP approval when performed through the agent surface, even though those tools are cataloged as T2.
Related
Loading index…