Appwrite supports multiple protocols for accessing the server, including REST, GraphQL, and Realtime. The REST API allows you to access your Appwrite server through HTTP requests without the needing an SDK. Each endpoint in the API represents a specific operation on a specific resource.


Appwrite's REST APIs expect certain headers to be included with each request:

X-Appwrite-Project: [PROJECT-ID]requiredThe ID of your Appwrite project
Content-Type: application/jsonrequiredContent type of the HTTP request. Would usually be application/json.
X-Appwrite-Key: [API-KEY]optionalAPI key used for server authentication. Your API key is a secret, do not use it in client applications.
X-Appwrite-JWT: [TOKEN]optionalToken used for JWT authentication, tokens can be generated using the Create JWT method.
X-Appwrite-Response-Format: [VERSION-NUMBER]optionalVersion number used for backward compatibility. The response will be formatted to be compatible with the provided version number. This helps Appwrite SDKs keep backward compatibility with Appwrite server API version.
X-Fallback-Cookies: [FALLBACK-COOKIES]optionalFallback cookies used in scenarios where browsers do not allow third-party cookies. Often used when there is no Custom Domain set for your Appwrite API.


Appwrite supports multiple authentication methods, including account sessions, API keys, and JWTs. The authentication method you use depends on your use case. Below are examples showing how you can authenticate using the REST API.

Client integrations

You can create account sessions with POST requests to the Account API. Sessions are persisted using secured cookies. You can learn more about session persistence in the Authentication Guide.

The example below shows creating an account session with the Create Account Session with Email endpoint.

POST /v1/account/sessions/email HTTP/1.1
Content-Type: application/json
X-Appwrite-Project: [PROJECT_ID]

  "email": "",
  "password": "password"

You can find the cookies used to persist the new session in the response headers.

Set-Cookie: a_session_61e71ec784ab035f7259_legacy=eyJ0...aSJ9; expires=Tue, 19-Dec-2023 21:26:51 GMT; path=/;; secure; httponly
Set-Cookie: a_session_61e71ec784ab035f7259=eyJ0...aSJ9; expires=Tue, 19-Dec-2023 21:26:51 GMT; path=/;; secure; httponly; samesite=None

These cookies are used in subsequent requests to authenticate the user.

GET /v1/account HTTP/1.1
Cookie: a_session_61e71ec784ab035f7259_legacy=eyJ0...aSJ9; a_session_61e71ec784ab035f7259=eyJ0...aSJ9
Content-Type: application/json
X-Appwrite-Project: [PROJECT_ID]

Server integrations

Server integrations use API keys to authenticate and are typically used for backend applications.

Server APIs are authenticated with API keys instead of account sessions. Simply pass an API key in the X-Appwrite-key: [API-KEY] header with the appropriate scopes.

GET /v1/databases/{databaseId}/collections/{collectionId}/documents HTTP/1.1
Content-Type: application/json
X-Appwrite-Project: [PROJECT_ID]
X-Appwrite-Key: [API_KEY]


JWT authentication is frequently used by server applications to act on behalf of a user. Users generate tokens using the Create JWT endpoint. When issuing requests authenticated with a JWT, Appwrite will treat the request like it is from the authenticated user.

GET /v1/account HTTP/1.1
Content-Type: application/json
X-Appwrite-Project: [PROJECT_ID]
X-Appwrite-JWT: [TOKEN]


Appwrite implements resumable, chunked uploads for files larger than 5MB. Chunked uploads send files in chunks of 5MB to reduce memory footprint and increase resilience when handling large files. Appwrite SDKs will automatically handle chunked uploads, but it is possible to implement this with the REST API directly.

Upload endpoints in Appwrite, such as [Create File] (/docs/references/cloud/client-web/storage#createFile) and [Create Deployment] (/docs/references/cloud/server-nodejs/functions#createDeployment), are different from other endpoints. These endpoints take multipart form data instead of JSON data. To implement chunked uploads, you will need to implement the following headers. If you wish, this logic is already available in any of the Appwrite SDKs.

X-Appwrite-Project: [PROJECT-ID]requiredThe ID of your Appwrite project
Content-Type: multipart/form-data; boundary=[FORM-BOUNDARY]requiredContains the content type of the HTTP request and provides a boundary that is used to parse the form data.
Content-Range: bytes [BYTE-RANGE]requiredContains information about which bytes are being transmitted in this chunk, with the format [FIRST-BYTE]-[LAST-BYTE]/[TOTAL-BYTES].
X-Appwrite-ID: [FILE-ID]requiredContains ID of the file this chunk belongs to.
X-Appwrite-Key: [API-KEY]optionalAPI key used for server authentication. Your API key is a secret, do not use it in client applications.

The multipart form data is structured as follows:

KeyValueFile NameDescription
fileIdoptional[FILE-ID]N/AContains the file ID of the new file. Only used by file chunks following the first chunk uploaded.
filerequired[CHUNK-DATA][FILE-NAME]Contains file chunk data.
permissionsrequired[PERMISSION ARRAY]N/AContains an array of permission strings about who can access the new file.

While cURL and fetch are great tools to explore other REST endpoints, it's impractical to use for chunked file uploads because you need to split files into chunks.

The multipart form data posted to file upload endpoints have the following format:

POST /v1/storage/buckets/default/files HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye0m6iNBQNHlzTpVM
X-Appwrite-Project: demo-project
Content-Range: bytes 10485760-12582912/12582912
X-Appwrite-ID: 6369b0bc1dcf4ff59051

Content-Disposition: form-data; name="fileId"

Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: application/octet-stream

Content-Disposition: form-data; name="permissions[]"



Some use cases do not allow custom headers, such as embedding images from Appwrite in HTML. In these cases, you can provide the Appwrite project ID using the query parameter project.

<img src="[ENDPOINT]/v1/storage/buckets/[BUCKET_ID]/files/[FILE_ID]/preview?project=[PROJECT_ID]"/>


Appwrite SDKs have helpers to generate permission string formats, but when using Appwrite without SDKs, you'd need to create the strings yourself.

Query methodAPI string"[PERMISSION_ROLE]")


Appwrite SDKs have helpers to generate roles string formats, but when using Appwrite without SDKs, you'd need to create the strings yourself.

Role methodAPI string
Role.user([USER_ID], [STATUS])user:[USER_ID]/[STATUS][TEAM_ID])team:[TEAM_ID][TEAM_ID], [ROLE])team:[TEAM_ID]/[ROLE]

Unique ID

Appwrite's SDKs have a helper ID.unique() to generate unique IDs. When using Appwrite without an SDK, pass the string "unique()" into the ID parameter.


Appwrite's SDKs provide a Query class to generate query strings. When using Appwrite without an SDK, you can template your own strings with the format below.

Query strings are passed to Appwrite using the queries parameter. You can attach multiple query strings by including the array parameter multiple times in the query string: queries[]="..."&queries[]="..."

Query methodAPI string
equalequal("attribute", [value])
notEqualnotEqual("attribute", [value])
lessThanlessThan("attribute", [value])
lessThanEquallessThanEqual("attribute", [value])
greaterThangreaterThan("attribute", [value])
greaterThanEqualgreaterThanEqual("attribute", [value])
betweenbetween("attribute", lowerBound, upperBound)
startsWithstartsWith("attribute", [value])
endsWithendsWith("attribute", [value])
searchsearch("attribute", [value])
Best practice

When using greater than, greater than or equal to, less than, or less than or equal to, it is not recommended to pass in multiple values. While the API will accept multiple values and return results with or logic, it's best practice to pass in only one value for performance reasons.

Rate limits

Appwrite's REST APIs are protected by the same rate limit policies, just like when using an SDK. Each API has a different rate limit, which is documented in the References section of each service in the Appwrite documentation.

Learn more about Rate Limits.


Appwrite provides a full REST API specification in the OpenAPI 3 and Swagger 2 formats every release. These can be accessed through Appwrite's GitHub repository and rendered using a variety of parsers and tools.

Find the REST API specification for your Appwrite version.