A First Look at Enonic XP 8

At the latest Enonic Meetup, architect Sergey gave the community a first-ever live demo of Enonic XP 8—an exciting leap forward for developers building secure, modern, and flexible web solutions.

From the new universal API layer to runtime features like virtual host context injection, XP 8 is packed with improvements that streamline development while tightening control and security.

See the presentation:

Why XP 8 Is a Big Deal

Until now, XP developers have worked with APIs through services, endpoints, and frameworks like Guillotine.

While powerful, these patterns often required implicit understanding of how XP was wired. In XP 8, API development becomes a first-class, explicit feature.

At the heart of this is the new /api endpoint—a dedicated, discoverable, and secure entry point for all things API. You can now browse, consume, and expose APIs just like any modern platform.

And if you’re building headless, embedded tools, or hybrid frontends, this is going to feel like a huge quality-of-life upgrade.

Say Hello to the Universal API

The Universal API is one of the cornerstones of XP 8. Instead of scattering APIs across service endpoints and custom paths, XP 8 introduces a unified interface:

• Browse all available APIs via /api
• Each app or site can mount its own APIs modularly
• APIs can be scoped to sites, admin tools, or web apps
• Access is secure by default—nothing is exposed unless explicitly configured

This approach provides clean separation and visibility. For instance, the Guillotine GraphQL API now lives comfortably under /api/guillotine, and you can define custom APIs like /api/myapp/hello.

Need JSON introspection? XP 8 offers a /api.json endpoint too, so API discovery can be automated or integrated into tooling.

Hands-On: Secure APIs with Granular Control

Sergey showed how easy it is to define and expose custom APIs. You write a descriptor and a controller, like in previous versions—but now it lives in a dedicated apis/ folder. After deployment, your endpoint becomes visible under /api/your-app/your-api.

But here's the twist: it doesn’t work until you make it available. In XP 8, exposing an API is a deliberate act. You must mount it either globally or per site, and it won’t respond to requests unless allowed. This defensive posture prevents accidental leaks and reinforces best practices from day one.

Even more powerful: you can now mount APIs on specific sites, with support for path scoping via the _ (underscore) path. This lets you build multi-tenant or region-specific APIs without muddying the global namespace.

Virtual Host Context: Timezone-Aware APIs (and Beyond)

XP 8 also introduces a feature called virtual host context injection. Imagine you're serving localized versions of your site in different countries. With XP 8, you can inject attributes like timezone, region, or language directly into the request context—based on domain or host mapping.

This means your APIs and applications can respond dynamically to regional needs without hardcoding logic or building complex routing trees.

For example, a GET /api/time request could return a localized timestamp based on whether the visitor came from api.example.no or api.example.us.

And There’s More on the Way

XP 8 won’t stop at universal APIs and virtual host context. Sergey teased several features already in the works:

• Node patching: Update content programmatically without publishing it
• Granular permission management: Modify access rules without needing to publish nodes
• New Content Studio integration: Fully embracing the updated APIs and workflow enhancements
• Modular reuse of APIs: Add existing APIs like Guillotine to sites with simple mounting
• Enhanced developer ergonomics: XP 8’s tooling feels faster and more intuitive throughout

Built for Developers, Secure by Design

Enonic XP 8 signals a strong shift toward modularity, security, and developer clarity. Whether you’re building modern front-ends with React4XP, deploying headless content APIs, or creating internal tools with admin endpoints, XP 8 provides a consistent, transparent, and scalable architecture.

From GraphQL to REST, from custom business logic to multi-site data delivery, the Universal API system allows developers to build more while worrying less.

XP 8 is still under development, but already functional. Your feedback is welcome. This is your platform—shaped by your needs.