Contentstack Vibe Docs

Out of the box, an agent will confidently write Contentstack code that points at the wrong region, mixes SDK versions, or invents an endpoint that doesn't exist. Vibe docs sit next to your agent and load only what's relevant: 34 reference files covering REST, GraphQL, CMA, Image Delivery, both TypeScript SDKs, Live Preview, OAuth, and the framework patterns for Next.js, Nuxt, and Gatsby.

One install, every major coding agent: Claude Code, Cursor, GitHub Copilot, Windsurf, Cline, Codex, Gemini CLI, and 25+ more.

Contribute on GitHub

One command, every agent

The skills CLI auto-detects the agents you have installed and wires up vibe docs for all of them. No per-tool config, no manual file copying.

For any Agent

npx skills add contentstack/contentstack-vibe-docs

npx skills add contentstack/contentstack-vibe-docs

Already installed? Check for updates with

npx skills check
npx skills update

npx skills check
npx skills update

The deliberate way

If you'd rather install for one specific agent, or your tool has its own native install path, pick yours below.

Claude Code

claude skill add contentstack/contentstack-vibe-docs

claude skill add contentstack/contentstack-vibe-docs

Cursor

npx skills add contentstack/contentstack-vibe-docs -a cursor
GitHub Copilot

npx skills add contentstack/contentstack-vibe-docs -a cursor
GitHub Copilot

Find more ways to install.

About Contentstack Vibe Docs

AI agents know about Contentstack but they often don't know which endpoint serves your region, the difference between ssr: true and ssr: false in Live Preview, or what's actually in the current SDK. The official documentation is thorough, and far too large for an agent to load in one go.

Vibe docs are condensed, AI-optimized references that load on demand. Thirty-four reference files in total, but the agent never reads all of them. The skill works in three stages:

Discovery the agent sees the skill name and description.
Activation the agent reads the routing table and decision helpers.
Execution the agent reads 1–3 targeted reference files on demand.

"/contentstack-vibe-docs add live preview to my Next.js app"
→ Agent loads SKILL.md         (routing table, ~3,500 tokens)
→ Reads live-preview/concepts  (how Live Preview works)
→ Reads live-preview/ssr-mode  (SSR implementation)
→ Reads frameworks/nextjs      (Next.js patterns)
→ Implements with correct code"/contentstack-vibe-docs add live preview to my Next.js app"
→ Agent loads SKILL.md         (routing table, ~3,500 tokens)
→ Reads live-preview/concepts  (how Live Preview works)
→ Reads live-preview/ssr-mode  (SSR implementation)
→ Reads frameworks/nextjs      (Next.js patterns)
→ Implements with correct code

What's covered

Thirty-four reference files across APIs, SDKs, Live Preview, frameworks, authentication, extensions, and regions. The agent's routing table picks the 1–3 files it needs for any given task.

Topic	Details
APIs	REST, GraphQL, Content Management, Image Delivery
SDKs	TypeScript Delivery SDK, Management SDK
Live Preview	CSR mode (postMessage), SSR mode (per-request factory), Visual Builder, debugging
Frameworks	Next.js, Nuxt, Gatsby
Authentication	OAuth with Auth.js, token types, roles & permissions
Workflows	Webhooks, releases, content workflows, branches & aliases, environments
Personalization	Variants and Personalize SDK
Extensions	CLI plugins, Developer Hub apps, Launch deployments
Regions	US, EU, AU, Azure NA/EU, GCP NA/EU

Security built in

Credential handling rules are embedded in the skill itself, not bolted on as an afterthought. Your agent gets the same security instincts a senior engineer would, by default, every time, on every project.

Credentials never leak

Agents are eager to be helpful, which is exactly the problem. Without guardrails they'll happily hardcode an API key into a file or paste a Management Token into a frontend component. Vibe docs rewires that instinct.

Environment variables only. The agent is instructed to write process.env.CONTENTSTACK_API_KEY, never the literal value, never a placeholder it might forget to swap out later.
Token paste detection. If you accidentally paste a real token into the chat, the agent flags it, suggests rotation, and refuses to use it inline.
Server-side enforcement. Management Tokens are flagged as server-side only. The agent will refuse to put them in client-side code, even if you ask.
.env stays local. The agent is instructed never to commit .env files or write them into examples that might be copied into a repo.

Patterns get caught early

Most security failures aren't dramatic, they're someone using the wrong token type, hitting the wrong endpoint, or mixing SDK patterns in a way that quietly leaks data. Vibe docs catches the boring stuff before it ships.

Red Flags checklist. A dedicated section in the skill lists specific anti-patterns the agent must refuse, from hardcoding secrets to mixing Delivery and Management SDK patterns incorrectly.
Questions before code. The agent is guided to ask about region, environment, and token type before writing anything. The right pattern depends on the answer, and getting it wrong is expensive to undo.
Token type guidance. Delivery, Preview, Management, Authtoken, OAuth: the skill knows when each is appropriate and which one to refuse outright for the task at hand.
Region awareness. Wrong-region credentials silently fail or hit the wrong data. The skill checks for region context and writes code that works on the stack you're actually using.

Important Resources

Want to know something specific? Read up on our official docs, browse the academy or join the community.

ChatGPT Image Feb 25, 2026, 03_29_51 PM.png

Contentstack agent skills security policy

This policy defines the minimum security requirements for building, publishing, and maintaining Agent Skills within the Contentstack ecosystem. It protects users, content, and systems from prompt injection, unsafe markdown rendering, and model hallucinations.

aisecurity

BLOG•Feb 25, 2026

ChatGPT Image Feb 20, 2026, 04_16_11 PM.png

Agents are users now and this website is ready

AI assistants are now part of every developer's workflow. This post covers why we built developers.contentstack.com to serve both humans and agents, and how to connect any MCP-capable client to start building on top of it in minutes.

aiapimcp...

BLOG•Feb 23, 2026

The future of software is bespoke

This article explores why generic SaaS dashboards are becoming outdated as modern APIs, SDKs, scaffolding, and AI-assisted development enable teams to quickly build bespoke interfaces tailored to their exact workflows. It discusses how platforms should provide core infrastructure while teams take ownership of the experience layer, and examines both the benefits and trade-offs of this new paradigm.

aisdkapi...

BLOG•Mar 25, 2026

Plot twist! AI made developers more valuable.

This article challenges the common belief that AI will replace developers, suggesting instead that AI actually increases developers' value by boosting their productivity and exposing inefficiencies in non-technical roles. The real organizational shift is towards reducing layers between problems and code, making developers more essential than ever.

aiopinion

BLOG•Feb 4, 2026