API Reference
Pebble provides PHP endpoints for content management and a JavaScript API for frontend integration.
PHP Endpoints
All endpoints are located in your pebble/ directory. POST endpoints require CSRF token validation.
Authentication
POST pebble/auth.php
| Action | Parameters | Description |
|---|---|---|
| check_auth | None | Check if current session is authenticated |
| authenticate | authKey OR username + password | Login with credentials |
| logout | None | Destroy session and logout |
Content Loading
GET pebble/load.php (Public - no auth required)
| Parameter | Type | Description |
|---|---|---|
| id | string | Pebble ID to load |
| shared | boolean | Whether to load from shared content directory |
Content Saving
POST pebble/save.php (Auth required)
| Parameter | Type | Description |
|---|---|---|
| id | string | Pebble ID (alphanumeric, hyphens, underscores) |
| html | string | Content to save |
| shared | boolean | Save to shared directory |
| csrf_token | string | CSRF token from session |
Image Upload
POST pebble/upload.php (Auth required)
Accepts multipart form data with an image file. Automatically:
- Validates file type (JPEG, PNG, GIF, WebP)
- Resizes to max 2000x2000px while maintaining aspect ratio
- Compresses for web (JPEG 75%, PNG level 9)
- Returns the new image path
Content Deletion
POST pebble/delete.php (Auth required)
| Parameter | Type | Description |
|---|---|---|
| id | string | Pebble ID to delete |
| shared | boolean | Delete from shared directory |
Deleted content is moved to trash, not permanently removed.
Control Panel
POST pebble/admin.php (Auth required)
| Action | Description |
|---|---|
| get_stats | Content/storage/trash counts |
| get_system_info | PHP version, GD, Zip, disk space |
| check_updates | Check for new Pebble versions |
| list_content | List all content items |
| list_trash | List deleted items |
| restore_trash | Restore deleted item |
| delete_trash_item | Permanently delete |
| empty_trash | Clear all trash |
| get_activity_log | Get activity log entries |
| clear_logs | Clear activity log |
| update_auth | Change password/auth key |
| list_users | List all users (Admin only, Pro) |
| add_user | Create new user (Admin only, Pro) |
| update_user | Update user role/password (Admin only, Pro) |
| delete_user | Remove user (Admin only, Pro) |
| get_settings | Get activity log settings |
| save_settings | Save activity log settings |
Backup Management
POST pebble/backup.php (Auth required)
| Action | Description |
|---|---|
| list | List available backups |
| create | Create new backup ZIP |
| download | Download backup file |
| restore | Restore from backup |
| delete | Delete backup file |
| get_retention | Get auto-delete days setting |
| set_retention | Set auto-delete days |
Pro Endpoints
Zone Content
GET pebble/pro/zone-load.php (Public)
Load zone blocks as JSON with Quill Delta format.
POST pebble/pro/zone-save.php (Auth + License required)
Save zone blocks. Requires valid Pro license.
Repeatable Content
GET pebble/pro/repeatable.php?action=load&id=:id
Load repeatable items array.
POST pebble/pro/repeatable.php (Auth + License required)
Save repeatable items. Requires valid Pro license.
JavaScript API
The global window.Pebble object provides access to core functionality:
```javascript
// Check authentication status
Pebble.isAuthenticated() // Returns boolean

// Get CSRF token for custom requests
Pebble.getCSRFToken() // Returns token string

// Show notification toast
Pebble.showNotification(message, type) // type: 'success', 'error', 'info'

// Save content programmatically
Pebble.save(id, html, shared) // Returns Promise

// Load content programmatically
Pebble.load(id, shared) // Returns Promise
```
Data Attributes
Core Pebbles
| Attribute | Value | Description |
|---|---|---|
| data-pebble | string | Unique pebble ID (required) |
| data-pebble-type | "text" \| "image" \| "link" | Content type (default: text) |
| data-pebble-shared | "true" \| "false" | Shared across pages |
Zones (Pro)
| Attribute | Value | Description |
|---|---|---|
| data-pebble-zone | string | Zone ID (required) |
| data-zone-toolbar | string | Custom toolbar (e.g., "bold,italic,link,h3") |
Available toolbar options: bold, italic, underline, h2, h3, list, link
Repeatables (Pro)
| Attribute | Value | Description |
|---|---|---|
| data-pebble-repeat | string | Repeatable container ID |
| data-pebble-repeat-item | - | Marks existing items |
| data-pebble-repeat-template | - | Hidden template for new items |
| data-pebble-repeat-min | number | Minimum items (default: 1) |
| data-pebble-repeat-max | number | Maximum items (default: 10) |
| data-pebble-repeat-clone | "true" \| "false" | Show clone button (default: true) |
Supported Pebble Types in Repeatables
Inside repeatable items, you can use any pebble type:
- data-pebble="id" - Plain text (default)
- data-pebble-type="rich" - Rich text with bold/italic/link
- data-pebble-type="image" - Uploadable images
- data-pebble-type="link" - Editable link (text + URL)
Configuration Reference
All settings are defined in config.php. Key settings:
Authentication
| Constant | Default | Description |
|---|---|---|
| PEBBLE_AUTH_KEY | - | 32-char auth key for login |
| PEBBLE_AUTH_USERNAME | - | Optional username (requires password) |
| PEBBLE_AUTH_PASSWORD | - | Optional password (requires username) |
| PEBBLE_AUTO_LOGOUT_MINUTES | 30 | Inactivity timeout (0 to disable) |
Pro Features
| Constant | Default | Description |
|---|---|---|
| PEBBLE_WHITE_LABEL | false | Hide Pebble branding |
| PEBBLE_CP_SHOW_MEDIA | true | Show Media tab in CP |
| PEBBLE_CP_SHOW_USERS | true | Show Users tab in CP |
| PEBBLE_CP_SHOW_BACKUPS | true | Show Backups tab in CP |
| PEBBLE_CP_SHOW_ACTIVITY | true | Show Activity tab in CP |
| PEBBLE_CP_SHOW_SETTINGS | true | Show Settings tab in CP |
Other Settings
| Constant | Default | Description |
|---|---|---|
| PEBBLE_TIMEZONE | 'auto' | Timezone for timestamps |
| PEBBLE_MAX_UPLOAD_SIZE | 10MB | Max upload file size |
| PEBBLE_MAX_IMAGE_WIDTH | 1920 | Max image width (px) |
| PEBBLE_JPEG_QUALITY | 85 | JPEG compression (1-100) |
| PEBBLE_BACKUP_RETENTION_DAYS | 30 | Auto-delete old backups |
| PEBBLE_ACTIVITY_LOG_MAX_ENTRIES | 500 | Max log entries (0=unlimited) |
| PEBBLE_DISABLE_UPDATE_CHECK | false | Disable version check telemetry |
Storage Structure
Pebble stores content in flat files under pebble/data/:
```
pebble/data/
  content/     # Page-specific content (id.html)
  shared/      # Site-wide content (id.html)
  zones/       # Zone blocks (id.json)
  repeatable/  # Repeatable arrays (id.json)
  uploads/     # Optimized images
  trash/       # Deleted items with timestamps
  backups/     # ZIP backup files
```
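How the documented ID rule (alphanumeric, hyphens, underscores) and the `shared` flag can map a request onto this layout without leaving it, as an added Node.js example rather than Pebble's own PHP code. The function names, the 64-character length cap, and the strict "true"/"false" parsing are assumptions.

```javascript
// Added illustration in Node.js; not Pebble's own (PHP) code.
const path = require('node:path');

const DATA_ROOT = 'pebble/data';        // root of the documented storage tree
const ID_PATTERN = /^[A-Za-z0-9_-]+$/;  // alphanumeric, hyphens, underscores
const MAX_ID_LENGTH = 64;               // assumed cap; the docs state none

// Accept only explicit booleans: the string "false" is truthy in JS and PHP.
function parseSharedFlag(value) {
  if (value === undefined || value === false || value === 'false') return false;
  if (value === true || value === 'true') return true;
  throw new Error('shared must be true or false');
}

// Map a request's id/shared pair to its flat file, rejecting anything else.
function resolveContentPath(id, shared) {
  if (typeof id !== 'string' || id.length > MAX_ID_LENGTH || !ID_PATTERN.test(id)) {
    throw new Error('invalid pebble id');
  }
  const dir = path.posix.join(DATA_ROOT, parseSharedFlag(shared) ? 'shared' : 'content');
  const file = path.posix.join(dir, id + '.html');
  // Defense in depth: the result must sit directly inside the chosen directory.
  if (path.posix.dirname(file) !== dir) throw new Error('path escapes data directory');
  return file;
}

// Non-throwing wrapper for request handlers (hypothetical helper).
function tryResolve(id, shared) {
  try {
    return { ok: true, path: resolveContentPath(id, shared) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```
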
CSRF Protection
All POST requests that modify data require a CSRF token. The token is:
- Generated per session (32 bytes, cryptographically random)
- Validated with timing-safe comparison
- Required on: save, delete, backup, and admin operations
Get the token from your session or via JavaScript:
```javascript
const token = Pebble.getCSRFToken();

// Include in your requests
fetch('/pebble/save.php', {
  method: 'POST',
  body: JSON.stringify({
    id: 'my-pebble',
    html: 'New content',
    csrf_token: token
  })
});
```
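The token properties listed above (32 random bytes per session, timing-safe validation, required on state-changing POSTs), sketched server-side as an added Node.js example; this is not Pebble's own PHP code. The `session` object, the hex encoding, and the 401/403 status values are assumptions for illustration.

```javascript
// Added illustration in Node.js; not Pebble's own (PHP) code.
const crypto = require('node:crypto');

const TOKEN_BYTES = 32; // token size stated in the docs

// Create the token once per session and reuse it afterwards.
// `session` is a hypothetical per-session object; hex encoding is assumed.
function issueCsrfToken(session) {
  if (!session.csrfToken) {
    session.csrfToken = crypto.randomBytes(TOKEN_BYTES).toString('hex');
  }
  return session.csrfToken;
}

// Timing-safe check of a submitted token against the session's token.
function verifyCsrfToken(session, submitted) {
  const expected = session.csrfToken;
  if (typeof expected !== 'string' || typeof submitted !== 'string') {
    return false; // no session token yet, or token missing from the request
  }
  // timingSafeEqual throws on unequal lengths, so compare fixed-size digests.
  const a = crypto.createHash('sha256').update(expected).digest();
  const b = crypto.createHash('sha256').update(submitted).digest();
  return crypto.timingSafeEqual(a, b);
}

// Gate for a state-changing POST handler: reject before touching any data.
// Status codes are assumed; the docs do not list Pebble's responses.
function guardPost(session, params) {
  if (!session.authenticated) return { status: 401, error: 'auth required' };
  if (!verifyCsrfToken(session, params.csrf_token)) {
    return { status: 403, error: 'invalid CSRF token' };
  }
  return { status: 200 };
}
```
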
Next Steps
- Usage Guide - Learn how to use data attributes
- Security - Authentication and protection
- Troubleshooting - Common issues