Contentstack: behind the "Contact us" wall on a 2026 enterprise headless CMS
Contentstack is the kind of headless CMS where a team scouting it can't actually scout it without being routed to a salesperson. We spent an hour trying to do the basic things — find the price, start a trial, hit the API — the way a developer comparing five tools would. The interesting part isn't a bug: it's that almost every signal a developer uses to size up a tool has been replaced with a sales funnel. Here's the friction we hit, the verbatim error JSON we pulled out of the real Content Delivery API, and where the product fits next to the open-source headless CMSes we already self-host.
We're the team behind SimpleReview, a Chrome extension that drafts code-fix PRs on whatever element you click on a broken admin or storefront. We are not affiliated with Contentstack, not partners, not customers. This page is a scouting note from one real evaluation session on 2026-05-07: public pricing page, public docs, the actual cdn.contentstack.io endpoint with a real curl. We did not buy a seat or sit through a demo call. If we got something wrong, open a GitHub issue and we'll fix it.
Friction 1 — the pricing page is not a pricing page
The first move on any vendor evaluation is to open /pricing. With most enterprise SaaS the page is at minimum a tiered table with two visible numbers and a third "Enterprise: contact us" column. With Contentstack the URL https://www.contentstack.com/pricing resolves, but the entire page below the header is one product pitch and one button:
https://www.contentstack.com/pricing via headless Chrome at 992×558. Headline reads "We have the right solution for you"; the only call-to-action visible above the fold is "Contact us". No tier names, no monthly amount, no seat count.
Below the fold the page lists capabilities of the "Contentstack AXP" bundle — Headless CMS, personalization engine, real-time data activation, no-code agents and automations, brand-aware AI, AI writing assistant, visual builder, granular permissions, custom workflows, integrated app and front-end hosting. None of those features carry a price tag, a usage limit, or a tier badge. The CTAs that replace numbers are Request demo, Start free, and Contact us.
If you're trying to put Contentstack into a five-tool comparison spreadsheet on a Tuesday afternoon, you cannot. There is no "Starter $X / Growth $Y" table. There is no per-API-call cost. There is no per-seat cost. The only number-shaped artifact on the public side is a 14-day-or-so free trial that the marketing site implies but doesn't actually let you self-start (more on that below).
Friction 2 — "Start free" routes to a login, not a signup
The marketing nav has a "Start free" link. We followed it. The destination — https://app.contentstack.com/#!/signup — returns HTTP 200, but the rendered page is a login form with a "Log in to Contentstack" headline, an email field, a password field, and a banner advertising ContentCon 2026. There is no visible "Create account" form on the path the marketing site sends you down. Switching to /start-free on the marketing domain returns a 404.
$ curl -sI -L -o /dev/null \
-w "%{http_code} %{url_effective}\n" \
https://www.contentstack.com/start-free
404 https://www.contentstack.com/start-free
$ curl -sI -L -o /dev/null \
-w "%{http_code} %{url_effective}\n" \
"https://app.contentstack.com/#!/signup"
200 https://app.contentstack.com/#!/signup
The 200 above is the login page; the URL fragment #!/signup is client-side, and on this date the SPA does not surface a self-serve registration step from a logged-out state. The path that does work in practice is the demo-request form, which collects company name, role, country, phone, and use case before anyone gets near a sandbox. That's a deliberate choice — Contentstack's go-to-market is enterprise-sales-led — but it's worth knowing before you tell your team "I'll spin one up tonight and report back."
Friction 3 — the AI push, decoded
"Contentstack AI" is the loudest line on the marketing site as of May 2026. Their pitch surfaces three things: brand-aware AI (a writing assistant that respects your tone-of-voice settings), no-code agents and automations (workflows that can call LLMs without writing code), and the freshly-launched ContentCon 2026 banner about an "agentic foundation." A persistent ribbon at the top of every public page reads "Building your agentic foundation | Save your spot!" — pointing at the conference, not at a feature page. Behind that, the substance we could verify in public docs is:
- An "Ask AI" widget on the docs site itself (visible in the top-right of every developer page) — a RAG-over-docs chat assistant.
- A "Copy for LLM" and "View as Markdown" button on every API-reference page, which is a quietly useful change because it means you can paste their docs straight into your IDE assistant or Claude/ChatGPT without scraping HTML.
- An "AI writing assistant" inside the editor — extant but gated behind the same "Request demo" wall as the rest of the product.
contentstack.com/docs/developers/apis/content-delivery-api, captured 2026-05-07. Note the "Copy for LLM" / "View as Markdown" affordances next to the breadcrumbs — concrete, useful, and rare on enterprise docs sites.
Net: if you strip the conference marketing, the developer-facing AI surface is a chat-over-docs and an LLM-friendly export. Both are genuinely good ideas other vendors should copy. The "agentic" framing on the marketing site is selling something further out — an event, plus a roadmap — and the gap between the conference language and what's shippable today is a thing to watch for, not against.
What the API actually does — one real call
The pricing page can hide numbers; the production API cannot. The Content Delivery API at cdn.contentstack.io is a public-facing CDN; you can hit it without an account and observe its real behaviour (you'll just get an error, but that's the point — the error itself is documentation).
$ curl -sI \
"https://cdn.contentstack.io/v3/content_types/page/entries" \
-H "api_key: invalid" \
-H "access_token: invalid"
HTTP/2 412
date: Thu, 07 May 2026 15:23:40 GMT
content-type: application/json
x-runtime: 2ms
cf-ray: 9f813a26682ad2c6-FRA
server: cloudflare
strict-transport-security: max-age=31557600
vary: x-cs-variant-uid, branch, api_key, access_token
x-served-by: FRA
x-request-id: cb9cc2ca-17c6-411d-a18b-9940a24fc1d9
Body of the response, verbatim:
{
"error_message": "We can't find that Stack. Please try again.",
"error_code": 109,
"errors": {
"api_key": ["is not valid."]
}
}
That is a clean, well-shaped error. error_code: 109 is documented, the human message names the right entity ("Stack"), the field-level errors object tells you which header was rejected. The x-runtime: 2ms means the validation happened at the edge — Cloudflare-fronted, served from the FRA POP (we're on a Frankfurt-region box), with proper strict-transport-security. The vary header is correctly listing every key that affects the cached representation, including api_key and branch. As CDNs go, this one is wired with care.
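The checks described above, run over the captured response, as an added example that is not part of the original scouting note or any Contentstack code. It parses the status line, the field-level error and the two headers discussed (vary and strict-transport-security); the function names and the choice of checks are assumptions made for illustration.

```python
import json

# Constructed sample: a subset of the header lines and the body from the capture above.
RAW_HEAD = """HTTP/2 412
content-type: application/json
strict-transport-security: max-age=31557600
vary: x-cs-variant-uid, branch, api_key, access_token
"""
RAW_BODY = """{"error_message": "We can't find that Stack. Please try again.",
 "error_code": 109, "errors": {"api_key": ["is not valid."]}}"""

AUTH_HEADERS = ("api_key", "access_token")  # the two CDA auth headers the page names

def parse_head(raw):
    """Split a `curl -sI` dump into (status, {lowercased name: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value):
    """Return max-age in seconds (None if absent) and the includeSubDomains flag."""
    max_age, subdomains = None, False
    for part in (p.strip().lower() for p in value.split(";")):
        if part.startswith("max-age="):
            max_age = int(part.split("=", 1)[1].strip('"'))
        elif part == "includesubdomains":
            subdomains = True
    return {"max_age": max_age, "include_subdomains": subdomains}

def review(raw_head, raw_body):
    """Summarise the points a reviewer would check on this error response."""
    status, headers = parse_head(raw_head)
    vary = {v.strip().lower() for v in headers.get("vary", "").split(",")}
    body = json.loads(raw_body)
    return {
        "status": status,
        "error_code": body.get("error_code"),
        "rejected_fields": sorted(body.get("errors", {})),
        # A credential header absent from Vary lets a cache key two callers
        # with different credentials to the same stored response.
        "auth_not_in_vary": [h for h in AUTH_HEADERS if h not in vary],
        "hsts": parse_hsts(headers.get("strict-transport-security", "")),
    }

if __name__ == "__main__":
    print(json.dumps(review(RAW_HEAD, RAW_BODY), indent=2))
```

On the capture from this page, `auth_not_in_vary` comes back empty and the HSTS policy is reported with its max-age and no includeSubDomains directive.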
The CDA region map is also fully public — you can pick a stack region and the CDN host follows:
| Region | CDN host |
|---|---|
| AWS North America (default) | cdn.contentstack.io |
| AWS EU | eu-cdn.contentstack.com |
| AWS AU | au-cdn.contentstack.com |
| Azure NA | azure-na-cdn.contentstack.com |
| Azure EU | azure-eu-cdn.contentstack.com |
| GCP NA | gcp-na-cdn.contentstack.com |
| GCP EU | gcp-eu-cdn.contentstack.com |
Per the public docs the CDA is on API version 3.0.0; origin-server requests are rate-limited at "80 requests per second per organization" and CDN-cached responses are uncapped. Authentication is two headers — the stack api_key plus an environment-bound access_token. The endpoint surface a developer actually uses is small and predictable: GET /v3/content_types, GET /v3/content_types/{uid}/entries, GET /v3/content_types/{uid}/entries/{entry_uid}, GET /v3/assets, GET /v3/assets/{asset_uid}. None of that is groundbreaking — it's the canonical headless-CMS shape — but it's clean.
Honestly, next to Strapi / Directus / Payload
We've done the same scouting walk on the open-source side — Strapi, Directus, Payload — and the contrast is the article. With each of those three, in under ten minutes you can docker run the stack, log in with a default admin account, define a content type, and curl an entry. The first ten minutes of Contentstack are a sales form. That is the trade.
| Dimension | Contentstack (this scout) | Strapi / Directus / Payload |
|---|---|---|
| Time to first curl against your own data | Behind a sales call. No public sandbox URL we found. | ~10 minutes from docker run to authenticated GET. |
| Public pricing | "Contact us" only. No tier table, no per-call number. | Self-host: free. Cloud tiers: published numbers per project/seat. |
| Multi-region delivery | 7 region URLs across AWS / Azure / GCP, fronted by Cloudflare. | Whatever you put in front of the container. CDN is your job. |
| Compliance posture | SOC 2, ISO 27001, HIPAA available — sold via account managers. | You inherit your own posture. Audit reports require legal work. |
| AI-in-the-editor | Brand-aware writing assistant, agent workflows — gated. | BYO LLM via plugins / hooks. Friction higher, control complete. |
| "Copy for LLM" on docs | Yes — every API-reference page exposes Markdown export. | Strapi / Directus / Payload: docs are MDX in their repos. git clone = same outcome. |
| Vendor lock-in | High. Content lives in their stack; export tooling exists but you're a customer. | Low. The DB is yours. Migration is a SQL dump. |
None of this is a verdict on which is "better." If you're a Fortune-500 retail brand that needs a SOC 2 / ISO 27001 vendor with eight regional POPs and a personalization engine that the legal team will let near customer data, the open-source three are not a like-for-like replacement and Contentstack's wall isn't the wall — the wall is the procurement wall, which would exist regardless. If you're a six-person startup picking the headless CMS your engineers will own end-to-end, the inability to docker run Contentstack on Tuesday night is a real problem and the open-source three are a better fit. The honest take is: Contentstack is sold to a buyer who isn't a developer, and its public surface is shaped accordingly.
Things we'd change
- Publish at least one number on /pricing. "Starts at $X / month for Y entries / Z requests" is enough to land on a comparison shortlist. The current page won't make a shortlist a developer is filling out.
- Make "Start free" actually self-serve. A scoped sandbox stack that survives 14 days, with no demo-request gate, would let evaluators write a real integration before any phone call. Most enterprise headless CMSes (incl. Hygraph, Sanity) already do this.
- Land the "agentic" page before the conference. The top-of-page banner promises a future state; a current-state page enumerating what the AI features do today (with an example workflow JSON, not just video) would close the gap.
- Keep "Copy for LLM" on every doc page. Genuinely good. Steal-able. Other vendors should ship this.
What we'd actually do
If we had a customer with a 50-person editorial team and a localized brand site across 8 markets, we'd budget a Contentstack demo call. The infrastructure is real, the regions are real, the API is clean, and the editor-side AI bets are credible. If we had a startup picking a CMS for the next two years of product, we'd self-host one of Strapi, Directus, or Payload and revisit the question once we had revenue and an editorial team. The mismatch between Contentstack's wall and a developer's evaluation flow isn't a flaw — it's the segmentation. Worth knowing which side of it you're on before you book the call.
Where this fits
Adjacent scouting notes from the same week: Strapi — the open-source headless default, Directus — SQL-first with a real admin, Payload — TypeScript-first headless, Ghost — the headless-blog wedge, PostHog hobby self-host. SimpleReview is the Chrome extension that turns whatever element you click on a broken admin or storefront into a draft code-fix PR — it works on a Contentstack-rendered front end the same way it works on a Strapi one, because by the time the page renders it's just HTML.