AgentAPI

Replit API - Complete Developer Guide to Extensions (GraphQL), Auth, Deployments, Database, Pricing & Limits

This is a practical, developer-focused guide to what people mean by “Replit API” in 2026, how Replit’s platform services fit together, and how to build reliable, production-ready systems on top of them. It’s written for builders shipping real apps: dashboards, SaaS tools, internal utilities, education products, and extensions that need access to Replit platform data.

1) What is “Replit API”?

The phrase “Replit API” can be confusing because it’s used in multiple contexts. Some developers mean “an API I host on Replit” (for example, a Node/Express or Python/FastAPI server running in a Replit App). Others mean “APIs Replit provides that I can call from an external service.” And a third group means “how do I integrate with Replit’s own platform data and tools?”

In 2026, it’s most helpful to think of three layers:

A) Apps you host on Replit (your own API)

This is the simplest meaning: you build an API (REST, GraphQL, WebSocket) in a Replit App, test it in the workspace, and then publish it. Replit’s docs even describe “Create and test APIs” as a core Replit Apps use case. In this sense, “Replit API” isn’t a specific Replit endpoint—it’s the API you deploy using Replit as the platform.

B) Replit platform services (Auth, Database, Storage, Publishing)

Replit includes platform services that your app can use: Replit Auth for user login and management, a built-in SQL Database, and storage options. Publishing/Deployments provide production hosting. These are “Replit APIs” in the sense that you interact with them through configuration, environment variables, and SDKs/clients your app uses (for example, a Postgres connection string for the Database).

C) Replit Extensions & platform data access (GraphQL and more)

If you build extensions or tooling that needs Replit platform metadata—user info, app metadata, workspace context—you’ll use Replit’s Extensions API. Replit publishes a client library for extensions and describes using a GraphQL API for platform data in this context.

Quick takeaway
If you’re building a normal web app: focus on Deployments + Database + Auth and treat Replit like your cloud platform. If you’re building a workspace extension or deep integration: focus on the Extensions API (GraphQL platform data).

2) Replit API ecosystem map (what fits where)

Below is a mental model that will save you time. Each “API surface” exists for a different job, and production apps typically combine them.

Replit Apps

Where your code runs. Build REST/GraphQL/WebSocket endpoints and ship them with publishing/deployments.

Deployments (Publishing)

Turns a workspace snapshot into a production instance. Includes options like static, autoscale, and reserved VMs.

Database & Storage

Built-in SQL database plus storage options for files. Use for persistence instead of writing to deployment filesystem.

Replit Auth

Managed authentication and user management integrated into Replit’s workflow and publishing domains.

Then there are cross-cutting concerns that act like “meta APIs”:

  • Billing & usage credits: credits apply to publishing costs; pay-as-you-go after credits are used.
  • Quotas & limits: CPU/RAM/storage/network constraints vary by plan; there are hard and soft limits.
  • Security practices: secret management, token safety, and avoiding leaking credentials in public apps.

If you build a serious product on Replit, you should treat “API design” as both (1) the endpoints you build for your users and (2) the platform controls that keep your system reliable and affordable.

3) Replit Extensions API & GraphQL platform data

Replit’s Extensions are a way to extend the Replit workspace experience. For extensions that need platform data, Replit references access to a GraphQL API through the Extensions API reference and also maintains an open-source extensions client library repository. That combination is what many developers mean when they say “Replit API” as a platform integration.

When you should use the Extensions API

You should reach for the Extensions API when your product lives inside the Replit workspace experience—or is tightly coupled to it. Examples include:

  • A testing panel that runs structured checks against the current project and shows results in the workspace
  • An API request tester tool (REST/GraphQL) embedded as an extension
  • A code-quality dashboard that summarizes files, dependencies, and project metadata
  • A team tool that reads platform metadata and coordinates workflows in the workspace

GraphQL vs “your own API”

It’s important not to confuse Replit’s internal/platform GraphQL usage with the GraphQL endpoint you might host in your app. If you’re building a workspace extension and you need platform metadata, you’ll use the platform GraphQL surface described by Replit. If you’re building a web app, you might host your own GraphQL/REST endpoints and never touch Replit’s platform GraphQL at all.

Limits note
Replit’s usage limits documentation explicitly mentions limits on the frequency and size of requests to Replit’s internal GraphQL API. That means your extension should be efficient: query only what you need, cache results, and debounce UI-driven queries.

How to build a stable extension integration

Production rules for “API-like” extension behavior:

  • Debounce UI events (typing, clicking, rapid navigation) before making GraphQL requests.
  • Cache platform data for the session; re-fetch only when necessary or after a TTL.
  • Handle 429/5xx gracefully with backoff and user-friendly messaging.
  • Keep payloads small: request only fields you will render; avoid huge nested selections.
  • Prefer incremental fetch: fetch “summary first,” then load details on demand.

Practical use cases for GraphQL platform data

Even without listing every field in the schema, you can plan the integration in terms of job-to-be-done:

  • User identity and account context: show personalized extension settings and preferences.
  • App metadata: show a dashboard for project status, environment details, or configuration hints.
  • Publishing status: connect extension UI to deployment workflows, monitoring, or snapshots.

Legacy “Repl.it API” code execution endpoint (historical context)

You may also find older references to a “Repl.it API” for code execution via HTTP/WebSockets. Replit published a blog post years ago describing a code execution API that could run user code in a sandbox environment. That content is valuable historically, but it is not the primary “Replit API” most developers mean in 2026. If you’re building a modern app on Replit today, you typically rely on Replit Apps + Deployments and you implement code execution inside your own infrastructure (or choose a modern sandbox provider), unless Replit explicitly documents a current supported equivalent.

4) Replit Auth (managed authentication)

Replit Auth is Replit’s managed authentication solution that helps you add user accounts, personalized experiences, and access control. Replit positions it as “enterprise-grade authentication” and notes that it works across development domains and published apps. Replit also states that the supported way to implement Replit Auth is through Agent (manual implementation is not supported), and that Auth integrates with your database by automatically creating user entries.

Why Replit Auth matters for API builders

If you’re building an API (your own REST/GraphQL endpoints) inside a Replit App, authentication is usually the difference between a demo and a real product. Replit Auth gives you a fast path to:

  • Login flows (Google/GitHub/X/Apple/Email options as configured in the workspace)
  • User management UI inside Replit (view users, ban users, view details)
  • Safer “published app” access patterns without building auth from scratch
  • Database-backed user records for personalization and entitlements

Auth-driven API patterns

Once you have Auth, you can implement common API patterns cleanly:

  • Session-based API: your frontend includes a session cookie and your backend checks session state.
  • Token-based API: your backend verifies an ID token and attaches a user identity to the request context.
  • Workspace access controls: for internal tools, gate endpoints to only certain users or roles.
Best practice
If you’re building a multi-tenant SaaS, treat user identity (auth) and tenant identity (workspace/team) as separate concepts. Many security bugs happen when a valid user token is accepted but tenant boundaries are not enforced for each request.

Auth + deployments

Replit highlights that Auth works across development and published app domains. That’s important because authentication can break when domains change (dev → prod), especially for redirect URIs and cookie settings. If you use Replit Auth as intended, you reduce the chance of publishing-day surprises.

5) Database & Storage (persistence for your APIs)

Most “it worked in dev but failed in prod” stories are actually persistence mistakes. Replit’s deployments documentation warns against relying on the published app filesystem for saved data and recommends using storage/database options instead.

SQL Database (Replit Database)

Replit provides a built-in SQL Database (described as “Replit Database”) that is integrated into the workspace. Replit’s docs describe it as a fully managed database with built-in tools (SQL runner, schema management, visual data browsing) and include features like “time travel” with Agent checkpoints. Replit also notes that each app includes free storage capacity for the database and that you can connect using a standard PostgreSQL-compatible connection string exposed via environment variables.

Storage options

Replit’s docs also describe storage options beyond the SQL database (such as App Storage for unstructured files). The practical distinction is:

  • Database: structured data (users, projects, subscriptions, rows with relationships)
  • App Storage: unstructured data (images, video uploads, documents, binary blobs)

How to design your API data layer on Replit

Whether you’re building a public API for customers or an internal service, you’ll benefit from treating your storage architecture as a contract:

  • Schema stability: version your schema changes and provide backwards-compatible migrations when possible.
  • Connection safety: pool connections, set timeouts, and keep secrets out of client-side code.
  • Job-friendly writes: long operations (video processing, large imports) should be queued; don’t block HTTP requests.
  • Retention policies: store only what you need; archive/expire data to reduce cost.
Simple rule
Treat deployments as stateless: your app can restart, scale, or move. Put state in Database/Storage. This principle makes your API resilient and easier to scale.

6) Deployments & publishing (how your API becomes production)

Replit’s documentation describes publishing as a snapshot-based process: when you publish, Replit captures the current state of your files and dependencies and runs a separate production instance in Replit’s cloud infrastructure. This makes the app reliably available on the internet, separate from the workspace version you edit.

Deployment types (why they matter for APIs)

Different deployment types exist because apps have different needs. For API builders, the decision is usually driven by traffic patterns:

Deployment type Best for API impact
Static Marketing sites, docs, client-only apps No server runtime; you’d call external APIs, not host one here
Autoscale Spiky traffic, unpredictable workloads Great for APIs with bursts; ensure stateless design + shared DB
Reserved VM Consistent workload, predictable performance Good for stable APIs needing steady throughput

Publishing workflow you should implement

Your “publishing checklist” should look like a production platform checklist:

  • Health endpoint (/healthz) and readiness checks
  • Environment variables set (DB URL, API keys, auth settings)
  • Logs are clean (no secrets, no personal data dumps)
  • Rate limiting and abuse controls enabled
  • Monitoring: error rate, latency, deployment status

Replit’s publishing docs also highlight analytics and monitoring tools, plus access controls (notably available for Teams members). If you’re shipping an API for customers, you should treat monitoring as part of the API product, not an afterthought.

7) Pricing & usage credits (how Replit billing affects APIs)

Replit’s official pricing page shows plan tiers (Starter, Core, Teams, Enterprise) and highlights that paid plans include monthly usage credits: for example, Replit Core includes $25/month in credits, and Teams includes $40/month in usage credits per seat (with credits granted upfront on annual plans). Pricing and plan details can change, but this “credits + pay-as-you-go” model is central to how you forecast costs for deployed APIs.

Deployment pricing and how credits apply

Replit’s deployment pricing docs describe publishing costs as scaling with your app’s needs and state that publishing costs are deducted from monthly credits, with usage-based fees applying after credits are used. The docs also mention plan-specific details like a free published app on the Starter plan (with an expiry window) and link to an interactive pricing calculator for hands-on estimates.

How to budget an API on Replit (real-world method)

A practical budgeting model uses three layers:

  1. Baseline plan cost: Starter/Core/Teams subscription cost
  2. Included monthly credits: credits reduce your variable spend until they’re used
  3. Variable usage: deployment compute, data transfer, and any usage-based services your app consumes

If you’re building a public API, you should also track the cost per request or per customer. Many builders underestimate how quickly a single “heavy endpoint” (file upload, long AI job, complex DB query) can dominate spend. The healthiest approach is to ship an internal cost model early: record approximate compute time, DB time, and data transfer per route, and then adjust pricing or limits accordingly.

Cost control lever you can ship in the UI
Add “tiers” to your own API product: request quotas, concurrency limits, max upload sizes, and paid add-ons. This aligns your customers’ behavior with your underlying Replit usage costs.

Credits don’t roll over (plan for that)

Replit’s deployment pricing documentation notes that unused credits don’t roll over to the next month. That means if you have predictable workloads you might want to size your plan and deployment types to match your expected usage, while for spiky workloads you’ll rely more on usage-based billing.

8) Quotas, limits & rate limiting (what can break your API)

A well-designed API can still fail if the platform limits aren’t understood. Replit’s usage limits documentation distinguishes between hard limits (automatically enforced) and soft limits (consumable resources you agree not to exceed), and it lists areas such as CPU, RAM, storage, concurrent apps, network bandwidth, and restrictions tied to content and network activity.

Hard vs soft limits (why you should care)

Hard limits affect your system behavior immediately: if your app exceeds memory, it can crash; if you exceed concurrent app limits, you can’t run more. Soft limits tend to influence billing or account health and may trigger restrictions if repeatedly exceeded. The practical point is: treat limits as part of your production engineering, not as a legal footnote.

GraphQL platform limits

Replit’s usage limits page explicitly mentions limits on the frequency and size of requests to Replit’s internal GraphQL API. If you build extensions or tools that query platform data, you should:

  • Batch requests where possible
  • Use persisted queries or fixed query templates (avoid dynamic, unbounded queries)
  • Cache results and avoid repeated “same data” fetches
  • Protect against accidental tight loops triggered by UI changes

Outbound data transfer and network constraints

Replit’s pricing page includes outbound data transfer allowances by plan. For an API, data transfer is often the hidden cost: large JSON responses, image downloads, or file proxies can balloon outbound usage. If your API returns large payloads, implement:

  • Compression (gzip/brotli) and pagination
  • Signed URLs for direct-to-storage downloads (don’t proxy big files through your API unnecessarily)
  • Response shaping (only return fields needed by the client)
Rate limiting: your app should have its own limits
Even if the platform has limits, your API should implement per-user and per-IP rate limiting. This prevents one abusive client from burning your usage credits or forcing throttling that affects everyone.

9) Security & key management (don’t leak secrets)

If you publish an app, assume everything in your client code is public. The most common security mistake is exposing API keys in front-end JavaScript, public repos, or logs. Replit also publishes guidance about keeping API keys safe by using Secrets.

Security checklist for Replit-hosted APIs

  • Never expose secrets to the browser: all provider keys stay server-side.
  • Use environment variables / Secrets: avoid committing keys to source control.
  • Redact logs: do not log Authorization headers or raw tokens.
  • Validate inputs: enforce request size limits, content types, and schema validation.
  • Tenant boundaries: if multi-tenant, verify both user identity and tenant ownership per request.

Public APIs: abuse prevention essentials

If you expose an API endpoint to the internet, you should assume it will be probed. Basic protections:

  • Rate limiting + burst control
  • API keys for your customers, rotated and revocable
  • Request logging with privacy-safe redaction
  • Allow-lists for internal endpoints, where appropriate
  • Bot and fraud protections for high-risk flows (especially signup/login)
One-liner principle
“If it’s in the client, it’s public.” Treat secrets and privileged actions as server-only, always.

10) Production architecture patterns (how to ship reliably)

Replit can take you from idea to deployed app quickly, but the reliability of your product depends on your architecture. These patterns are stable across most successful Replit-built APIs.

Pattern A: API + DB + background jobs

Many APIs have “fast endpoints” and “slow operations.” If you do long tasks (AI calls, file processing, imports, heavy queries), don’t do them inside a single HTTP request. Instead:

  1. Client hits POST /jobs (create job)
  2. Server validates request and stores a job record in the database
  3. Background worker processes job and stores results
  4. Client polls GET /jobs/:id or uses a webhook/callback

Pattern B: Autoscale with stateless compute

If you choose an autoscale deployment for a spiky API, statelessness is your friend. Store state in the database/storage and keep your runtime free of “sticky” assumptions. Treat caches as optional accelerators, not correctness requirements.

Pattern C: Observability by default

Build monitoring into your app:

  • Latency per route
  • Error rate per route
  • DB query time and slow query logs
  • Job queue depth and job failure rate
  • Approximate cost drivers (data transfer, heavy endpoints, external provider spend)
Why this matters on Replit
Replit’s plan limits (CPU/RAM/storage/outbound transfer) vary by tier. Observability tells you when you’re close to those limits and what route or job is causing it—so you can fix it before it becomes a user-visible incident.

11) Practical examples (copy/paste patterns)

Example 1: Minimal Express API with health endpoint

// server.js (Node 18+)
import express from "express";
import rateLimit from "express-rate-limit";

const app = express();
app.use(express.json({ limit: "1mb" }));

// Basic rate limiter (adjust for your needs)
app.use(rateLimit({
  windowMs: 60_000,
  max: 120,
  standardHeaders: true,
  legacyHeaders: false
}));

app.get("/healthz", (req, res) => res.status(200).json({ ok: true }));

app.post("/echo", (req, res) => {
  // Validate inputs in real apps
  res.json({ received: req.body });
});

const port = process.env.PORT || 3000;
app.listen(port, () => console.log(`API listening on :${port}`));

Example 2: Postgres connection using DATABASE_URL

// db.js (Node 18+)
// Replit Database docs note you can connect using a Postgres-compatible connection string in env vars.
import pg from "pg";
const { Pool } = pg;

export const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
  max: 10,
  idleTimeoutMillis: 30_000,
  connectionTimeoutMillis: 10_000
});

Example 3: Async job pattern (DB-backed)

// Pseudo-structure
// POST /jobs => create job row { id, status: "queued", input }
// Worker => picks queued jobs, processes, updates { status: "succeeded", result }
// GET /jobs/:id => returns status + result when ready

// Why: avoids request timeouts and scales with autoscale deployments.

Example 4: GraphQL query pattern (extension/tooling)

The exact endpoint URL and schema depend on Replit’s Extensions API reference. But the structure is consistent: you post a GraphQL document and variables, then render results. 

// Generic GraphQL request structure (server-side or extension context)
async function graphqlRequest(endpoint, query, variables, token) {
  const res = await fetch(endpoint, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "Authorization": `Bearer ${token}`
    },
    body: JSON.stringify({ query, variables })
  });

  const data = await res.json();
  if (data.errors) throw new Error(JSON.stringify(data.errors));
  return data.data;
}

// Tips:
// - Cache results per session
// - Debounce UI-driven calls
// - Keep queries small and stable

Example 5: Publishing readiness checklist (runbook)

Before you publish:
- /healthz returns 200
- DATABASE_URL present (if using Replit Database)
- No secrets in logs / client bundles
- Rate limiting enabled on public endpoints
- Upload endpoints have strict size/type checks
- Observability: request logs + error logs + basic metrics
- Data persistence uses Database/Storage (not filesystem)

12) FAQs

Is there a single “Replit API endpoint” I can call for everything?

Not really. “Replit API” usually refers to multiple surfaces: Extensions API (platform data, GraphQL), plus product services like Auth, Database/Storage, and Deployments. If you’re hosting your own API on Replit, your endpoints are the primary “API” your users call.

What’s the official way to add authentication to my Replit app?

Replit Auth is the managed solution. Replit’s docs state it’s implemented through Agent and includes built-in user management and database integration, working across dev and published domains.

Can I store files on the deployment filesystem?

Replit’s deployments documentation advises against relying on the published app filesystem for persisted data. Use Database/Storage options for persistence.

How do publishing costs work?

Replit’s deployment pricing docs say publishing costs are deducted from monthly credits first, and you pay usage-based fees after credits are used. Check the interactive calculator and current plan credit amounts for up-to-date budgeting.

What limits should I design around?

Plan-based CPU/RAM/storage and outbound transfer allowances are key. Also note that Replit’s usage limits mention restrictions such as limits on outgoing network connections and limits on internal GraphQL request size/frequency. Build with caching, debouncing, and queues.

How do I prevent my usage credits from being burned by abuse?

Implement your own API rate limiting, add authentication for non-trivial endpoints, validate payload sizes and types, and avoid proxying large downloads through your API. For multi-tenant, enforce per-tenant quotas and concurrency limits.

Should I choose autoscale or reserved VM for my API?

Autoscale is a good default for spiky or unpredictable traffic if your app is stateless and uses a shared database. Reserved VM can be better for consistent workloads where predictable performance matters.

Do I need the Extensions API if I’m just hosting a normal web app?

Usually no. Most apps never touch Replit’s platform GraphQL surfaces. You’d focus on building your own API endpoints and using Replit Auth, Database, and Deployments as platform services.

What’s the safest way to manage third-party API keys on Replit?

Store them in Replit Secrets/environment variables, keep them server-side, redact logs, and never embed them in client bundles. Rotate keys periodically and immediately if you suspect exposure.

How can I keep my API fast on Replit?

Use pagination, caching, and database indexes; avoid heavy work in request handlers (move to background jobs); compress responses; and keep payloads small. Monitor latency per route and optimize the slowest 2–3 endpoints first.

13) Official sources (verify current details)

Replit changes quickly, so always confirm the latest plan details, limits, and schemas using official sources:

  • Replit Docs (home): https://docs.replit.com/
  • Replit Pricing (plans + credits + limits): https://replit.com/pricing
  • Deployment pricing (how credits apply): https://docs.replit.com/billing/deployment-pricing
  • Usage quotas & limits (hard/soft limits; GraphQL constraints): https://docs.replit.com/legal-and-security-info/usage
  • Deployments overview: https://docs.replit.com/category/replit-deployments
  • Replit Auth: https://docs.replit.com/replit-workspace/replit-auth
  • SQL Database: https://docs.replit.com/cloud-services/storage-and-databases/sql-database
  • Replit Extensions client repo: https://github.com/replit/extensions
Evergreen tip
If you publish this page on your site, add a “Changelog” section and update it whenever Replit changes credit amounts, deployment pricing, or limits. Those are the most SEO-sensitive and developer-critical details.

Ship checklist (copy into your project)

  • ✅ Build your API with clear contracts (schemas, pagination, error codes)
  • ✅ Use Database/Storage for persistence (avoid relying on deployment filesystem)
  • ✅ Add Auth early if users need accounts or premium access
  • ✅ Implement rate limiting and abuse prevention
  • ✅ Monitor latency, errors, and job queue health
  • ✅ Budget using plan credits + usage-based costs
  • ✅ Design around plan limits (CPU/RAM/storage/outbound transfer)
  • ✅ Keep secrets server-side with environment variables/Secrets